Full Disclosure mailing list archives

(Fwd) how to filter the xmas virus
From: "lsi" <stuart () cyberdelix net>
Date: Fri, 17 Dec 2004 12:59:45 -0000

------- Forwarded message follows -------
From:                   lsi <stuart () cyberdelix net>
To:                     focus-virus () securityfocus com
Subject:                how to filter the xmas virus
Send reply to:          stuart () cyberdelix net
Date sent:              Fri, 17 Dec 2004 12:57:48 -0000

Hmm, the Xmascard virus uses different headers and so skipped past my 
existing filters, until I added the strings below:


What to do with those strings?  Well, you need to tell your mail 
processing software to find messages with those strings in it, and 
any it finds, flag them as a likely virus, and filter them out of the 
inbox somehow.

The strings above can be used in a variety of situations: on an SMTP 
server (qmail, for example), in a spamfilter (such as SpamPal), or 
indeed in a POP3 client such as Pegasus Mail.

There are a few other strings; those are the new ones required to 
filter the xmas virus.

I have details on how to do it with Pegasus here:


The SpamPal syntax is:

# +++++++++++++++++++++++++++++
# ++ generic MIME signatures ++
# +++++++++++++++++++++++++++++
# use these to filter mails based on their MIME content

=Line: 9999 {^TVqQAAMAAA*} [MIMEAV: Win32 executable variant 1]
=Line: 9999 {^TVoAAAEAAAA*} [MIMEAV: Win32 executable variant 2]
=Line: 9999 {^TVoAAAAAAAAAAAAAUEUAAE*} [MIMEAV: Win32 executable variant 3]

=Line: 9999 {^UEsDBAoAA*} [MIMEAV: Zipfile variant 1]
=Line: 9999 {^UEsDBBQAA*} [MIMEAV: Zipfile variant 2]

In SpamPal, if you place these filters into the top of your 
DEFAULT_FILTERS.DAT file rather than in your FILTERS_VIRUS.DAT file, 
you will experience a significant performance boost.  You can even 
comment out the call to filters_virus, since these work better.

In general, the further back toward the source that filtering is 
applied, the less time/money/resources are wasted processing the 
filtered material.

Happy Hollydays :)


------- End of forwarded message -------

Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

 * Origin: lsi: revolution through evolution (192:168/0.2)
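The five SpamPal patterns in the message are the first base64 characters of two well-known file headers: `TVqQ...`/`TVoA...` is the DOS `MZ` stub that every Win32 executable starts with, and `UEsDB...` is the `PK\x03\x04` local-file header of a zip archive. The script below is an added example (it is not from the post, from SpamPal, or from any other tool named here) that applies those same line-anchored prefixes to the still-encoded base64 body of each MIME part of a message, then decodes the matching line to confirm the magic bytes really are there. The sample messages, attachment bytes and addresses are constructed inline; only the Python standard library is assumed. It also shows the trade-off the post accepts: the zip signatures fire on a perfectly benign archive just as readily as on a packed executable.

```python
import base64
import binascii
import email
import io
import re
import zipfile
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# The five SpamPal "=Line:" patterns from the post, as Python regexes. SpamPal's
# '^' anchors at the start of a message line, so each pattern is applied line by
# line to the base64 text of every MIME part, before any decoding.
SIGNATURES = [
    (re.compile(rb"^TVqQAAMAAA"), "Win32 executable variant 1"),
    (re.compile(rb"^TVoAAAEAAAA"), "Win32 executable variant 2"),
    (re.compile(rb"^TVoAAAAAAAAAAAAAUEUAAE"), "Win32 executable variant 3"),
    (re.compile(rb"^UEsDBAoAA"), "Zipfile variant 1"),
    (re.compile(rb"^UEsDBBQAA"), "Zipfile variant 2"),
]

# What the base64 prefixes decode to: the DOS "MZ" stub and a zip local-file header.
MAGIC = {"Win32 executable": b"MZ", "Zipfile": b"PK\x03\x04"}


def decoded_prefix(line: bytes) -> bytes:
    """Decode the longest 4-aligned prefix of a base64 line; b'' if it is not base64."""
    usable = line[: len(line) - len(line) % 4]
    try:
        return base64.b64decode(usable, validate=True)
    except (binascii.Error, ValueError):
        return b""


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (signature label, attachment filename) for every base64-encoded part
    whose encoded text matches a signature AND decodes to the expected magic bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        encoded = part.get_payload(decode=False).encode("ascii", "ignore")
        for line in encoded.splitlines():
            for pattern, label in SIGNATURES:
                if pattern.match(line):
                    family = label.rsplit(" variant", 1)[0]
                    if decoded_prefix(line).startswith(MAGIC[family]):
                        hits.append((label, part.get_filename() or "<no name>"))
    return hits


def build_sample(attachment: bytes, filename: str) -> bytes:
    """Constructed sample mail (not from the post): a text part plus one base64 attachment."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.invalid"        # constructed addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.attach(MIMEText("see attachment"))
    att = MIMEApplication(attachment, "octet-stream")  # base64-encoded by default
    att.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(att)
    return msg.as_bytes()


def constructed_exe_stub() -> bytes:
    # Constructed: the first 12 bytes of a typical DOS header (MZ, e_cblp=0x90, e_cp=3)
    # followed by zero padding. Not a runnable program, just the header bytes.
    return b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + b"\x00" * 52


def constructed_zip() -> bytes:
    # A real, harmless zip archive built in memory: the zip signatures flag it too.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", "harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("card.exe", constructed_exe_stub()),
        ("card.zip", constructed_zip()),
        ("card.txt", b"plain text, base64-encoded by MIME"),
    ]
    for name, payload in samples:
        print(name, scan_message(build_sample(payload, name)))
```

Two properties of the approach are worth keeping in mind when deploying it. The `^` anchor only fires because standard MIME base64 starts the attachment's first encoded line at a line boundary; a part encoded some other way (or not at all) is not examined by these patterns, so they complement rather than replace a scanner that decodes content. And as the zip case shows, the `UEsDB` signatures classify every zip attachment as suspect, which is exactly the trade-off the post makes in favour of filtering as early and cheaply as possible.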

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
