Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

(Fwd) how to filter the xmas virus
From: "lsi" <stuart () cyberdelix net>
Date: Fri, 17 Dec 2004 12:59:45 -0000


------- Forwarded message follows -------
From:                   lsi <stuart () cyberdelix net>
To:                     focus-virus () securityfocus com
Subject:                how to filter the xmas virus
Send reply to:          stuart () cyberdelix net
Date sent:              Fri, 17 Dec 2004 12:57:48 -0000

Hmm, the Xmascard virus uses different headers and so skipped past my 
existing filters, until I added the strings below:

UEsDBBQAA
TVoAAAAAAAAAAAAAUEUAAE

What to do with those strings?  Well, you need to tell your mail 
processing software to find messages with those strings in it, and 
any it finds, flag them as a likely virus, and filter them out of the 
inbox somehow.

The strings above can be used in a variety of situations: on an SMTP 
server (qmail, for example), in a spamfilter (such as SpamPal), or 
indeed in a POP3 client such as Pegasus Mail.

There's a few other strings, those are the new ones required to 
filter the xmas virus.

I have details on how to do it with Pegasus here:

http://www.cyberdelix.net/tech/filtering.htm

The SpamPal syntax is:

# +++++++++++++++++++++++++++++
# ++ generic MIME signatures ++
# +++++++++++++++++++++++++++++
# use these to filter mails based on their MIME content

=Line: 9999 {^TVqQAAMAAA*} [MIMEAV: Win32 executable variant 1]
=Line: 9999 {^TVoAAAEAAAA*} [MIMEAV: Win32 executable variant 2]
=Line: 9999 {^TVoAAAAAAAAAAAAAUEUAAE*} [MIMEAV: Win32 executable 
variant 3]

=Line: 9999 {^UEsDBAoAA*} [MIMEAV: Zipfile variant 1]
=Line: 9999 {^UEsDBBQAA*} [MIMEAV: Zipfile variant 2]

In Spampal, if you place these filters into the top of your 
DEFAULT_FILTERS.DAT file rather than in your FILTERS_VIRUS.DAT file, 
you will experience a significant performance boost.  You can even 
comment out the call to filters_virus, since these work better.

In general, the further back toward the source that filtering is 
applied, the less time/money/resources are wasted processing the 
filtered material.

Happy Hollydays :)

Stu


------- End of forwarded message -------

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • (Fwd) how to filter the xmas virus lsi (Dec 23)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]