
Re: procmail recipe for e-worms

From: Nikos K. Kantarakias <nikant(at)freemail.gr>
Date: Mon Jan 06 2003 - 12:55:06 EST

> filtering Yaha is pretty easy, even easier than you may realize:
>
> Content-Type:multipart/mixed;

Sorry, I don't trust headers only! When it comes to viruses, only the file itself (when non-polymorphic) can help.

>
>
> that's in every one. also, how is this any better than the impsec procmail
> sanitizing ruleset?
>
>

Ehm.. I have to comment on that..

I suppose you mean the rules here:
http://www.impsec.org/email-tools/local-rules.procmail

Let's take it one by one:

  1. Hybris detection mainly by size and malformed To/Subject headers.. xmm.. sorry, not my style
  2. SirCam trapped by the strings: AAAAGgU0NhbTMyABCDTUlN AAAAAaBTQ2FtMzIAEINNSU1F ABkAAAABoFNDYW0zMgAQg01J

These strings were originally found in a post on the procmail list: http://www.rosat.mpe-garching.mpg.de/mailing-lists/procmail/2001-07/msg00510.html

Do you need help?X

As the author says, he used string values from the exe body. STRING values.. anyone could change those, even a kid with a hex editor..

  3. Badtrans again by size and boundary stuff..

  4. Klez & BugBear by the base64 string TVqQAAMAAAAEAAAA, which is typical of a huge number of legitimate Windows executables..

(Anyway, I never said that mine is better :p I just wrote it, use it and felt like sharing it...)

But the future impact isn't gone yet.. Here is an interesting problem for all regexp magicians.. :
http://www.virusbtn.com/resources/viruses/indepth/junkmail.xml



signature text:
  Nikos K. Kantarakias
  URLs:  http://www.nikant.tk/
         http://www.skiathos.tk/
         http://agriroot.aua.gr/
Received on Tue Jan 7 12:42:59 2003
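An editor's added example on point 4 of the post above; it is not code from the post, from the impsec ruleset or from the procmail list. It shows why the base64 string `TVqQAAMAAAAEAAAA` fires on ordinary Win32 executables: it is exactly the base64 encoding of the first 12 bytes of a standard MS-DOS/PE header (`MZ`, e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4, e_minalloc=0), which every common linker emits. The two attachments are constructed header-only files, not real programs, and the function names (`build_constructed_pe`, `classify_attachment`, etc.) and the hash blocklist are assumptions of this example, not part of any ruleset.

```python
"""Constructed demonstration: the base64 string TVqQAAMAAAAEAAAA matches any ordinary
Win32 executable attachment, because it is just the encoded standard DOS header prefix.
Also shows a decoder-side check run on the decoded bytes rather than on the base64 text.
Nothing here is a real program; the sample files are hand-built headers."""
from __future__ import annotations

import base64
import hashlib
import struct

# Base64 string quoted in the thread as the Klez/BugBear signature.
B64_SIGNATURE = "TVqQAAMAAAAEAAAA"


def dos_header_prefix() -> bytes:
    """First 12 bytes of a typical MS-DOS/PE header: 'MZ', then the little-endian
    shorts e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4, e_minalloc=0.
    Virtually every Win32 linker emits exactly these values."""
    return b"MZ" + struct.pack("<HHHHH", 0x90, 3, 0, 4, 0)


def build_constructed_pe(stub_text: bytes) -> bytes:
    """Hand-built file with a standard DOS header and a 'PE\\0\\0' signature at e_lfanew.
    Constructed for this example: only the fields a filter would inspect are meaningful."""
    header = bytearray(64)
    header[0:12] = dos_header_prefix()
    struct.pack_into("<I", header, 0x3C, 0x80)       # e_lfanew -> "PE\0\0" lives at 0x80
    stub = stub_text[:64].ljust(64, b"\x00")         # DOS stub occupies offsets 0x40..0x7F
    return bytes(header) + stub + b"PE\x00\x00" + b"\x00" * 20


def mime_base64(data: bytes) -> str:
    """Encode the way a MIME base64 body part is laid out (76-character lines)."""
    return base64.encodebytes(data).decode("ascii")


def procmail_style_match(b64_body: str) -> bool:
    """The text-level test the ruleset performs: is the signature string present?"""
    return B64_SIGNATURE in b64_body


def is_win32_executable(data: bytes) -> bool:
    """Decoder-side check: 'MZ' magic and 'PE\\0\\0' at the offset stored in e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_attachment(b64_body: str, known_bad: set[str]) -> dict:
    """Decode the part once and report both views of it: the string match, which
    fires on every PE file, and an exact-file hash match, which fires only on
    samples that are actually on the (assumed) blocklist."""
    data = base64.b64decode(b64_body)
    digest = sha256_hex(data)
    return {
        "string_signature_hit": procmail_style_match(b64_body),
        "is_win32_executable": is_win32_executable(data),
        "known_bad_hash_hit": digest in known_bad,
        "sha256": digest,
    }


def demo() -> tuple[dict, dict]:
    """Two constructed attachments: a harmless utility and a sample whose hash we
    pretend is on a blocklist. Both trip the base64 string signature."""
    benign = build_constructed_pe(b"This program cannot be run in DOS mode.")
    sample = build_constructed_pe(b"constructed sample standing in for a known worm")
    blocklist = {sha256_hex(sample)}
    return (classify_attachment(mime_base64(benign), blocklist),
            classify_attachment(mime_base64(sample), blocklist))


if __name__ == "__main__":
    benign_result, sample_result = demo()
    print("benign :", benign_result)
    print("sample :", sample_result)
```

Run as a script, both constructed attachments report `string_signature_hit: True`, which is the point made in the post: the string identifies "a Windows executable is attached", not a particular worm. The hash match in `classify_attachment` only distinguishes the two files because it is computed over the decoded bytes; like any exact-match check it is defeated by a single changed byte, which is the same limitation the post raises against string matching on the exe body.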

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT

