
[Linux-aus] Solution: working procmail rule for Mydoom/Mymail/Novarg/SCO virus



(mind the crosspost!)

Hi again all,

Alright, I found the problem with the procmail rule.
The incoming mail actually contains a LF+tab after the semicolon on the
content-type lines. My mail reader (evolution) rewrapped it as a single
line, and saved it as a space. So that's why my test with egrep worked.
If I fed the saved msg directly into procmail, it would also work ;-)
So that's the entire explanation.

Anyway, the two rules below do the trick. For the current virus, you
only really need the second one but since the first one is shorter, why
not leave it in...
I had to adjust and add to the zip signature a bit this morning to catch
some new variants - this is possibly the .B strain that is being
reported. We'll see whether more new stuff shows.
Right now the below has a 100% catch rate here.

It may be possible to simplify even further... for instance, normally a
.zip file wouldn't be application/octet-stream, but /x-zip-attachment.
But you never know what weird mail editors produce, so I like to have
some redundancy in the rules, to prevent false positives...


# Klez, Elkern & co viruses
# (Basically catch all executable attachments)
# Procmail's $ matches a newline, so ";$?" also allows the folded LF+tab
# after the semicolon; the optional closing quote covers name="file.exe".
:0 B
* ^Content-Type: .*/.*;$?.*NAME=.*\.(exe|com|cmd|bat|pif|scr|lnk)"?$
/dev/null

# W32/MyDoom.A (aka Mimail.R, Novarg.A, Shimg, W32.Novarg.A@mm, W32/Mydoom@MM)
# Possibly also .B mutation
# All but .zip would already be picked up by the previous rule
# B flag: the conditions run over the body, which is where the MIME part
# headers live. Each condition must be on a single line.
# Third condition: base64 of a stored-method zip local file header
# (PK\003\004, version 1.0; the six dots skip mtime/mdate) or of a
# standard MZ header.
:0 B
* ^Content-Type: text/plain;$?.*charset="Windows-1252"$
* ^Content-Type: application/octet-stream;$?.*name=".*\.(bat|cmd|exe|pif|scr|zip)"$
* ^(UEsDBAoAAAAAA......(KJx\+eAFgAAABYAA|PBsbVAlgAAAJYAA|CQHPJRl8AAEZfAA)|TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA)
/dev/null


Regards,
Arjen.
-- 
Arjen Lentz, Technical Writer, Trainer
Brisbane, QLD Australia
MySQL AB, www.mysql.com

Sydney 1 Mar 2004 (5 days): Using & Managing MySQL Training
Training,Support,Licenses,T-shirts @ https://order.mysql.com/?marl
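
Added example (not part of Arjen's post and not procmail code): a Python emulation of the second recipe above, run over constructed messages. It translates the procmail regex dialect into Python (procmail's $ matches a newline, so ";$?" is "semicolon, optional line break"; "." never crosses a line; matching is case-insensitive unless the recipe carries the D flag), applies the conditions to the body only as the B flag does, and decodes the literal base64 runs of the body signature back into the zip local-file-header and MZ-header bytes they stand for. The addresses, boundary name, body text and the inert MZ stub are constructed for the example; nothing here is a live sample.

```python
"""Emulate the Mydoom procmail recipe on constructed messages (added example)."""
import base64
import re
import struct

# The three conditions of the second recipe, translated for Python's re.
# re.I mirrors procmail's default case-insensitive matching (no D flag set).
COND_TEXT = re.compile(
    r'^Content-Type: text/plain;\n?.*charset="Windows-1252"$', re.I | re.M)
COND_ATTACH = re.compile(
    r'^Content-Type: application/octet-stream;\n?.*name=".*\.(bat|cmd|exe|pif|scr|zip)"$',
    re.I | re.M)
COND_BODY = re.compile(
    r'^(UEsDBAoAAAAAA......(KJx\+eAFgAAABYAA|PBsbVAlgAAAJYAA|CQHPJRl8AAEZfAA)'
    r'|TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA)', re.I | re.M)

ZIP_SIG = "UEsDBAoAAAAAA"                       # literal run before the six dots
MZ_SIG = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"  # the MZ branch of the signature


def mydoom_rule(msg: str) -> bool:
    """True when all three conditions hit, i.e. procmail would file to /dev/null."""
    _, _, body = msg.partition("\n\n")          # `:0 B`: conditions see the body only
    return all(c.search(body) for c in (COND_TEXT, COND_ATTACH, COND_BODY))


def decode_signature(prefix: str) -> bytes:
    """Decode the complete base64 quads at the front of a body signature."""
    return base64.b64decode(prefix[: len(prefix) // 4 * 4])


def zip_signature_fields() -> dict:
    """What the fixed part of the zip signature pins down in the local file header."""
    data = decode_signature(ZIP_SIG)            # 9 bytes: PK\x03\x04 + version, flags, method
    magic, version, flags = struct.unpack_from("<4sHH", data)
    return {"magic": magic, "version": version, "flags": flags,
            "method_low_byte": data[8]}         # 0 = stored; the dots then skip mtime/mdate


# Constructed, inert stand-in for an executable: a standard DOS header plus padding.
PE_STUB = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 36)


def build_message(folded: bool, payload: bytes = PE_STUB) -> str:
    """Constructed two-part message shaped like the one the post describes."""
    sep = ";\n\t" if folded else "; "          # folded = LF+tab after the semicolon
    b64 = base64.encodebytes(payload).decode("ascii")
    return (
        "From: sender@example.invalid\n"
        "Subject: test\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        f'Content-Type: text/plain{sep}charset="Windows-1252"\n'
        "\n"
        "constructed body text\n"
        "--b1\n"
        f'Content-Type: application/octet-stream{sep}name="readme.exe"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        f"{b64}"
        "--b1--\n"
    )


# Constructed plain message: its only Content-Type is in the header, so `B` never sees it.
BENIGN = (
    "From: friend@example.invalid\n"
    "Subject: lunch\n"
    'Content-Type: text/plain; charset="Windows-1252"\n'
    "\n"
    "See you at noon.\n"
)

if __name__ == "__main__":
    print("folded header   :", mydoom_rule(build_message(folded=True)))            # True
    print("unfolded header :", mydoom_rule(build_message(folded=False)))           # True
    print("text named .exe :", mydoom_rule(build_message(True, b"just text")))     # False
    print("benign          :", mydoom_rule(BENIGN))                                # False
    print(zip_signature_fields())
```

The folded and unfolded variants both match because of the optional newline, which is the point of the post; the third case shows the redundancy Arjen mentions, since an attachment named .exe whose content does not begin with a PK or MZ header is left alone. Because the recipe has no D flag, procmail also matches the base64 signature case-insensitively, and the emulation mirrors that.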