[Esa-l] Poisoning "from" and subject line?

Dustin Ankeny dustin at heritageind.com
Thu Nov 30 11:56:14 PST 2000


I've been having some difficulty with the poisoned list, with viruses like
hybris (which does not have a standard exe/scr name, it has a list of names
randomly picked) so therefore hard to poison... but it always appears to be
sent from...

From: Hahaha <hahaha at sexyfun.net>

Or it always has a standard subject line of

Subject: Snowhite and the Seven Dwarfs - The REAL story!

Anyway, getting to my point, could there also be a poisoned list for the
subject line as well as the from field? (possibly others?)  I know this is
getting a little out there, but I believe that attachment names will be
getting a little more fluid or polymorphic as time goes on.  So any other
standard keys that virus/trojan writers give us, we should use against them.

Oh by the way, I have my current poisoned list here which has the hybris
names in it.
http://www.geocities.com/ankdom/poisoned.txt

Thank you for your time,
Dustin Ankeny
SysAdmin
Heritage

Hybris
http://www.symantec.com/avcenter/venc/data/w32.hybris.gen.html
http://vil.nai.com/vil/virusSummary.asp?virus_k=98873
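
The From and Subject check proposed in the post, as an added example that is not part of the original message or of any list software. The function names and the attachment entry are assumptions made for illustration; the From and Subject values are the ones quoted in the post. Values are normalized (encoded-words decoded, whitespace collapsed, case folded) before the lookup, so trivially re-encoded copies still match.

```python
import email
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# From/Subject values are the ones quoted in the post.
# The attachment name is a constructed placeholder, not a real Hybris name.
POISONED_FROM = {"hahaha@sexyfun.net"}
POISONED_SUBJECT = {"snowhite and the seven dwarfs - the real story!"}
POISONED_ATTACHMENT = {"example-poisoned.exe"}


def _norm(value):
    """Decode RFC 2047 encoded-words, collapse whitespace, lowercase."""
    try:
        text = str(make_header(decode_header(value or "")))
    except Exception:  # malformed encoded-word: fall back to the raw header
        text = value or ""
    return re.sub(r"\s+", " ", text).strip().lower()


def poisoned_reasons(raw_message):
    """Return the names of the poisoned-list rules a raw message matches."""
    msg = email.message_from_string(raw_message)
    reasons = []
    # Compare only the address part, so the display name does not matter.
    if parseaddr(_norm(msg.get("From")))[1] in POISONED_FROM:
        reasons.append("from")
    if _norm(msg.get("Subject")) in POISONED_SUBJECT:
        reasons.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and _norm(name) in POISONED_ATTACHMENT:
            reasons.append("attachment")
    return reasons


# Constructed sample messages (not captured traffic).
SAMPLE_HIT = (
    "From: Hahaha <hahaha@sexyfun.net>\n"
    "Subject: =?iso-8859-1?q?Snowhite_and_the_Seven_Dwarfs_-_The_REAL_story!?=\n"
    "\nbody\n"
)
SAMPLE_CLEAN = "From: Alice <alice@example.com>\nSubject: Lunch?\n\nbody\n"

if __name__ == "__main__":
    print(poisoned_reasons(SAMPLE_HIT))
    print(poisoned_reasons(SAMPLE_CLEAN))
```

Both headers are set by the sender, so a match is a cheap signal to combine with attachment checks rather than a replacement for them.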



