[Esa-l] Hahaha

Bjarni R. Einarsson bre at klaki.net
Tue Feb 13 07:28:27 PST 2001


On 2001-02-13, 06:52:54 (-0800), John D. Hardin wrote:
> On Mon, 12 Feb 2001, Bjarni R. Einarsson wrote:
> 
> > (I'm already seeing this happen - the procmail filter rule I
> > posted a few weeks ago is beginning to fail and I'm seeing new
> > strains of the worm in my inbox again.)
> 
> I haven't seen this yet. What are you seeing?

The hard-to-filter strain, the one which has few recognizable headers
(predictable message boundary, lack of subject line etc.) has changed
and has started sending a slightly different attachment from before.
In fact, two different strains have slipped through my filter, but
I've only seen each of them once.  (This is just my personal mailbox,
btw. - slow traffic is to be expected.)

I don't know what the difference is (I'm not really interested in
running it), but the ruleset I posted a few weeks ago no longer
catches everything since the match was too tight - I was checking the
body itself.  I'm basically just assuming they are also Hybris, since
they have the same tell-tale message boundary.

It's been on my TODO list for the past few days to create an updated
procmail ruleset to catch the new strains.  When I do I'll post a
copy here.


I just realized something funny though.  Worms like Hybris are big
and complex enough to get infected themselves by other simpler
viruses...  And since aggressively try to replicate themselves, they
can easily contribute to the spread of other pests at the same time.
Such fun. :)  I wonder if such a thing could confuse a regular virus
scanner?

-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre at klaki.net                -><-              http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/



More information about the esd-l mailing list