[Esd-l] SWEN identifier: TO/FROM/SUBJECT
Agostini yves
agostini at univ-metz.fr
Wed Sep 24 06:22:12 PDT 2003
On Wed 24/09/2003 at 14:51, John D. Hardin wrote:
> On Wed, 24 Sep 2003, Scott Taylor wrote:
>
> > On Tue, 23 Sep 2003, John Downing wrote:
> >
> > >
> > > The uppercase TO/FROM/SUBJECT headers are NOT an "if and only if" marker
> > > for the swen worm. I have quarantined email with swen attachments that have
> > > both normal and all uppercase headers.
> >
> > Same here. However, the attachment always starts with "TVqQAAMAAAAEAAAA".
>
> Standard Windows Executable first few bytes.
>
> > Although, I fail to see what difference it makes as John's Sanitizer rules
> > pick it up every time.
>
> Yeah, but it'd be nice to have a local rule so that we can selectively
> DISCARD NONOTIFY and stop being hounded by the alerts...
>
What do you think about this:
# Probable Swen: size window seen for the worm mails, multipart/mixed,
# and a Subject built from the "Latest Microsoft Security Update" word list.
# Matched mail is logged and the Sanitizer's security notification is suppressed.
:0
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed
* ^Subject: ({Virus\?} )?((La(te)?st|New(est)?|Current) )?((Microsoft|Internet|Net(work)?) )?((Security|Critical) )?(Up(grade|date)|Pa(ck|tch))
{
  LOG="TRAPPED: Probable Swen worm "
  SECURITY_NOTIFY=NO
}
--
-----------------------------------------------------------------
AGOSTINI Yves CRIUM - Université de Metz
agostini at univ-metz.fr http://www.crium.univ-metz.fr
tel: 03 87 31 52 63 fax: 03 87 31 53 33
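As an added illustration, not part of the post or of the Sanitizer itself, here is the recipe's logic in Python together with the "TVqQAAMAAAAEAAAA" attachment check mentioned earlier in the thread, run over two constructed messages (the sender addresses and the sample bodies are made up).

```python
import base64
import email
import re

# Subject pattern from the procmail recipe above, as a Python regex
# (procmail conditions are case-insensitive by default, hence IGNORECASE).
SWEN_SUBJECT = re.compile(
    r"^({Virus\?} )?((La(te)?st|New(est)?|Current) )?"
    r"((Microsoft|Internet|Net(work)?) )?((Security|Critical) )?"
    r"(Up(grade|date)|Pa(ck|tch))",
    re.IGNORECASE,
)

# Base64 of the first 12 bytes of a Win32 PE file (the "MZ" DOS header);
# the thread reports every Swen attachment starts with it.
MZ_B64_PREFIX = "TVqQAAMAAAAEAAAA"

def mz_prefix_bytes() -> bytes:
    """Decode the prefix so the reader can see it really is an MZ header."""
    return base64.b64decode(MZ_B64_PREFIX)

def attachment_is_pe(msg) -> bool:
    """True if any base64-encoded part begins with the MZ header prefix."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        raw = part.get_payload(decode=False)  # undecoded base64 text
        if isinstance(raw, str) and raw.lstrip().startswith(MZ_B64_PREFIX):
            return True
    return False

def probable_swen(raw_message: bytes) -> bool:
    """Recipe checks: size window, multipart/mixed, Subject pattern, MZ prefix."""
    if not 10000 < len(raw_message) < 50000:
        return False
    msg = email.message_from_bytes(raw_message)
    if msg.get_content_type() != "multipart/mixed":
        return False
    if not SWEN_SUBJECT.search(msg.get("Subject", "")):
        return False
    return attachment_is_pe(msg)

def build_sample(subject: str, b64_body: str) -> bytes:
    """Constructed multipart/mixed message with one base64 attachment (not real worm mail)."""
    b = "====sample===="
    return (
        f"Subject: {subject}\r\nFrom: sender@example.invalid\r\nTo: you@example.invalid\r\n"
        f"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"{b}\"\r\n\r\n"
        f"--{b}\r\nContent-Type: text/plain\r\n\r\nPlease install this.\r\n"
        f"--{b}\r\nContent-Type: application/octet-stream; name=\"patch.exe\"\r\n"
        f"Content-Transfer-Encoding: base64\r\n\r\n{b64_body}\r\n--{b}--\r\n"
    ).encode()

# Constructed samples: one Swen-style, one harmless. Padding keeps both in the size window.
SWEN_LIKE = build_sample("Latest Microsoft Security Update", MZ_B64_PREFIX + "A" * 15000)
BENIGN = build_sample("Meeting notes", "SGVsbG8=" + "A" * 15000)
```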