[Esd-l] URG: Updated novarg local rule for sanitizer
John D. Hardin
jhardin at impsec.org
Tue Jan 27 06:08:05 PST 2004
All:
Based on what made it through overnight, I have updated the rule a bit.
See the attachment or grab the recommended rules file.
Unfortunately it seems to be using some random filenames, so I will be
looking for signature strings in the base64 attachment body. Keying
off the filename won't be enough.
You may wish to consider adding "zip" to your local non-whitelisted
mangle extensions list for a week or so until this starts to die down.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
67 days until the Slovakian Presidential Election
-------------- next part --------------
#
# Trap NovArg
# Signature as of 01/27/2004
#
# Outer recipe: message size between 10000 and 50000 bytes, a
# multipart/mixed Content-Type header, and a text/plain body part
# declaring charset Windows-1252. The two 9876543210^1 conditions are
# scored so that either one matching is enough (the second variant
# uses $ to allow the charset parameter to continue on a folded line).
# Inner recipe (B = match against the body): a base64 attachment whose
# name is one of the listed words, optional digits, and a .zip extension.
# Matches are tagged with X-Content-Security headers via formail
# (NONOTIFY, DISCARD and a REPORT line) for the sanitizer to act on.
#
:0
* > 10000
* < 50000
* ^Content-Type:.*multipart/mixed;
* 9876543210^1 B ?? ^Content-Type:.*text/plain;.*charset *= *"?Windows-1252"?
* 9876543210^1 B ?? ^Content-Type:.*text/plain;.*$.*charset *= *"?Windows-1252"?
{
:0 B hfi
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
* 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
| formail -A "X-Content-Security: [$HOST] NONOTIFY" \
-A "X-Content-Security: [$HOST] DISCARD" \
-A "X-Content-Security: [$HOST] REPORT: Trapped NovArg worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html"
}
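The same trap rule expressed with Python's email library, as an added example that is not part of the original post, so the logic can be exercised against a constructed message offline. It evaluates the attachment conditions per MIME part (the same part must be an attachment, base64-encoded and carry a matching name), which is slightly stricter than the three independent regexes the procmail recipe runs over the raw body, and it requires the .zip name to match in full. The build_sample helper, its addresses and its body text are constructed placeholders and not worm content.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Thresholds and the name pattern are taken from the procmail recipe above.
MIN_SIZE = 10000      # procmail: * > 10000
MAX_SIZE = 50000      # procmail: * < 50000
# procmail conditions are case-insensitive by default, hence re.IGNORECASE.
ZIP_NAME_RE = re.compile(
    r"(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip",
    re.IGNORECASE,
)


def matches_novarg_rule(raw: bytes) -> bool:
    """Return True when a raw RFC 2822 message matches the NovArg trap rule.

    Differences from the procmail recipe: attachment checks are made on one
    MIME part at a time instead of as separate regexes over the whole body,
    and the .zip name must match the pattern in full.
    """
    # Size gate: same bounds as the recipe's first two conditions.
    if not (MIN_SIZE < len(raw) < MAX_SIZE):
        return False
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Top-level Content-Type must be multipart/mixed.
    if msg.get_content_type() != "multipart/mixed":
        return False

    has_cp1252_text = False
    has_named_zip = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        # A text/plain part declaring charset Windows-1252.
        charset = (part.get_content_charset() or "").lower()
        if part.get_content_type() == "text/plain" and charset == "windows-1252":
            has_cp1252_text = True
        # A base64 attachment named <word><digits>.zip (name= or filename=).
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        name = part.get_filename() or ""
        if (part.get_content_disposition() == "attachment"
                and cte == "base64"
                and ZIP_NAME_RE.fullmatch(name)):
            has_named_zip = True
    return has_cp1252_text and has_named_zip


def build_sample(zip_name: str, charset: str = "windows-1252",
                 payload_size: int = 12000) -> bytes:
    """Construct a test message with the shape the rule looks for.

    Everything here is a constructed placeholder (addresses, body text,
    zero-filled attachment bytes); payload_size controls the raw size so
    the size gate can be exercised as well.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Constructed body text.", charset=charset)
    # add_attachment uses base64 for binary content and sets
    # Content-Disposition: attachment; filename="<zip_name>".
    msg.add_attachment(bytes(payload_size), maintype="application",
                       subtype="octet-stream", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    cases = [("document.zip", {}), ("readme42.zip", {}), ("invoice.zip", {}),
             ("document.zip", {"charset": "utf-8"}),
             ("document.zip", {"payload_size": 1000})]
    for name, kwargs in cases:
        verdict = matches_novarg_rule(build_sample(name, **kwargs))
        print(f"{name} {kwargs or ''} -> {'TRAPPED' if verdict else 'pass'}")
```

The per-part evaluation is the reason to prefer a MIME parser over body regexes once the worm starts varying filenames: the decoded attachment bytes of each part are available at the same point where the name is checked, so a signature test on the payload can be added there rather than on base64 text.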