subject: how to filter the Novarg virus
posted: Wed, 28 Jan 2004 17:34:10 -0000


I have devised a near-bulletproof Novarg filter.

The following regular expressions trap this virus dead, no matter
what subject line, message body, or filename it uses:

If expression body matches "UEsDBAoAAA*" Move [virus folder]

If expression body matches "TVqQAAMAAA*" Move [virus folder]

This is because the worm is in fact the same program with many
disguises. However, the program looks the same when encoded with
MIME. Therefore, the above are basically 'MIME sigs' which work just
like a virus signature in a regular virus scanner.

So to find it we merely filter on the MIME strings above, which are
the first 10 bytes of the MIME content section.

For users without enterprise-class content filters (such as me),
these two regexps work like a silver bullet.

(That two different sigs are required suggests there are two versions
of the virus in circulation.)

No silver bullet for auto-notification messages, unfortunately :(

Stuart



---
* Origin: [adminz] tech, security, support (192.168.0.2)

generated by msg2page 0.06 on Jul 21, 2006 at 19:04:19
