subject: (Fwd) Re: how to filter the Novarg virus
posted: Fri, 30 Jan 2004 13:28:17 -0000
Sorry folks, the MIME sig will catch all EXEs, not just Novarg :)
I have left it enabled, however (see below).
Stuart
------- Forwarded message follows -------
From: lsi <[email protected]>
To: "Alex Shipp" <[email protected]>
Subject: Re: how to filter the Novarg virus
Copies to: [email protected], [email protected]
Send reply to: [email protected]
Date sent: Fri, 30 Jan 2004 10:26:03 -0000
Right.
How about using entire lines of the MIME content section?
I had some success with these. However there's quite a degree of
variety in the strings - so far I have five different ones, and they still
don't catch every instance of the worm.
So, I think I might leave my inadvertent block on all EXE attachments in
place, at least until Novarg disables itself.
If I had the resources of a large anti-virus company, I might be able to
devise a fairly generic system, complete with MIMEBL (queried by each
compliant mailreader before processing inbound mail) that maintains a list
of malicious MIME signatures...
My final comment: a permanent block using this method would be fine, if
everyone encrypted their attachments before sending them to me, as the
inbound file would never look the same, and it's extremely improbable the
encrypted file would look identical (in MIME) to malicious code. Viruses
would only be delivered to me in this case if they were themselves
encrypted.
Stuart
On 28 Jan 2004 at 21:13, Alex Shipp wrote:
From: "Alex Shipp" <[email protected]>
To: <[email protected]>
Subject: Re: how to filter the Novarg virus
Date sent: Wed, 28 Jan 2004 21:13:28 -0000
> > I have devised a near-bulletproof Novarg filter.
>
> > If expression body matches "TVqQAAMAAA*" Move
>
> Well the bad news is that this is going to stop practically all EXEs
> anyone mails you. Still, if that's what you want to do, you probably
> want to make your filter even smaller.
>
> I didn't bother to check the other filter, but it may do a similar
> job for ZIPs.
>
> :-)
>
> Alex
------- End of forwarded message -------
---
* Origin: [adminz] tech, security, support (192.168.0.2)
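
Why the `TVqQAAMAAA*` rule discussed in this thread hits practically every EXE, shown as an added example that is not part of the original messages: the string is simply the base64 form of the common DOS/PE file header, so two unrelated programs produce the same match. The sample mails, file names and helper names are constructed for illustration.

```python
import base64
from email import message_from_bytes
from email.message import EmailMessage

# Filter string from the thread (the trailing "*" there is the wildcard).
SIGNATURE = "TVqQAAMAAA"
# Start of the DOS header emitted by common linkers; generic, not Novarg-specific.
MZ_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000")
# Start of a ZIP local file header.
ZIP_HEADER = bytes.fromhex("504b03041400")


def build_mail(filename, payload):
    """Constructed sample: a text body plus one base64-encoded attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def scan(raw):
    """Return (filename, signature_hit, file_kind) for each base64 part."""
    results = []
    for part in message_from_bytes(raw).walk():
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        encoded = "".join(part.get_payload().split())
        head = base64.b64decode(encoded[:16])  # 16 chars decode to <= 12 bytes
        if head[:2] == b"MZ":
            kind = "exe"
        elif head[:4] == b"PK\x03\x04":
            kind = "zip"
        else:
            kind = "other"
        results.append((part.get_filename(), encoded.startswith(SIGNATURE), kind))
    return results


if __name__ == "__main__":
    samples = {
        "tool_a.exe": MZ_HEADER + b"\x00" * 48 + b"program A",
        "tool_b.exe": MZ_HEADER + b"\x00" * 48 + b"a different program",
        "docs.zip": ZIP_HEADER + b"\x00" * 20,
    }
    for name, data in samples.items():
        print(scan(build_mail(name, data)))
```

Both constructed EXE attachments match the signature although their contents differ, which is the over-blocking Alex describes; the ZIP sample begins with `UEsDB` instead and is not matched.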