At 08:41 AM 1/12/01 +1100, you wrote:
>Greetings all,
>
>AFAIK, the hybris worm (AKA Snowhite "virus") propagates by various means
>including usenet.
>
>Anyone got any suggested filters for intercepting this?

I haven't looked at this one specifically, but the general technique you
can use is to examine a news message containing it and find a sequence
of characters which is unique to it. The tricky bit is if it's all MIME
encoded: then you need to find a sequence of MIME bytes that corresponds to
part of the worm which doesn't change and is specific to the worm, then put
that sequence into your filter.dat (and enable spam protection with
spam_stop true).

If you can't figure this out, send me an example news article containing the
worm as raw text, placed inside a zipped file and CLEARLY MARKED :-)
And I'll try and suggest something specific.

ChrisP.
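
The following is an added example, not part of the original message or of the news server's own tooling. It shows why a fixed byte run inside a base64 (MIME) attachment has three possible encoded forms, depending on where the run falls relative to base64's 3-byte groups, and derives all three as candidate filter strings. The marker bytes, function names and sample article are constructed for illustration; the syntax of filter.dat is not shown on this page and is not assumed here.

```python
import base64
import re

# Constructed stand-in for a byte run that never changes between copies.
INVARIANT = b"CONSTRUCTED-INVARIANT-MARKER"

def base64_signatures(invariant: bytes) -> list[str]:
    """Base64 text the run produces at each of the 3 byte alignments."""
    sigs = []
    for offset in range(3):
        padded = b"\x00" * offset + invariant      # dummy bytes set alignment
        usable = len(padded) - len(padded) % 3     # whole 3-byte groups only
        encoded = base64.b64encode(padded[:usable]).decode("ascii")
        # Drop leading characters that also depend on the bytes before the run.
        sigs.append(encoded[(0, 2, 3)[offset]:])
    return sigs

def article_matches(article: str, invariant: bytes = INVARIANT) -> bool:
    """True if any alignment's signature occurs in the article body."""
    flat = re.sub(r"\s+", "", article)             # undo 76-column line wraps
    return any(sig in flat for sig in base64_signatures(invariant))

def build_article(prefix_len: int, with_marker: bool = True) -> str:
    """Constructed sample article with a base64 attachment."""
    payload = b"\x90" * prefix_len
    payload += (INVARIANT if with_marker else b"harmless bytes only") + b"\x00tail"
    body = base64.encodebytes(payload).decode("ascii")
    return ("Subject: constructed sample\n"
            "Content-Transfer-Encoding: base64\n\n" + body)

if __name__ == "__main__":
    for sig in base64_signatures(INVARIANT):
        print(sig)
    for n in (50, 51, 52):
        print(n, article_matches(build_article(n)))
    print("clean", article_matches(build_article(50, with_marker=False)))
```

A filter that matches line by line can still miss a signature that straddles a wrapped base64 line, which is why the check above joins the lines before searching.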