On Sat, 13 Jan 2001, NetWin Support Auckland wrote:
[...]
> >Anyone got any suggested filters for intercepting this?
>
> I haven't looked at this one specifically but the general technique you
> can use is to examine a news message containing it and find a sequence
> of characters which are unique to this, the tricky bit is if it's all mime
> encoded: you need to find a sequence of mime bytes that correspond to part of
> the worm which doesn't change and is specific to the worm, then put that
> sequence into your filter.dat (and enable spam protection with spam_stop true)
Hopefully this one's fairly easy. The messages are in alt.comp.virus;
the subject line is systematic, see
http://www.viruslist.com/eng/viruslist.asp?id=411&key=00001000130000100044
for an explanation (section "Plugins").
Examples I currently see in alt.comp.virus include:
Subject: text0IWEW_DWAnC...
Subject: poly"[EMAIL PROTECTED]
Subject: pdll.YPZP.YPnMj...
Subject: avip9ENFN9ENdCh...
So it appears we can say the subject starts with a fixed text (choice of
strings that are four lower-case chars), one char, four upper-case
chars. The above examples suggest some relationships like the 7th, 9th &
12th char being the same (but I suppose there is such a thing as
co-incidence ;-).
The initial fixed-texts that I know about so far are: encr, text, poly, pdll
& avip
Also, the examples I checked were coming through anonymising mail2news
services.
> If you can't figure this out send me an example news article containing the
> worm as raw text, placed inside a zipped file and CLEARLY MARKED :-)
"Don't Panic" - this isn't the worm itself but rather the plugins for it.
> And I'll try and suggest something specific.
That would be appreciated. Does the above help?
Also, what version of DNews do I need for these features?
Thanks,
Neale.
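As an added illustration (not part of the thread, and not DNews filter.dat syntax, which is not shown here), the subject-line pattern Neale describes can be turned into a detection check and run over a batch of article headers. The prefix list, the "7th, 9th and 12th character" heuristic and the sample headers below are taken from the message above; the `strong`/`weak`/`none` verdicts are an assumption of this example.

```python
import re

# Fixed four-letter prefixes listed in the thread. The thread says this is only
# the set known "so far", so treat it as incomplete (assumption of this example).
KNOWN_PREFIXES = ("encr", "text", "poly", "pdll", "avip")

# Pattern described in the thread: known prefix, one arbitrary char, four upper-case chars.
SUBJECT_RE = re.compile(r"^(?:" + "|".join(KNOWN_PREFIXES) + r").[A-Z]{4}")


def subject_matches(subject: str) -> bool:
    """True if the subject fits prefix + 1 char + 4 upper-case chars."""
    return SUBJECT_RE.match(subject) is not None


def repeated_char_heuristic(subject: str) -> bool:
    """Secondary check from the thread: the 7th, 9th and 12th chars are identical.
    Subjects shorter than 12 chars cannot satisfy it and return False."""
    if len(subject) < 12:
        return False
    return subject[6] == subject[8] == subject[11]


def classify(subject: str) -> str:
    """'strong' when both checks hit, 'weak' on the prefix pattern alone, else 'none'."""
    if not subject_matches(subject):
        return "none"
    return "strong" if repeated_char_heuristic(subject) else "weak"


def scan_headers(raw: str) -> list:
    """Return (subject, verdict) for every Subject: line in a block of raw headers."""
    results = []
    for line in raw.splitlines():
        if line.startswith("Subject:"):
            subject = line[len("Subject:"):].strip()
            results.append((subject, classify(subject)))
    return results


# Constructed sample headers: the first three reuse the shapes quoted in the thread,
# the last two are ordinary subjects that must not trigger the filter.
SAMPLE_HEADERS = """\
Subject: text0IWEW_DWAnC
Subject: pdll.YPZP.YPnMj
Subject: avip9ENFN9ENdCh
Subject: Re: How do I configure DNews filters?
Subject: textual analysis of polymorphic code
"""

if __name__ == "__main__":
    for subject, verdict in scan_headers(SAMPLE_HEADERS):
        print(f"{verdict:6s} {subject}")
```

The prefix-only match is kept separate from the repeated-character heuristic so that a false positive on an ordinary subject beginning with one of the words can be reviewed before it is dropped.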