At 11:29 AM 1/13/01 +1100, you wrote:
>On Sat, 13 Jan 2001, NetWin Support Auckland wrote:
>
>[...]
> > >Anyone got any suggested filters for intercepting this?
> >
> > I haven't looked at this one specifically but the general technique you
> > can use is to examine a news message containing it and find a sequence
> > of characters which are unique to this, the tricky bit is if it's all
> > mime encoded you need to find a sequence of mime bytes that correspond
> > to part of the worm which doesn't change and is specific to the worm,
> > then put that sequence into your filter.dat (and enable spam protection
> > with spam_stop true)
>
>Hopefully this one's fairly easy. The messages are in alt.comp.virus;
>the subject line is systematic, see
>http://www.viruslist.com/eng/viruslist.asp?id=411&key=00001000130000100044
>for an explanation (section "Plugins").
>
>Examples I currently see in alt.comp.virus include:
>
> Subject: text0IWEW_DWAnC...
> Subject: poly"[EMAIL PROTECTED]
> Subject: pdll.YPZP.YPnMj...
> Subject: avip9ENFN9ENdCh...
>
>So it appears we can say the subject starts with a fixed text (choice of
>strings that are four lower-case chars), one char, four upper-case
>chars. The above examples suggest some relationships like the 7th, 9th &
>12th char being the same (but I suppose there is such a thing as
>co-incidence ;-).
>
>The initial fixed-texts that I know about so far are: encr, text, poly, pdll
>& avip
>
>Also, the examples I checked were coming through anonymising mail2news
>services.
In a .rul file I suggest you create a rule to block all posts to comp.alt.virus
that have a path/header suggesting an anonymous post. e.g.
something like:
if (matchone("newsgroups","alt.comp.virus")) then
    if (isbinary()) then
        if (isin("someheadername","anonymoustagsomewhere")) then
            reject "Attachment from anon person in virus group"
        end if
    end if
end if
Sorry I can't give a specific header as I can't find any of those posts
just now (I checked several machines but the group was either empty
or had been removed as a result of this virus already, so I couldn't quickly
find an example header :-(
ChrisP.
> > If you can't figure this out send me an example news article containing
> > the worm as raw text, placed inside a zipped file and CLEARLY MARKED :-)
>
>"Don't Panic" - this isn't the worm itself but rather the plugins for it.
>
> > And I'll try and suggest something specific.
>
>That would be appreciated. Does the above help?
>
>Also, what version of DNews do I need for these features?
>
>Thanks,
>Neale.