Re: [IMail Forum] PRILISSA Rule?

Wed, 24 Nov 1999 17:04:19 -0800 

The only real identifier I've found so far is the text that is added in the
body of the message, This document is very important and you've got to read
this!

So I created this rule, so far so good.

B~This document is very important and you've got to read this:NUL

Anyone have any better ideas?

------------------------------------------
Rich Griebel
[EMAIL PROTECTED]
http://www.kendra.com



----- Original Message -----
From: Roger Heath <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 24, 1999 4:31 PM
Subject: [IMail Forum] PRILISSA Rule?


> > * FEATURE: MELISSA VARIANT PRILISSA ON THE LOOSE
> > Users recently discovered a Melissa virus variant named Prilissa. The
> > virus infects Word 97 documents and spreads by sending the infected
> > document as an email attachment using Microsoft Outlook to the first 50
> > addresses in each address book.
> >    The subject line reads "Message From (username)." The text in the
> > body of the message reads "This document is very Important and you've
> > GOT to read this!!!" When a user opens the infected document, the virus
> > disables virus protection security settings, conversion confirmation,
> > and recently opened file list.
> >    In addition, the virus triggers on December 25, a Christian holiday.
> > Once triggered, the virus writes a Moslem-related message on the
> > screen, modifies the user's autoexec.bat file and, upon reboot,
> > displays a second Moslem-related message.
> >    Most major antivirus software vendors have produced signature files
> > to detect and remove the virus. Be sure to update your files today.
> >    http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=179&TB=news
> >    http://www.symantec.com/press/1999/n991122b.html
>
> Has any one seen this? Does it use the actual users name or will
>
> S~Message From (username):SPAMBOX
>
> work?
>
> Wondering what is the best rule to use against this?
>
> --
> bcnu
>               www.rleeheath.com
> Roger Heath   [EMAIL PROTECTED]
>
> advanced internet services and software technology
> advanced concepts in emergency medical technology
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>

Please visit http://www.ipswitch.com/support/mailing-lists.html 
to be removed from this list.

Reply via email to