This string is in the first line of the other extensions of novarg TVqQAAMAAAAEAAAA
It hits on google for sobig , klez, etc Mike ----- Original Message ----- From: "Chris Scott" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, January 27, 2004 10:11 AM Subject: [IMGate] Re: new virus > > Keith Kikta - iland Internet Solutions wrote: > > > Anyone got a way to block this new one without having to block zip = > > files? > > I'm using the following body check: > > /^UEsDBAoAAAAAA/ REJECT > > This was the first line of the encoded attachement in all samples I saw. I > analyzed a few valid zip files and none started w/that string. A google for > that string brought up quite a few procmail and other recipes that block on > it as used by viruses. > > Blocked 14 on that alone in about 20 min. Standard disclaimer applies. > > -- > Chris Scott > Host Orlando, Inc > http://www.hostorlando.com/ > > > >
