Detection in F-Secure Anti-Virus was published on January 26th, 2004 at 23:09 UTC in update:

[FSAV_Database_Version]
Version=2004-01-27_01

As download speeds for regular updates might be slow, you can download detection for Mydoom directly from here:

ftp://ftp.f-secure.com/anti-virus/updates/fsupdate.exe

Blocking the worm on the mail server

Considering the large volume of the infected emails sent by Mydoom.A, mail server administrators might want to block the worm from entering their mail servers as early as possible.

The ZIP versions of the worm can be detected by matching the first line of the MIME encoded attachment against one of the following regular expressions:

'^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA'
'^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA'

Please note that the '+' sign might or might not need the \ escaping depending on the regular expression implementation.

If either of the expressions matches, the email contains the ZIP compressed version of the worm and can be rejected.

The EXE version can be detected with the presence of the following four consecutive lines in the MIME body:

'QWRuwhLeZHJyFsetbllrtEilOBwrJ8OYMXsTGWAEvKwwhG6qzQlpQXePs2GNRklxNWtlZBN2agul'
'YxILFUnSmWGSblIi5FUzNsGwsPXUQpMmSx2FFJx5orXascf4NmeMS2V5DE9wTd069+gLRSQOOlaN'
'dWVhBwCGDyQRCTN3KaZ1bTAMr63ZbLM/ZMIIAW2j7rQ1zHNlomp3QxDz2N8MAwdpc2RpZ2kZdXBw'
'c83NthF4EglmWwg4zVb4c3BhS0/NLFjA/nubVS9CdWZmQQ8LZ9qOPExvd3d2OXK2I1GYbdh3CkfY'

Keith J. Kikta
[EMAIL PROTECTED]
voice: 1.800.697.7088
fax: 713.868.2268
http://www.iland.com/ - iland Internet Solutions Corporation
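The ZIP check described above, as an added Python example that is not part of the original message or of F-Secure's own tooling. It assumes the message is available as raw text; the function names, the sample message and the HIT_A, HIT_B and MISS first lines are constructed for illustration.

```python
import re
from email import message_from_string

# The advisory's two expressions. In Python's re an unescaped '+' is a
# quantifier, so the second pattern needs the backslash to match a literal '+'.
ZIP_SIGNATURES = [
    re.compile(r"^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA"),
    re.compile(r"^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA"),
]

def first_encoded_line(part):
    """Return the first non-blank line of a part's still-encoded body."""
    raw = part.get_payload(decode=False)
    if not isinstance(raw, str):
        return ""
    return next((ln.strip() for ln in raw.splitlines() if ln.strip()), "")

def matches_zip_signature(raw_message):
    """True if a base64 part's first encoded line matches either expression."""
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte == "base64" and any(
            sig.search(first_encoded_line(part)) for sig in ZIP_SIGNATURES
        ):
            return True
    return False

def sample_message(first_line, body="hello"):
    """Constructed test message; the attachment body is filler, not a sample."""
    return "\n".join([
        "From: a@example.com", "To: b@example.com", "Subject: test",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"', "",
        "--b1", "Content-Type: text/plain", "", body,
        "--b1", 'Content-Type: application/octet-stream; name="doc.zip"',
        "Content-Transfer-Encoding: base64", "",
        first_line, "AAAA", "--b1--", "",
    ])

# Constructed first lines shaped to fit each expression; the six wildcard
# characters are arbitrary filler. MISS starts like an ordinary ZIP header.
HIT_A = "UEsDBAoAAAAAA" + "ABCDEF" + "zy5egAlgAAAJYAA" + "AAAA"
HIT_B = "UEsDBAoAAAAAA" + "ABCDEF" + "KJx+eAFgAAABYAA" + "AAAA"
MISS = "UEsDBBQAAAAIAA" + "ABCDEF" + "zy5egAlgAAAJYAA" + "AAAA"

if __name__ == "__main__":
    for name, line in [("HIT_A", HIT_A), ("HIT_B", HIT_B), ("MISS", MISS)]:
        print(name, matches_zip_signature(sample_message(line)))
```

Only parts declared as base64 are inspected, so the same string appearing in a plain-text body does not trigger a rejection.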
