Cybertime Hostmaster wrote:

>The newest rage in viri, Netsky.C, hit one of the machines here. Just a
>heads up on this little bugger:
>
>http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED]
>
>It went past the anti-virus until there was an update made specifically
>for it.
>
>It put 8010 copies of itself on the infected machine.
>
>And it mass mails like nuts.
>
(snip)
>Anyone found a good body check for this one yet?
>
>--Eric
>

According to sarc-
'Name of attachment <http://securityresponse.symantec.com/avcenter/refa.html#name>: varies with .com, .exe, .pif, or .scr file extension'

Are you rejecting executable attachments?
I've been using this in header_checks.regexp-

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ad[ep]|ba[st]|chm|cmd|com|cpl|crt|dll|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[betw]|ms[cipt]|nws|ocx|ops|pcd|p[ir]f|reg|sc[frt]|sh[bsm]|swf|vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" not accepted with ".$3" extension

and Len's checks that came in body_checks.regexp- for example:

/^(content.*[[:space:]]+|[[:space:]]*)(filename|name)=".*\.(htm|html|exe|EXE|ex_|EX_|eml|dll|scr|pif|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|do|hta|reg|lnk|js|jse|net)"/ HOLD REJECT Body filter 3

Notice the hold- there are other tests in body_checks.regexp, and so far nothing has been held. The header checks seem to catch everything.

Gerry.
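Added example (not part of the original post, and not Postfix code): the header_checks pattern quoted above, ported to Python's re module so its verdicts can be checked against sample headers before the rule goes live. The flags assume Postfix pcre-table defaults (case-insensitive, "." matches newline); the helper names and the header lines are constructed for illustration.

```python
import re

# Gerry's header_checks pattern, ported to Python's re module.
# Assumption: flags model Postfix pcre table defaults (case-insensitive,
# "." matches newline) plus the /x flag from the post.
HEADER_CHECK = re.compile(
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ad[ep]|ba[st]|chm|cmd'
    r'|com|cpl|crt|dll|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[betw]|ms[cipt]'
    r'|nws|ocx|ops|pcd|p[ir]f|reg|sc[frt]|sh[bsm]|swf|vb[esx]?|vxd|ws[cfh]))'
    r'(\?=)?"?\s*(;|$)',
    re.IGNORECASE | re.DOTALL | re.VERBOSE,
)

def logical_headers(raw):
    """Split a header block into logical headers; folded lines stay attached."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line   # continuation of the previous header
        elif line:
            headers.append(line)
    return headers

def check_header(header):
    """Return the REJECT text the rule would produce, or None if it passes."""
    m = HEADER_CHECK.search(header)
    if m is None:
        return None
    return 'Attachment name "%s" not accepted with ".%s" extension' % (m.group(2), m.group(3))

# Constructed MIME part headers (not taken from a real message).
SAMPLE = (
    'Content-Type: application/octet-stream;\n'
    '\tname="photo.com"\n'
    'Content-Disposition: attachment; filename=README.SCR\n'
    'Content-Disposition: attachment; filename="report.txt.exe"\n'
    'Content-Disposition: attachment; filename="notes.txt"\n'
    'Subject: file name="x.exe"\n'
)

def run(raw=SAMPLE):
    return [(h.split(":")[0], check_header(h)) for h in logical_headers(raw)]

if __name__ == "__main__":
    for name, verdict in run():
        print(name, "->", verdict or "pass")
```

The folded Content-Type header is matched as one logical header, and the Subject line passes because the pattern is anchored to Content-Disposition and Content-Type.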
