To all, esp those with the Novarg/MyDoom virus going through their systems.
Been in two minds to post this, or to just stay quiet... However, since we're getting 100 or so mydoom emails per day (I know, not that much, but still causes our mx IP address to be blocked by some sites), I decided to bring MIMEDefang into the loop, to filter out the mydoom emails. I followed last month's thread on the zip files being of "x" bytes size, and scanning the unzipped file (via perl or just unzip command line), but managed to come up with a different solution. Thought someone might make use of it, or even improve on it. I admit, the virus scanners probably do a better job than this script, but I needed something quickly.

Basically, it checks the base64 strings for the signature outlined at f-secure's site: http://www.f-secure.com/v-descs/novarg.shtml

Inside filter:

    # Mydoom/Novarg test
    if (lc($ext) =~ /zip/) {
        my $count = 0;
        my $lines = $entity->body();   # transfer-encoded body: one base64 line per element
        my $found = 0;
        while (($count < scalar(@$lines)) && !$found) {
            my $line = $lines->[$count++];
            # Base64 of the start of the zip local file header of the known
            # attachment; the six wildcard characters cover the entry's
            # modification time/date.
            if ($line =~ m/^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA/) { $found = 1; }
            if ($line =~ m/^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA/) { $found = 1; }
        }
        if ($found) {
            md_graphdefang_log('test', "Found NoVarg Virus");
            action_change_header('Subject', '[VIRUS?] ' . $Subject);
            action_delete_all_headers('X-Virus-Status');
            action_add_header('X-Virus-Status', "Yes, name=NoVarg");
            action_drop_with_warning("Dropped $fname ($type) containing virus NoVarg.");
            action_quarantine($entity, "A known virus signature was detected, and removed\n");
            return;
        }
    }

I admit, checks of whether the zip file is too large/too small could be added, and I'm not sure if the base64 line is the very first line (making count obsolete, if it is...).

Hope it helps someone.

-Paul Whittney

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
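As an added example (not from the post, and not MIMEDefang's own code), the Python below decodes the two posted base64 signatures back into the zip local file header fields they encode (a stored entry with fixed sizes and CRC), and applies the same match structurally after decoding the body as a whole, so it no longer matters which line the header lands on. The sample attachment lines, the name "document.exe" and the CRC/method used for the non-matching case are constructed.

```python
import base64
import re
import struct

# The two base64 signatures from the post; '.' marks the six wildcard characters
# (they cover the entry's DOS modification time/date and two bits of its CRC).
POSTED_SIGNATURES = ["UEsDBAoAAAAAA......zy5egAlgAAAJYAA",
                     "UEsDBAoAAAAAA......KJx+eAFgAAABYAA"]
POSTED_REGEXES = [re.compile("^" + s.replace("+", r"\+")) for s in POSTED_SIGNATURES]

# Zip local file header, first 26 bytes, little-endian: signature, version, flags,
# method, mod time, mod date, crc32, compressed size, uncompressed size.
HEADER_PREFIX = struct.Struct("<4sHHHHHIII")
CRC_KNOWN_MASK = 0xFFFFFF3F  # CRC bits 6-7 sit inside the regex wildcard

def parse_local_header(raw):
    """Return the header fields as a dict, or None if raw is not a zip entry."""
    if len(raw) < HEADER_PREFIX.size or raw[:4] != b"PK\x03\x04":
        return None
    _sig, _ver, _flags, method, _mt, _md, crc, csize, usize = HEADER_PREFIX.unpack_from(raw)
    return {"method": method, "crc": crc, "csize": csize, "usize": usize}

def signature_fields(sig):
    """Decode a posted signature (wildcards as 'A', i.e. zero bits) into header fields."""
    return parse_local_header(base64.b64decode(sig.replace(".", "A") + "AA"))

KNOWN = [signature_fields(s) for s in POSTED_SIGNATURES]

def header_from_body(lines):
    """Decode the first 30 bytes of a base64 MIME body, whatever the line wrapping."""
    text = re.sub(r"[^A-Za-z0-9+/]", "", "".join(lines))[:40]
    return parse_local_header(base64.b64decode(text[:len(text) - len(text) % 4]))

def matches_known(header):
    """Structural form of the regex test: stored entry, same sizes, same known CRC bits."""
    return header is not None and any(
        header["method"] == k["method"] and header["csize"] == k["csize"]
        and header["usize"] == k["usize"]
        and (header["crc"] & CRC_KNOWN_MASK) == (k["crc"] & CRC_KNOWN_MASK)
        for k in KNOWN)

def posted_regex_hits(lines):
    """The post's own line-by-line regex check, for comparison."""
    return any(r.match(line) for line in lines for r in POSTED_REGEXES)

def build_sample(crc, size, method=0):
    """Constructed fixture: one local header plus zero filler, base64 at 76 columns
    (not a valid archive: the CRC is not computed over the filler; name is made up)."""
    name = b"document.exe"
    header = HEADER_PREFIX.pack(b"PK\x03\x04", 10, 0, method, 0x1234, 0x5678, crc, size, size)
    header += struct.pack("<HH", len(name), 0) + name
    return base64.encodebytes(header + b"\0" * size).decode().splitlines()
SAMPLE_HIT = build_sample(0x9E1F270A, 22528)             # second posted signature's fields
SAMPLE_MISS = build_sample(0x12345678, 22528, method=8)  # same size, unrelated entry
```

Decoding the signatures shows what the regexes actually pin down: method 0 (stored) and compressed = uncompressed size of 22530 and 22528 bytes respectively, which is the same size check the earlier thread did by other means.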

