>> On Thu, 4 May 2000 19:28:32 -0400,
>> "Searcher" <[EMAIL PROTECTED]> said:
R> Anyone can rename that .vbs to what ever they want and send it around
R> again so wouldn't it be more efficient to filter all .vbs attachments?
The only safe way to handle this is to check any attachment for a
Registry reference or an indication that Visual Basic is being run.
Few if any legitimate attachments should be referring to the Registry,
and all the mischief seems to be done via VB scripts.
Unpacking an infected attachment (different virus) and running strings
on it gave me the following:
HKEY_CURRENT_USER\Software\Microsoft\Office\
VB_Nam
VBProjectOh
VBComponents
temp\VBE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VBA\VBA332.DLL
\VBE\MSForms.EXD
--
Karl Vogel
ASC/YCOA, Wright-Patterson AFB, OH 45433, USA
[EMAIL PROTECTED] or [EMAIL PROTECTED]
- Re: hack for filtering "... Alex at MessageLabs
- Re: hack for filtering "... Kai MacTane
- Re: hack for filtering "... Johan Almqvist
- Re: hack for filtering "... Jason Haar
- Re: hack for filtering "... Rainer Link
- Re: hack for filtering "i love y... Johan Almqvist
- Re: hack for filtering "i love you&q... Bruce Guenter
- Re: hack for filtering "i love y... Kai MacTane
- Re: hack for filtering "i love you&q... Neil Schemenauer
- Re: hack for filtering "i love y... Bruno Wolff III
- Re: hack for filtering "i love you&q... vogelke
- Re: hack for filtering "i love you" worm octave klaba
- Re: hack for filtering "i love you" wor... Jesper Hess Nielsen
- Re: hack for filtering "i love you"... octave klaba
- Re: hack for filtering "i love you&q... Jesper Hess Nielsen
- Re: hack for filtering "i love y... Petr Novotny
- Re: hack for filtering "i love you"... Ricardo Cerqueira
- Re: hack for filtering "i love you"... Vrba Miroslav
- Re: hack for filtering "i love you" wor... Neil Schemenauer
- Re: hack for filtering "i love you" worm Jesper Hess Nielsen
- Re: hack for filtering "i love you" wor... Tim Gollschewsky
