On Sat, 27 Mar 1999, Brett Glass wrote:

> At 03:28 PM 3/27/99 -0800, John D. Hardin wrote:
> > On Sat, 27 Mar 1999, Brett Glass wrote:
> >
> > > Excellent. Is there a default "poisoned executables" file in the
> > > package? Or do admins have to construct a list themselves?
> >
> > They have to make it themselves if they wish to use the facility. The
> > web page has a suggested list of filenames.
>
> Sounds good. Now, for the next twist to the story.
>
> It turns out that the Melissa code also infects NORMAL.DOT, so that
> the computer starts producing infected documents. When one of those
> documents hits a machine that hasn't been infected yet, that machine
> sends out a barrage of e-mail.... Using the NEW document as the
> attachment! It'll have a different name. So, we also need to filter
> by subject and body.

That's a job that regular procmail is well suited to. If the subject is
fixed (hang on, reading bugtraq...)

Per Aleph1: The subject line is "important Message From <some user
name>". The body consists of the text "Here is that document you asked
for... don't show anyone else;-)".

That's fairly simple...

  # H: match against the headers (the default); procmail regexps are
  # case-insensitive, so "important"/"Important" both match.
  :0 H
  * ^Subject:.*important Message From
  {
    # B: match against the body. In a MIME message the attachment's own
    # Content-Type/Content-Disposition headers are part of the body, so
    # the third condition catches a .doc/.dot attachment under any name.
    :0 B
    * Here is that document you asked for
    * don't show anyone else
    * ^Content-.*: .*\.do[ct]
    {
      # Note it in the procmail log, then deliver to the quarantine
      # mailbox instead of the user's inbox.
      LOG='REJECT Possible "Melissa" Microsoft Word macro worm: '
      :0
      security-quarantine
    }
  }

--
John Hardin KA7OHZ                                    jhardinat_private
pgpk -a finger://gonzo.wolfenet.com/jhardin
PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
In the Lion the Mighty Lion the Zebra sleeps tonight...
Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
52 days until Star Wars episode I
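The three tests in the recipe above (fixed Subject, fixed body text, a .doc/.dot name in an attachment's MIME headers) as a Python filter that can be exercised offline, so the effect of the NORMAL.DOT twist Brett Glass describes can be checked directly. This is an added example, not part of John Hardin's post and not procmail code; the addresses, filenames and message bodies are constructed samples, and the attachment payload is a placeholder rather than a real Word file.

```python
"""Python mirror of the procmail Melissa recipe (added example, not part
of the original post).  Addresses, filenames and bodies are constructed."""
import re
from typing import Optional
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Procmail matches case-insensitively by default, hence re.IGNORECASE.
SUBJECT_RE = re.compile(r"important Message From", re.IGNORECASE)
BODY_PHRASES = (
    re.compile(r"Here is that document you asked for", re.IGNORECASE),
    re.compile(r"don't show anyone else", re.IGNORECASE),
)
# The recipe's '^Content-.*: .*\.do[ct]' runs over the raw body, where the
# attachment's MIME part headers sit; here the parsed part headers are used.
WORD_NAME_RE = re.compile(r"\.do[ct]\b", re.IGNORECASE)


def has_word_attachment(msg: EmailMessage) -> bool:
    """True if any MIME part names a .doc/.dot file in a Content-* header."""
    for part in msg.walk():
        for header in ("Content-Type", "Content-Disposition"):
            if WORD_NAME_RE.search(str(part.get(header, ""))):
                return True
    return False


def is_melissa(raw: bytes) -> bool:
    """All three recipe conditions must hold.  The attachment's filename is
    deliberately not part of the test, so a document regenerated from an
    infected NORMAL.DOT (new name, same subject and body) is still caught."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if not SUBJECT_RE.search(str(msg.get("Subject", ""))):
        return False
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if not all(p.search(body) for p in BODY_PHRASES):
        return False
    return has_word_attachment(msg)


def build_sample(subject: str, body: str, attachment: Optional[str]) -> bytes:
    """Construct a test message (constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        # Placeholder payload; only the filename matters for this filter.
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="msword", filename=attachment)
    return msg.as_bytes()


MELISSA_BODY = "Here is that document you asked for... don't show anyone else;-)"

# Constructed samples: (description, raw message, expected verdict)
SAMPLES = [
    ("original worm mail, list.doc",
     build_sample("Important Message From Alice", MELISSA_BODY, "list.doc"), True),
    ("regenerated from infected NORMAL.DOT, new filename",
     build_sample("Important Message From Alice", MELISSA_BODY, "Q1_budget.doc"), True),
    ("same subject, ordinary body",
     build_sample("Important Message From Alice", "Agenda attached.", "agenda.doc"), False),
    ("worm text but no Word attachment",
     build_sample("Important Message From Alice", MELISSA_BODY, None), False),
]


def run_samples() -> dict:
    """Verdict per sample description (True = would go to quarantine)."""
    return {desc: is_melissa(raw) for desc, raw, _ in SAMPLES}


if __name__ == "__main__":
    for desc, raw, expected in SAMPLES:
        verdict = is_melissa(raw)
        print(f"{'QUARANTINE' if verdict else 'deliver   '}  {desc}")
        assert verdict == expected
```

Like the procmail recipe, this is a fixed-string signature: it survives the attachment being renamed, which is the case raised above, but a variant that changes the Subject or the body sentence walks past it, so the filter should be treated as a stopgap until signature-based scanners catch up rather than as a general Word macro defence.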
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:40:50 PDT