Concept Virus/Nimda sendmail-filter.

From: Jonas Stahre (yesat_private)
Date: Wed Sep 19 2001 - 23:32:50 PDT


    Quick Anti-Concept-Virus/Nimda-sendmail-hack.
    
    Looking at the binary of the virus, I noticed that it seemed to have a
    hardcoded boundary and wrote a quick sendmail rule to filter it out.
    
    It will probably slow down your mailserver and break a lot of things and I am
    not even sure it works (since I haven't been able to test it on a live virus
    yet). So use it at your own risk.
    
    Use it, improve it or ignore it.
    
    ---8<--cut here-----------
    
    # Concept Virus(CV) V.5/Nimda-filter by Jonas Stahre (2001-09-19)
    #   Love to my wife and my daughter. :)
    HContent-Type: $>Check_Content_Type_Header
    SCheck_Content_Type_Header
    R$*;$*;boundary="====_ABC1234567890DEF_===="	$#error $: 553 Warning! This message may contain the Concept Virus(CV) V.5
    
    ----8<--- and here ----------
    
    !!!! Remember to put tabs in front of $#error !!!!
    
    If you use it and succeed in stopping viruses, or have suggestions on how to
    improve it, please mail me at yesat_private
    
      /Jonas Stahre
    
    #!/bin/sh -- # set i=echo;set I='u[Cu[Cu[C';set l="tr u \033";$L       .-.
    clear;cat $0;cat $0|sed '/D/d;s/L.*$/l/;s/.*# //;s/1/;71H/g'|csh -f;[   V   ]
    # while 2;$i "u[31/$I\u[21 $I "|$l;$i "u[31 $I u[21_${I}_"|$L         (( ))
    # end;$i "u[31 $I u[21\$I/"|$l;$i "u[21_${I}_"|$L  -yesat_private-  ^ ^
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
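
Added example, not part of the original post and not sendmail code: the same hardcoded-boundary check done in Python on parsed MIME headers, so the match does not depend on how many parameters precede `boundary` (the rule's left-hand side as posted is written with two `;` before it) or on header folding. The function names and sample messages are constructed for illustration; only the boundary string and the 553 text come from the rule above.

```python
from email import message_from_string
from email.message import Message

# Boundary string quoted in the sendmail rule from the post.
NIMDA_BOUNDARY = "====_ABC1234567890DEF_===="
REJECT = "553 Warning! This message may contain the Concept Virus(CV) V.5"


def boundaries(msg: Message):
    """Yield the boundary parameter of every part that declares one."""
    for part in msg.walk():
        b = part.get_boundary()  # unquotes the value; None when absent
        if b is not None:
            yield b


def verdict(raw: str) -> str:
    """Return an SMTP-style reply: 553 on a boundary match, else 250."""
    msg = message_from_string(raw)
    if any(b == NIMDA_BOUNDARY for b in boundaries(msg)):
        return REJECT
    return "250 OK"


def sample(content_type: str) -> str:
    """Build a constructed test message with the given Content-Type value."""
    return (
        "From: sender@example.test\n"
        "Subject: constructed sample\n"
        f"Content-Type: {content_type}\n"
        "\n"
        "body\n"
    )


# Constructed inputs (not captured traffic).
TWO_PARAMS = sample('multipart/related; type="multipart/alternative"; '
                    f'boundary="{NIMDA_BOUNDARY}"')
ONE_PARAM = sample(f'multipart/mixed; boundary="{NIMDA_BOUNDARY}"')
FOLDED = sample(f'multipart/alternative;\n\tboundary="{NIMDA_BOUNDARY}"')
BENIGN = sample('multipart/mixed; boundary="----=_Part_0001"')

if __name__ == "__main__":
    for name, raw in [("two params", TWO_PARAMS), ("one param", ONE_PARAM),
                      ("folded", FOLDED), ("benign", BENIGN)]:
        print(f"{name:10s} -> {verdict(raw)}")
```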
    


