anomy-list

• Previous message: 112819@xyz.molar.is: "RE: File exclusion question : Somecompany.com.doc"
• In reply to: Bjarni R. Einarsson: "Re: zip files from W32/Mydoom@MM"
• Next in thread: Kimmo Suominen: "Re: zip files from W32/Mydoom@MM"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

It seems that it shouldn't be too hard to modify the file lists to
defang known prefix/suffix pairs for this virus.

Symantec has a pretty good outline of the virus details:
http://www.sarc.com/avcenter/venc/data/w32.novarg.a@mm.html

According to Symantec, the following attachments will be found:

---
document
readme
doc
text
file
data
test
message
body
---
With the following possible extensions:
---
.pif
.scr
.exe
.cmd
.bat
.zip
---
Optionally, with the following possible middle/first extensions (e.g. 
file.html.exe):
---
.html
.txt
.doc
---
Based on this information, a file mask should be able to be created.  
Anyone want to give it a shot?
Bjarni R. Einarsson wrote:
>On 2004-01-27, 14:19:39 (+0100), Thomas von Hassel wrote:
>  
>
>>Hi
>>
>>is it just me or does the zip files from W32/Mydoom@MM slip through 
>>anomy ?
>>    
>>
>
>Almost certainly, unless you have a virus scanner plugged in.  
>
>ZIP files are generally on the list of allowed file types, so this
>is to be expected.
>
>  
>

• Next message: Robinson, Eric: ""Filtered" Attachment Types Are Slipping Through Anyway"
• Previous message: 112819@xyz.molar.is: "RE: File exclusion question : Somecompany.com.doc"
• In reply to: Bjarni R. Einarsson: "Re: zip files from W32/Mydoom@MM"
• Next in thread: Kimmo Suominen: "Re: zip files from W32/Mydoom@MM"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]