anomy-list

Re: Re: zip files from W32/Mydoom@MM

From: Jeff Peterson (112940@xyz.molar.is)
Date: Wed 28 Jan 2004 - 06:14:43 GMT


    It seems that it shouldn't be too hard to modify the file lists to
    defang known prefix/suffix pairs for this virus.

    Symantec has a pretty good outline of the virus details:
    http://www.sarc.com/avcenter/venc/data/w32.novarg.a@mm.html

    According to Symantec, the following attachments will be found:

    ---
    document
    readme
    doc
    text
    file
    data
    test
    message
    body
    ---
    

    With the following possible extensions:

    ---
    .pif
    .scr
    .exe
    .cmd
    .bat
    .zip
    ---

    Optionally, with the following possible middle/first extensions
    (e.g. file.html.exe):

    ---
    .html
    .txt
    .doc
    ---

    Based on this information, a file mask should be able to be created. Anyone want to give it a shot?

    Bjarni R. Einarsson wrote:

    >On 2004-01-27, 14:19:39 (+0100), Thomas von Hassel wrote:
    >
    >>Hi
    >>
    >>is it just me or do the zip files from W32/Mydoom@MM slip through
    >>anomy?
    >>
    >
    >Almost certainly, unless you have a virus scanner plugged in.
    >
    >ZIP files are generally on the list of allowed file types, so this
    >is to be expected.
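One way to turn the base-name / middle-extension / final-extension lists above into a file mask, as an added example (not code from the thread or from the anomy project). It assumes case-insensitive matching, which the message does not state, and the sample attachment names are constructed.

```python
import re

# Base names, optional middle extensions and final extensions exactly as
# listed in the message (taken from the Symantec write-up).
BASE_NAMES = ["document", "readme", "doc", "text", "file",
              "data", "test", "message", "body"]
MIDDLE_EXTS = [".html", ".txt", ".doc"]
FINAL_EXTS = [".pif", ".scr", ".exe", ".cmd", ".bat", ".zip"]


def build_mask() -> "re.Pattern[str]":
    """Compile one regex covering every base(.middle)?.final combination.

    Case-insensitive matching is an assumption made here, not a fact
    stated in the thread.
    """
    names = "|".join(re.escape(n) for n in BASE_NAMES)
    middles = "|".join(re.escape(e) for e in MIDDLE_EXTS)
    finals = "|".join(re.escape(e) for e in FINAL_EXTS)
    return re.compile(rf"^(?:{names})(?:{middles})?(?:{finals})$", re.IGNORECASE)


MYDOOM_MASK = build_mask()


def matches_mydoom_name(filename: str) -> bool:
    """True if the attachment name fits the naming pattern from the message."""
    # Only look at the last path component; a MIME filename parameter
    # may carry directory separators that the mask should ignore.
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return MYDOOM_MASK.match(basename) is not None


def enumerate_names() -> list:
    """Expand the lists into every literal filename the mask accepts,
    for filters that take a plain list instead of a regex (9 * 4 * 6 = 216)."""
    return [base + middle + final
            for base in BASE_NAMES
            for middle in [""] + MIDDLE_EXTS
            for final in FINAL_EXTS]


def classify(filenames) -> list:
    """Return (name, flagged) pairs for a batch of attachment names."""
    return [(name, matches_mydoom_name(name)) for name in filenames]


# Constructed sample attachment names, not taken from any real message.
SAMPLE_NAMES = ["readme.zip", "file.html.exe", "Message.scr", "body.txt.pif",
                "report.zip", "document.pdf", "readme.html", "data.doc.doc"]

if __name__ == "__main__":
    for name, flagged in classify(SAMPLE_NAMES):
        print(f"{'BLOCK' if flagged else 'pass '}  {name}")
```

Note that a ZIP matching the mask is only flagged by its name; the thread's point stands that, without a scanner, the archive's contents are never inspected.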



    hosted by molar.is