It seems that it shouldn't be too hard to modify the file lists to
defang known prefix/suffix pairs for this virus.
Symantec has a pretty good outline of the virus details:
According to Symantec, the following attachments will be found:
--- document readme doc text file data test message body ---
With the following possible extensions: --- .pif .scr .exe .cmd .bat .zip ---
Optionally, with the following possible middle/first extensions (e.g. file.html.exe): --- .html .txt .doc ---
Based on this information, a file mask should be able to be created. Anyone want to give it a shot?
Bjarni R. Einarsson wrote:
>On 2004-01-27, 14:19:39 (+0100), Thomas von Hassel wrote: > > >>Hi >> >>is it just me or does the zip files from W32/Mydoom@MM slip through >>anomy ? >> >> > >Almost certainly, unless you have a virus scanner plugged in. > >ZIP files are generally on the list of allowed file types, so this >is to be expected. > > >