Bugtraq mailing list archives

Re: Blocking the Melissa Trojan


From: jhardin () wolfenet com (John D. Hardin)
Date: Sat, 27 Mar 1999 20:12:22 -0800


On Sat, 27 Mar 1999, Brett Glass wrote:

> At 03:28 PM 3/27/99 -0800, John D. Hardin wrote:
> > On Sat, 27 Mar 1999, Brett Glass wrote:
> >
> > > Excellent. Is there a default "poisoned executables" file in the
> > > package? Or do admins have to construct a list themselves?
> >
> > They have to make it themselves if they wish to use the facility. The
> > web page has a suggested list of filenames.
>
> Sounds good. Now, for the next twist to the story.
>
> It turns out that the Melissa code also infects NORMAL.DOT, so that
> the computer starts producing infected documents. When one of those
> documents hits a machine that hasn't been infected yet, that machine
> sends out a barrage of e-mail.... Using the NEW document as the
> attachment! It'll have a different name.  So, we also need to filter
> by subject and body.

That's a job that regular procmail is well suited to. If the subject
is fixed (hang on, reading bugtraq...)

Per Aleph1:
 The subject line is "important Message From <some user name>". The
 body consist of the text "Here is that document you asked for...
 don't show anyone else;-)".

That's fairly simple...

# Header stage: match the worm's fixed subject line (procmail regexes
# are case-insensitive unless the D flag is set)
:0 H
* ^Subject:.*important Message From
{
  # Body stage: MIME part headers sit inside the body, so the
  # Content-Type/Content-Disposition filename check also runs here
  :0 B
  * Here is that document you asked for
  * don't show anyone else
  * ^Content-.*: .*\.do[ct]
  {
    # Assigning LOG writes the text to the procmail log immediately
    LOG='REJECT Possible "Melissa" Microsoft Word macro worm: '

    # Deliver to the quarantine folder instead of the user's inbox
    :0
    security-quarantine
  }
}

--
 John Hardin KA7OHZ                               jhardin () wolfenet com
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
  In the Lion
  the Mighty Lion
  the Zebra sleeps tonight...
  Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
   52 days until Star Wars episode I
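The same three-part heuristic from Hardin's procmail recipe (fixed subject, the two body phrases, and a `.doc`/`.dot` attachment in any MIME part), written as an added Python example for readers who want to test the rule on sample messages rather than on a live procmail delivery. This is not code from the original post; it uses only the standard-library `email` module, matches case-insensitively to mirror procmail's default, and builds its own constructed test messages. The function name `looks_like_melissa` and the sample addresses are assumptions for illustration. Because the attachment test keys on the file extension rather than a particular filename, it covers the case Brett raises: a freshly infected NORMAL.DOT produces a document with a new name, but the subject, body text and `.doc` extension are unchanged.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators quoted from Aleph1 in the thread; case-insensitive like procmail.
SUBJECT_RE = re.compile(r"important Message From", re.IGNORECASE)
BODY_PHRASES = ("Here is that document you asked for", "don't show anyone else")
# Equivalent of the recipe's  ^Content-.*: .*\.do[ct]  applied to part filenames.
ATTACHMENT_RE = re.compile(r"\.do[ct]$", re.IGNORECASE)


def looks_like_melissa(raw: bytes) -> bool:
    """Return True when a raw RFC 2822 message matches all three indicators.

    Subject check first (cheap, header-only), then a walk over the MIME
    parts to find a Word attachment and collect the plain-text body.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not SUBJECT_RE.search(msg.get("Subject", "")):
        return False

    body_text = ""
    has_word_attachment = False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, nothing to inspect
        filename = part.get_filename()
        if filename and ATTACHMENT_RE.search(filename):
            has_word_attachment = True
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()

    lowered = body_text.lower()
    return has_word_attachment and all(p.lower() in lowered for p in BODY_PHRASES)


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a multipart test message (constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.invalid"   # assumed placeholder addresses
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    # Stand-in payload; the real worm carried a Word document with macros.
    msg.add_attachment(b"constructed stand-in for a Word document",
                       maintype="application", subtype="msword",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    worm_body = "Here is that document you asked for... don't show anyone else;-)"
    samples = {
        "original list.doc": build_sample("Important Message From Brett Glass", worm_body, "list.doc"),
        "renamed attachment": build_sample("Important Message From Someone", worm_body, "quarterly-report.dot"),
        "text attachment": build_sample("Important Message From Someone", worm_body, "notes.txt"),
        "unrelated subject": build_sample("Lunch?", worm_body, "list.doc"),
    }
    for label, raw in samples.items():
        print(f"{label:20s} -> {'QUARANTINE' if looks_like_melissa(raw) else 'deliver'}")
```

Running the block flags the first two samples and passes the other two, which is exactly the behaviour the procmail recipe gives: a renamed document still trips the filter, while a message that lacks any one of the three indicators is delivered normally.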