Bugtraq mailing list archives
Re: Blocking the Melissa Trojan
From: jhardin () wolfenet com (John D. Hardin)
Date: Sat, 27 Mar 1999 20:12:22 -0800
On Sat, 27 Mar 1999, Brett Glass wrote:
> At 03:28 PM 3/27/99 -0800, John D. Hardin wrote:
> > On Sat, 27 Mar 1999, Brett Glass wrote:
> > > Excellent. Is there a default "poisoned executables" file in the package? Or do admins have to construct a list themselves?
> >
> > They have to make it themselves if they wish to use the facility. The web page has a suggested list of filenames.
>
> Sounds good. Now, for the next twist to the story. It turns out that the Melissa code also infects NORMAL.DOT, so that the computer starts producing infected documents. When one of those documents hits a machine that hasn't been infected yet, that machine sends out a barrage of e-mail.... Using the NEW document as the attachment! It'll have a different name. So, we also need to filter by subject and body.
That's a job that regular procmail is well suited to. If the subject is fixed (hang on, reading bugtraq...)

Per Aleph1: The subject line is "important Message From <some user name>". The body consists of the text "Here is that document you asked for... don't show anyone else;-)".

That's fairly simple...

    :0 H
    * ^Subject:.*important Message From
    {
      :0 B
      * Here is that document you asked for
      * don't show anyone else
      * ^Content-.*: .*\.do[ct]
      {
        LOG='REJECT Possible "Melissa" Microsoft Word macro worm: '
        :0
        security-quarantine
      }
    }

--
John Hardin KA7OHZ                                  jhardin () wolfenet com
pgpk -a finger://gonzo.wolfenet.com/jhardin
PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
 In the Lion the Mighty Lion the Zebra sleeps tonight...
 Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
 52 days until Star Wars episode I
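The three-part test from the recipe above (subject line, both lure phrases in the body, and a .doc/.dot attachment, all required together) as an added Python example; this is not code from the original post, the two sample messages are constructed, and the case-insensitive matching mirrors procmail's default.

```python
import re
import email
from email import policy

SUBJECT_RE = re.compile(r"important Message From", re.I)  # procmail matches case-insensitively
BODY_PHRASES = ("here is that document you asked for", "don't show anyone else")
WORD_DOC_RE = re.compile(r"\.do[ct]$", re.I)  # .doc or .dot attachment name

# Constructed sample messages for this example (not real captured mail).
MELISSA_LIKE = """\
From: alice@example.org
Subject: important Message From Alice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here is that document you asked for... don't show anyone else;-)
--b1
Content-Type: application/msword; name="list.doc"
Content-Disposition: attachment; filename="list.doc"

--b1--
"""

# Same subject line but no lure text and no Word attachment: must be delivered.
BENIGN = """\
From: carol@example.org
Subject: important Message From Carol

Meeting moved to 3pm, see you there.
"""


def classify(raw: str):
    # Mirrors the recipe: subject AND both body phrases AND a .doc/.dot attachment.
    msg = email.message_from_string(raw, policy=policy.default)
    if not SUBJECT_RE.search(msg.get("Subject", "")):
        return "deliver", ""
    text, attachments = "", []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; its children carry the content
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() == "text/plain":
            text += part.get_content().lower()
    docs = [n for n in attachments if WORD_DOC_RE.search(n)]
    hit = docs and all(phrase in text for phrase in BODY_PHRASES)
    return ("quarantine", 'REJECT Possible "Melissa" Microsoft Word macro worm: ' + docs[0]) if hit else ("deliver", "")
```

Because every condition must hold, the second message is delivered even though its subject matches, which is the same behaviour as the nested procmail recipe.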