[10030] in bugtraq
Re: Blocking the Melissa Trojan
daemon@ATHENA.MIT.EDU (John D. Hardin)
Mon Mar 29 15:26:18 1999
Date: Sat, 27 Mar 1999 20:12:22 -0800
Reply-To: "John D. Hardin" <jhardin@wolfenet.com>
From: "John D. Hardin" <jhardin@WOLFENET.COM>
X-To: Brett Glass <brett@lariat.org>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <4.2.0.32.19990327172724.00ae33e0@localhost>
On Sat, 27 Mar 1999, Brett Glass wrote:
>At 03:28 PM 3/27/99 -0800, John D. Hardin wrote:
>>On Sat, 27 Mar 1999, Brett Glass wrote:
>>
>>> Excellent. Is there a default "poisoned executables" file in the
>>> package? Or do admins have to construct a list themselves?
>>
>>They have to make it themselves if they wish to use the facility. The
>>web page has a suggested list of filenames.
>
> Sounds good. Now, for the next twist to the story.
>
> It turns out that the Melissa code also infects NORMAL.DOT, so that
> the computer starts producing infected documents. When one of those
> documents hits a machine that hasn't been infected yet, that machine
> sends out a barrage of e-mail.... Using the NEW document as the
> attachment! It'll have a different name. So, we also need to filter
> by subject and body.

That's a job that regular procmail is well suited to. If the subject
is fixed (hang on, reading bugtraq...)

Per Aleph1:

  The subject line is "important Message From <some user name>". The
  body consists of the text "Here is that document you asked for...
  don't show anyone else;-)".

That's fairly simple...

  # Header test: the fixed subject line
  :0 H
  * ^Subject:.*important Message From
  {
      # Body tests: both phrases plus a .doc/.dot attachment header
      :0 B
      * Here is that document you asked for
      * don't show anyone else
      * ^Content-.*: .*\.do[ct]
      {
          LOG='REJECT Possible "Melissa" Microsoft Word macro worm: '

          :0
          security-quarantine
      }
  }

--
John Hardin KA7OHZ jhardin@wolfenet.com
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
In the Lion
the Mighty Lion
the Zebra sleeps tonight...
Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
52 days until Star Wars episode I
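
The recipe's tests mirrored in Python, as an added example that is not part of the original post, so they can be tried against sample mail before deployment. It goes one step beyond the recipe by also decoding MIME parts before matching, since procmail's B tests see the body as transmitted; the function names and the sample message are constructed for illustration.

```python
import base64
import re
from email import message_from_string, policy

# Patterns from the recipe; procmail matches case-insensitively by default.
SUBJECT = re.compile(r"^Subject:.*important Message From", re.I | re.M)
PHRASES = [re.compile(p, re.I) for p in
           (r"Here is that document you asked for", r"don't show anyone else")]
ATTACH_HDR = re.compile(r"^Content-.*: .*\.do[ct]", re.I | re.M)

def recipe_match(raw: str) -> bool:
    """Same tests as the recipe: header test, then body tests on the raw body."""
    head, _, body = raw.partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continued header lines
    return bool(SUBJECT.search(head) and ATTACH_HDR.search(body)
                and all(p.search(body) for p in PHRASES))

def decoded_match(raw: str) -> bool:
    """Assumed variant: decode each MIME part before applying the same tests."""
    msg = message_from_string(raw, policy=policy.default)
    parts = list(msg.walk())
    text = "\n".join(p.get_content() for p in parts
                     if p.get_content_maintype() == "text" and not p.get_filename())
    names = [p.get_filename() or "" for p in parts]
    return bool(SUBJECT.search("Subject: " + str(msg.get("Subject", "")))
                and all(p.search(text) for p in PHRASES)
                and any(re.search(r"\.do[ct]", n, re.I) for n in names))

TEXT = "Here is that document you asked for ... don't show anyone else ;-)\n"

def sample(encoding: str) -> str:
    """Constructed test message; encoding is '7bit' or 'base64' for the text part."""
    body = TEXT if encoding == "7bit" else base64.b64encode(TEXT.encode()).decode() + "\n"
    return ("Subject: Important Message From Alice\n"
            "MIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\n"
            "Content-Type: text/plain; charset=us-ascii\n"
            f"Content-Transfer-Encoding: {encoding}\n\n"
            f"{body}"
            "--b1\n"
            'Content-Type: application/msword; name="list.doc"\n'
            'Content-Disposition: attachment; filename="list.doc"\n\n'
            "AAAA\n"
            "--b1--\n")

if __name__ == "__main__":
    for enc in ("7bit", "base64"):
        print(enc, recipe_match(sample(enc)), decoded_match(sample(enc)))
```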