[pmmail-list] Complex filter for virus update

Kris Sorem Sr pmmail-list@blueprintsoftwareworks.com
Tue, 31 Jul 2001 01:00:21 -0700 (PDT)


On Sun, 29 Jul 2001 17:46:09 -0700, Dave in Phoenix AZ wrote:

>Well... after many more virus messages the script suggested by Kris didn't
>catch them all.  After reading all the help files on script writing I made a
>new one which has not successfully moved and replied to about 15 newest
>virus messages without any false sends.  The script I am now using is:

The filter I suggested matches the profile of the SirCam worm as
provided by McAfee, which has also provided a disinfection tool. Specific
profile:
1. _Every_ message will have the first line as "Hi! How are you?"
(without the quotes) in English or Spanish.
2. _Every_ message will have the last line as "See you later. Thanks"
(without the quotes) in English or Spanish.
3. The message could have any or none of these lines in between
(again without the quotes) in English or Spanish:
     "I send you this file in order to have your advice"
     or "I hope you can help me with this file that I send"
     or "I hope you like the file that I send to you"
     or "This is the file with the information that you ask for".
4. The subject of the message is randomly chosen from pilfered files, as
is the attachment name.
5. The attachment will have a double extension, the last extension
being any of these: .BAT, .COM, .EXE, .LNK, .PIF
6. The worm's footprint is 134k. _Every_ message will exceed this size
since pilfered files are prepended.

My suggested filter first checks for the existence of an attachment.
There is no point in filtering the body of the message if there is no
attachment. I could have checked for message size and the existence of
the double extension. I tried to keep the filter as simple as possible.
My filter then checks for the existence of the two known static lines.
It is _unlikely_ that a message passed over by my suggested filter _is_
a SirCam message. I suggest you check a missed message's size and/or
the existence of an attachment with a double extension.

>
>b="in order to have your Xdvice" & a="YES"

Your updated filter does far worse than my suggested filter. It first
checks for the existence of one of the randomly generated lines which
may or may not be present. The body of every message will be checked
whether it has an attachment or not. This wastes processor and
filtering time. Only if the line is present does your filter check for
an attachment. This filter will catch far fewer messages that /may be/
infected with the SirCam worm.

>
>I didn't include the Spanish version since they probably can't read my
>English reply anyway.  Only about 5% of the messages coming are in Spanish.
>Since my websites that the virus gets the addresses from in the cache are
>all in English, however... maybe they would have to also read English!

Does that make the Spanish version any less harmful?

--
JMO, 
/s/~Kris
-------------------------------+------------------------------------------
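The filter ordering Kris argues for above (attachment first, body lines only if one exists), written out as an added Python check over a raw RFC 822 message; this is example code, not PMMail's filter syntax or anything from the original posts. Only the English phrases are quoted in the thread, so those are the ones matched; the sample message, addresses and attachment name are constructed.

```python
import email
import os
from email import policy
from email.message import EmailMessage

FIRST_LINE = "Hi! How are you?"        # static opening line from the post
LAST_LINE = "See you later. Thanks"    # static closing line from the post
WORM_EXTS = {".bat", ".com", ".exe", ".lnk", ".pif"}
MIN_SIZE = 134 * 1024                  # worm footprint; every message exceeds it
# The Spanish variants are not quoted in the thread; add them above if known.

def has_double_extension(name: str) -> bool:
    """'report.doc.pif' -> True; 'setup.exe' (single extension) -> False."""
    stem, last = os.path.splitext(name)
    return last.lower() in WORM_EXTS and os.path.splitext(stem)[1] != ""

def matches_sircam_profile(raw: bytes) -> dict:
    """Same ordering as Kris's filter: attachment first, body only if one exists."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"attachment": False, "static_lines": False, "double_ext": False,
              "size": len(raw) > MIN_SIZE, "verdict": False}
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    if not names:
        return result                   # no attachment: skip the body scan entirely
    result["attachment"] = True
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    result["static_lines"] = bool(lines) and lines[0] == FIRST_LINE and lines[-1] == LAST_LINE
    result["double_ext"] = any(has_double_extension(n) for n in names)
    # Verdict follows the post: attachment plus both static lines. Size and the
    # double extension are the extra checks suggested for messages that slip through.
    result["verdict"] = result["attachment"] and result["static_lines"]
    return result

def build_sample(with_attachment: bool) -> bytes:
    """Constructed message in the worm's shape (hypothetical addresses, not a capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "you@example.com", "Quarterly report"
    m.set_content("Hi! How are you?\n\nI send you this file in order to have your advice\n\n"
                  "See you later. Thanks\n")
    if with_attachment:
        m.add_attachment(b"MZ" + b"\0" * 16, maintype="application",
                         subtype="octet-stream", filename="report.doc.pif")
    return m.as_bytes()

if __name__ == "__main__":
    print(matches_sircam_profile(build_sample(True)))
```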



- pmmail-list - The PMMail Discussion List ---------------------------
To UNSUBSCRIBE, send a message to mdaemon@bmtmicro.com with the first 
line of the message body being...
UNSUBSCRIBE pmmail-list@blueprintsoftwareworks.com