LinuxSA Mailing list archives
From: Jim Bickford <jim.bickford@flinders.edu.au>
To: gaelyne@videocam.net.au
Date: Tue, 30 Mar 1999 14:43:19 +0930
Subject: Re: Antivirus
gaelyne@videocam.net.au wrote:
>
> I believe what was asked regarding the Melissa virus is if there's any
> way we, as Linux administrators can detect Emails containing either the
> virus (or some key phrase/item) in an effort to provide some
> measure of protection (or at the very least warning) for our clients.
>
> I have a feeling that in this sense, procmail could probably detect any
> key phrases used in such an Email, but it depends on how the message
> comes in. If it's all in base64 encoding, it wouldn't be possible.
> If the key phrases are in plain-text, it may be possible.
>
>
Procmail filtering might be a better way to go...
AFAIK these are the relevant strings... (underlined)
Subject: Important Message From <name>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Where <name> is the full name of the user sending the message.
The body of the message is a multipart MIME message containing two
sections. The first section of the message (Content-Type: text/plain)
contains the following text.
Here is that document you asked for ... don't show anyone else ;-)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The next section (Content-Type: application/msword) was initially
reported to be a document called "list.doc". This document contains
~~~~~~~~~
references to pornographic web sites. As this macro virus spreads we
are likely to see documents with other names. In fact, under certain
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
conditions the virus may generate attachments with documents created
by the victim.
For more info...
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
Cheers
JimB.
--
---------------------------------------------------------------------
Jim.Bickford@flinders.edu.au Biological Sci Flinders University
61 8 8201 3179(v) 61 8 8201 3015(f) South Australia 5042
---------------------------------------------------------------------
--
Check out the LinuxSA web pages at http://www.linuxsa.org.au/
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
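The thread above raises two points that a plain string match misses: the text part may arrive base64-encoded, and the attachment name is expected to change. The following is an added example, not part of the original post, and it uses Python's standard `email` package rather than a procmail recipe so that each MIME part is decoded before matching. The function names, addresses and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Strings taken from the message above, lower-cased for matching.
SUBJECT_MARK = "important message from"
BODY_MARK = "here is that document you asked for"

def melissa_indicators(raw_bytes):
    """Return the set of indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    if SUBJECT_MARK in str(msg.get("Subject", "")).lower():
        hits.add("subject")
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            try:
                # get_content() undoes base64 / quoted-printable first.
                text = part.get_content()
            except (LookupError, UnicodeError):
                # Unknown or broken charset: fall back to a lossless decode.
                text = (part.get_payload(decode=True) or b"").decode("latin-1")
            if BODY_MARK in text.lower():
                hits.add("body")
        elif ctype == "application/msword":
            # Match on type only; the attachment name is expected to vary.
            hits.add("msword")
    return hits

def sample(subject, body, cte, attach=True):
    """Build a constructed test message (no real document is attached)."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "rcpt@example.org"
    m["Subject"] = subject
    m.set_content(body, cte=cte)
    if attach:
        m.add_attachment(b"placeholder, not a Word file",
                         maintype="application", subtype="msword",
                         filename="list.doc")
    return m.as_bytes()

BODY = "Here is that document you asked for ... don't show anyone else ;-)"

if __name__ == "__main__":
    for cte in ("7bit", "base64"):
        raw = sample("Important Message From Jane Doe", BODY, cte)
        print(cte, BODY_MARK.encode() in raw.lower(), sorted(melissa_indicators(raw)))
```

Run directly, it shows that a raw byte search finds the body phrase only in the 7bit sample, while the decoded check reports the same indicators for both encodings.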