Jeremy C. Reed wrote:
> I am thinking about blocking all messages that contain any data with lines
> starting with:
>
> ^TVqQAAMA
> ^UEsDBAoAAA
>
> What do you think?
>
> (I understand this mime64 encoded text means it is a
> Windows executable.)

Jeremy, I think that's pretty cool.

In my Mozilla mail client under Win98, I set up a filter for
message body containing either of those strings, and ran it
on my trash folder, after having deleted your message.
Action is to move the message into a "Probable Virus" folder.
Told the filter to run on the trash folder.

The Probable Virus folder now contains these subject lines:

    Hello with document.exe attached TVqQAAMA
    HELLO with doc.exe TVqQAAMA
    Test with data.zip UEsDBAoAAA
    Returned mail: see transcript for details
    three attachments, including text.zip UEsDBAoAAA
    which contains text.text.exe
    ERROR with body.zip UEsDBAoAAA
    STATUS with document.zip
    Re: Fwd: FW: New Virus (Jeremy's posting)
    TEST with document.zip UEsDBAoAAA

This one's a keeper! Of course I'll watch that folder
for any good stuff, but based on this sample (I keep my
trash for about a month, and get lots of it) the test is
virtually 100% accurate.

Note that the ZIP files rely on the user to (a) hide their
file extensions or (b) click on a file named text.text.exe.
I guess that's true of all the non-EXE attachments.

Thanks again.

Vic
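
The check discussed in this thread, as an added example that is not part of either poster's message: the two strings are the base64 encoding of the first bytes of a DOS/PE header (`MZ`) and of a ZIP local file header (`PK\x03\x04`), so the same test can be run on the decoded attachment instead of on raw body lines. The function names, sample header bytes and message layout are constructed for illustration.

```python
import base64
from email import message_from_string

PREFIXES = ("TVqQAAMA", "UEsDBAoAAA")          # line prefixes quoted in the thread
MAGICS = {b"MZ": "exe", b"PK\x03\x04": "zip"}  # file signatures they encode

# Constructed sample payloads: header bytes only, zero padded, not real files.
EXE_HDR = bytes.fromhex("4d5a90000300000004000000ffff0000")
ZIP_V10 = b"PK\x03\x04\x0a\x00" + bytes(24)  # "version needed" field = 10
ZIP_V20 = b"PK\x03\x04\x14\x00" + bytes(24)  # "version needed" field = 20


def prefix_hits(raw):
    """Thread's test: raw message lines that start with a listed prefix."""
    return [p for line in raw.splitlines() for p in PREFIXES if line.startswith(p)]


def magic_hits(raw):
    """Decode every MIME leaf part and compare its first bytes to MAGICS."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        hits += [(part.get_filename(), kind)
                 for magic, kind in MAGICS.items() if data.startswith(magic)]
    return hits


def build_message(filename, payload):
    """Constructed sample: a text part plus one base64-encoded attachment."""
    b64 = base64.encodebytes(payload).decode()
    return (
        "Subject: TEST\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b"\n\n'
        "--b\nContent-Type: text/plain\n\nsee attachment\n"
        "--b\nContent-Type: application/octet-stream\n"
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n\n'
        f"{b64}--b--\n"
    )


if __name__ == "__main__":
    for name, body in (("document.exe", EXE_HDR), ("data.zip", ZIP_V10),
                       ("body.zip", ZIP_V20)):
        msg = build_message(name, body)
        print(name, prefix_hits(msg), magic_hits(msg))
```

On these constructed samples both tests agree for `document.exe` and `data.zip`; `body.zip`, whose header carries version 20 after the signature, is reported only by the decoded test, because the ten-character ZIP prefix also encodes the bytes that follow `PK\x03\x04`.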