Fwd: FW: New Virus

Author: Victor Odhner
Date:
Subject: Fwd: FW: New Virus

Jeremy C. Reed wrote:
> I am thinking about blocking all messages that contain any data with lines
> starting with:
>
> ^TVqQAAMA
> ^UEsDBAoAAA
>
> What do you think?
>
> (I understand this mime64 encoded text means it is a
> Windows executable.)


Jeremy, I think that's pretty cool.

In my Mozilla mail client under Win98, I set up a filter for
message body containing either of those strings, and ran it
on my trash folder, after having deleted your message.
Action is to move the message into a "Probable Virus" folder.

Told the filter to run on the trash folder.

The Probable Virus folder now contains these subject lines:
   Hello   with document.exe attached   TVqQAAMA
   HELLO   with doc.exe    TVqQAAMA
   Test    with data.zip   UEsDBAoAAA
   Returned mail: see transcript for details
       three attachments, including text.zip  UEsDBAoAAA
       which contains text.text.exe
   ERROR   with body.zip   UEsDBAoAAA
   STATUS  with document.zip
   Re: Fwd: FW: New Virus  (Jeremy's posting)
   TEST    with document.zip   UEsDBAoAAA


This one's a keeper! Of course I'll watch that folder
for any good stuff, but based on this sample (I keep my
trash for about a month, and get lots of it) the test is
virtually 100% accurate.

Note that the ZIP files rely on the user to (a) hide their
file extensions or (b) click on a file named text.text.exe.
I guess that's true of all the non-EXE attachments.

Thanks again.

Vic
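
The line-prefix filter discussed in this thread, as an added example that is not part of the original messages: it compares the prefix match on the raw message with a variant that decodes base64 MIME parts and checks the leading bytes, which catches a ZIP whose header encodes differently and leaves alone a plain-text message that merely quotes the strings. The function names and all sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Line prefixes proposed in the thread, as a multiline regex.
PREFIX_RE = re.compile(r"^(TVqQAAMA|UEsDBAoAAA)", re.MULTILINE)
# Leading bytes of the decoded files those base64 prefixes come from.
MAGIC = {b"MZ": "Windows executable", b"PK\x03\x04": "ZIP archive"}

def prefix_hits(raw):
    """The filter as proposed: some line of the raw message starts with a prefix."""
    return bool(PREFIX_RE.search(raw))

def attachment_hits(raw):
    """Variant: decode each base64 MIME part and test its first bytes."""
    found = []
    for part in email.message_from_string(raw, policy=policy.default).walk():
        cte = str(part.get("Content-Transfer-Encoding", "")).lower()
        if part.is_multipart() or cte != "base64":
            continue
        data = part.get_payload(decode=True) or b""
        for magic, label in MAGIC.items():
            if data.startswith(magic):
                found.append((part.get_filename() or "(unnamed)", label))
    return found

def sample(subject, text, filename=None, payload=b""):
    """Build a constructed test message; payloads are header bytes only."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(text)
    if filename:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()

# Constructed samples (not real mail): fake file headers padded with zero bytes.
EXE = sample("Hello", "see attached", "document.exe", b"MZ\x90\x00\x03\x00" + bytes(58))
ZIP10 = sample("Test", "see attached", "data.zip", b"PK\x03\x04\x0a\x00\x00\x00" + bytes(56))
# Same ZIP signature, but "version needed" 0x14: base64 begins UEsDBBQA instead.
ZIP20 = sample("Sample", "see attached", "archive.zip", b"PK\x03\x04\x14\x00\x00\x00" + bytes(56))
# Plain-text discussion that quotes the prefixes at the start of a line.
TALK = sample("Re: New Virus", "Block lines starting with:\nTVqQAAMA\nUEsDBAoAAA\n")

if __name__ == "__main__":
    for name, raw in [("EXE", EXE), ("ZIP10", ZIP10), ("ZIP20", ZIP20), ("TALK", TALK)]:
        print(name, prefix_hits(raw), attachment_hits(raw))
```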