Contributed by Dengue on from the jeez,-again? dept.
There is a new windows worm on the loose, similar to the "Love Bug". It does not appear to be spreading as rapidly, but it's payload is more damaging. It writes instructions to the Autoexec.bat file to delete critical system directories upon reboot. An unintended side-effect of this worm is the way it facilitates upgrading to OpenBSD by trashing Windows. :)
It will arrive with the subject: "FRIEND MESSAGE"
The body of the message will read:
"A real friend send this message to you"The file attachment is called "FRIEND_MESSAGE.TXT.vbs".
Sendmail administrators can add the following to their .mc file:
HSubject: $>Check_Subject D{MPat}FRIEND MESSAGE D{MMsg}Denied, you're infected with FRIENDMESS.A buddy SCheck_Subject R${MPat} $*[TAB]$#error $: 501 ${MMsg} RRe: ${MPat} $*[TAB]$#error $: 501 ${MMsg} RFW: ${MPat} $* [TAB]$#error $: 501 ${MMsg}Of course, you will need to replace [TAB] with actual tabs or sendmail will complain. And of course, this is a trivial hack, mutations which change the subject line will evade this filter, and the more filter rules you add, the more load you add to your mail server. Admins of heavily loaded servers will want to explore alternate means of denying this traffic.
If anyone has an alternate method of denying these infected messages (using Sendmail), such as attachement content scanning, I'd love to read it.
(Comments are closed)
By Boris () boris@he.net on he.net
By John Kelly () john@nospam.frontend.ie on mailto:john@nospam.frontend.ie
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html