OpenBSD Journal


Contributed by Dengue on from the jeez,-again? dept.

Here we go again...

There is a new windows worm on the loose, similar to the "Love Bug". It does not appear to be spreading as rapidly, but it's payload is more damaging. It writes instructions to the Autoexec.bat file to delete critical system directories upon reboot. An unintended side-effect of this worm is the way it facilitates upgrading to OpenBSD by trashing Windows. :)

It will arrive with the subject: "FRIEND MESSAGE"
The body of the message will read:

"A real friend send this message to you"
The file attachment is called "FRIEND_MESSAGE.TXT.vbs".

Sendmail administrators can add the following to their .mc file:

HSubject:       $>Check_Subject
D{MMsg}Denied, you're infected with FRIENDMESS.A buddy

R${MPat} $*[TAB]$#error $: 501 ${MMsg}
RRe: ${MPat} $*[TAB]$#error $: 501 ${MMsg}
RFW: ${MPat} $*	[TAB]$#error $: 501 ${MMsg}
Of course, you will need to replace [TAB] with actual tabs or sendmail will complain. And of course, this is a trivial hack, mutations which change the subject line will evade this filter, and the more filter rules you add, the more load you add to your mail server. Admins of heavily loaded servers will want to explore alternate means of denying this traffic.

If anyone has an alternate method of denying these infected messages (using Sendmail), such as attachement content scanning, I'd love to read it.

(Comments are closed)

  1. By Boris () on

    Yep, blowfishes eat worms raw.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]