
RE: [cobalt-users] JS_KAKWORM.A virus [LONG]



On Thursday 08/23/01 at 11:42 David Lucas [david@xxxxxxxxxxxxxxxx] wrote:

> >As it appears a number of people have now become infected with the
> >JS_KAKWORM.A virus I just thought I would add a link to a web site with
> >help.
> >
> >http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html
> >
> >This worm does NOT require anyone to run an attachment.  Just open an
> >email with Outlook Express.  If the Outlook Express program has not
> >been patched, it is then infected.  It then sends out the worm as part
> >of the signature file to any outgoing message.

On Thursday 08/23/01 at 14:37 Scott w [webbcite@xxxxxxxxxxx] then wondered
aloud:

> Anyone have a procmail recipe for this yet that they would like to share?
> I am a rookie procmail user and could use some pointers..

Well, since this worm uses three files to deliver its payload, it's easy to
stop it. The file extensions are:

.hta
.reg
.bat

With that in mind, in your /etc/procmailrc you could do something like the
following. Note that there are *many* other file extensions you can also toss
*AND SHOULD*, but here's a decent list of really bad stuff to get you started.
Add other extensions as required, season to taste, stir and serve.

What this does is mangle the attachment's filename (the \1.txt in the sed
tacks .txt onto it, so kak.hta becomes kak.hta.txt) and toss the message
into the mailbox of your choice.

######################### cut below this line #################################
SHELL=/bin/sh
# Turn this to VERBOSE=OFF only when you are satisfied that stuff is being
# flushed properly.
VERBOSE=ON
# Define whatever you wanna call the log file (the name below is a placeholder).
LOGFILE=/home/logs/procmail.log
LOGABSTRACT=ALL

# Messages carrying an attachment whose filename ends in one of the
# extensions below.  Procmail conditions are case-insensitive by default,
# so the list only needs the lower-case spelling.
:0
* ^Content-type: (multipart/mixed|application/octet-stream)
{
    :0 HB
    * ^Content-Disposition: (attachment|inline);
    * filename=".*\.(vbs|wsf|eml|nws|shs|exe|chm|pif|vbe|hta|scr|com|reg|bat)"
    {
        SHELL=/bin/bash
        # Filter header and body through sed.  \1 is the matched
        # 'name="whatever.ext' part, so each expression tacks .txt onto the
        # name, e.g. name="kak.hta" becomes name="kak.hta.txt".  sed is
        # case-sensitive, hence the [hH][tT][aA] spelling.
        :0 fhbw
        | /bin/sed -e 's/\([nN][aA][mM][eE]=".*\.[vV][bB][sS]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[wW][sS][fF]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[eE][mM][lL]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[nN][wW][sS]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[sS][hH][sS]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[eE][xX][eE]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[cC][hH][mM]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[pP][iI][fF]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[vV][bB][eE]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[hH][tT][aA]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[sS][cC][rR]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[cC][oO][mM]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[rR][eE][gG]\)"/\1.txt"/' \
                   -e 's/\([nN][aA][mM][eE]=".*\.[bB][aA][tT]\)"/\1.txt"/'

        # Deliver the mangled message to the quarantine mailbox (with a
        # local lockfile, hence the trailing colon).
        :0:
        /home/tmp/bacteria
    }
}

# Compact variant of the same recipe: a single sed expression that tacks
# .txt onto whatever three-letter extension the condition above let through.
# Use one version or the other, not both.
:0
* ^Content-type: (multipart/mixed|application/octet-stream)
{
    :0 HB
    * ^Content-Disposition: attachment;
    * filename=".*\.(vbs|wsf|eml|nws|shs|exe|chm|pif|vbe|hta|scr|com|reg|bat)"
    {
        :0 fhbw
        | /bin/sed -e 's/\([nN][aA][mM][eE]=".*\....\)"/\1.txt"/'

        :0:
        /home/tmp/bacteria
    }
}
################################## Cut above this line ##########################
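
If you want to see what the sed part actually does before wiring it into
procmail, here's an added check of my own (not part of the recipe above): it
runs the same sed mangling over a constructed two-attachment message, so you
can confirm that both the Content-Type name= and the Content-Disposition
filename= get .txt tacked on regardless of case, while a harmless .pdf is left
alone. Only four of the recipe's extensions are included to keep it short.

```shell
#!/bin/sh
# Added example: exercises the sed mangling from the procmail recipe above on
# a constructed message.  Only four of the recipe's extensions are included
# here to keep it short; the pattern is identical for the rest.
mangle_attachments() {
    sed -e 's/\([nN][aA][mM][eE]=".*\.[hH][tT][aA]\)"/\1.txt"/' \
        -e 's/\([nN][aA][mM][eE]=".*\.[rR][eE][gG]\)"/\1.txt"/' \
        -e 's/\([nN][aA][mM][eE]=".*\.[bB][aA][tT]\)"/\1.txt"/' \
        -e 's/\([nN][aA][mM][eE]=".*\.[vV][bB][sS]\)"/\1.txt"/'
}

# Constructed two-attachment MIME message (not a real capture): one KAK-style
# .HTA in upper case, one harmless .pdf that must survive untouched.
sample_message() {
    cat <<'EOF'
From: sender@example.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Kak.HTA"
Content-Disposition: attachment; filename="Kak.HTA"

ZmFrZQ==
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

ZmFrZQ==
--b1--
EOF
}

# Lines that still advertise a bare .hta name after mangling (should be 0).
count_raw_hta() {
    sample_message | mangle_attachments | grep -ci 'name="[^"]*\.hta"' || true
}
# Lines whose name now ends in .txt (should be 2: name= and filename=).
count_mangled() {
    sample_message | mangle_attachments | grep -c 'name="[^"]*\.txt"' || true
}
# The .pdf must be left alone (should be 2 untouched lines).
count_pdf_kept() {
    sample_message | mangle_attachments | grep -c 'name="report\.pdf"' || true
}

# Show the mangled attachment headers when run directly.
sample_message | mangle_attachments | grep -i 'name='
```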

HTH!!!
Groetjes,
-Colin
--
Colin J. Raven