Re: Busy day for worms! Filtering
From: Rod Smith (rodsmith_at_rodsbooks.com)
Date: 01/27/04
- Next message: Gregor Ries: "security problem with fat32 on suse 9.0"
- Previous message: Robert Harris: "Re: Parsing ZIP headers"
- In reply to: Jem Berkes: "Busy day for worms! Filtering"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 27 Jan 2004 11:47:46 -0500
Jem Berkes wrote:
> Seems a bunch of stuff appeared today, 2004-01-26
> Mimail.Q
> MiMail.R
> Mydoom
> Novarg
> Shimg
>
> (Some of these probably refer to the same thing).
All of those names (except possibly Shimg, which I've not seen before) do
refer to the same worm. It's designed to launch a DDoS attack against
SCO. By some estimates, this one looks to be potentially as bad as SoBig.
> Anyway, for the
> benefit of those who want to filter them using procmail or whatever,
> here are arbitrary strings from the bodies of the encoded parts.
Useful stuff, I'm sure. FWIW, I'm trying to filter as much as I can before
downloading it from my POP server. For that, header filters are the only
workable solution (I'm using a program called mailfilter to do the job --
http://mailfilter.sourceforge.net). Unfortunately, there's not much to
distinguish this worm from others in the headers, so I'm using some rules
that filter on subjects I've seen it use. Some of these are likely to get
false positives, so I'll probably remove them from the list once the worm
has run its course:
DENY=^Subject: Mail Delivery System$
DENY=^Subject: Test$
DENY=^Subject: Hi$
DENY=^Subject: Hello$
DENY=^Subject: Status$
DENY=^Subject: Server Report$
DENY=^Subject: Error$
DENY=^Subject: $
This worm's also generating a lot of bounces from sites that **STUPIDLY**
send bounce messages for worms to the claimed source, even when those
sources are clearly bogus. Those are harder to filter, and a few even
include the worm itself. *sigh*
--
Rod Smith, rodsmith@rodsbooks.com
http://www.rodsbooks.com
Author of books on Linux, FreeBSD, and networking
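The header-only filtering described in the message above, as an added example that is not part of the original post or of mailfilter itself. It applies the DENY patterns from the post as anchored regular expressions to one header line at a time (an assumption about how mailfilter treats DENY values; the actual program may differ), stops at the first blank line so nothing in the body can trigger a rule, and joins folded continuation lines so a subject split across two lines is still matched. The sample messages are constructed for the example; the mailer addresses are not real. It also shows the edge case of `^Subject: $`: a message whose header is `Subject:` with no trailing space does not match.

```python
import re
from typing import Dict, List, Optional, Tuple

# DENY rules copied from the post above. Assumption for this example: each is an
# anchored regular expression applied to one header line at a time.
DENY_RULES = [
    r"^Subject: Mail Delivery System$",
    r"^Subject: Test$",
    r"^Subject: Hi$",
    r"^Subject: Hello$",
    r"^Subject: Status$",
    r"^Subject: Server Report$",
    r"^Subject: Error$",
    r"^Subject: $",
]

COMPILED = [re.compile(p) for p in DENY_RULES]


def split_headers(raw: str) -> Tuple[List[str], str]:
    """Return (header lines, body).

    Headers end at the first empty line.  Folded continuation lines (leading
    whitespace) are appended to the previous header so a subject folded across
    two physical lines is matched as one logical line.  Whether mailfilter
    itself unfolds headers is an assumption of this example.
    """
    head, _sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines: List[str] = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines, body


def matching_rule(raw: str) -> Optional[str]:
    """Return the first DENY pattern that matches a header line, or None.

    Only the headers are examined, mirroring a pre-download POP header filter:
    text in the body (for example a quoted worm subject inside a bounce) never
    triggers a rule.
    """
    headers, _body = split_headers(raw)
    for line in headers:
        for rule in COMPILED:
            if rule.search(line):
                return rule.pattern
    return None


def triage(messages: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each message name to the rule that would deny it (None = keep)."""
    return {name: matching_rule(raw) for name, raw in messages.items()}


# Constructed sample messages for the example; not real captures.
SAMPLES = {
    "worm_hi": "From: a@example.invalid\nSubject: Hi\n\nattached file\n",
    "legit_hi_there": "From: b@example.invalid\nSubject: Hi there\n\nlunch?\n",
    "folded_subject": "From: c@example.invalid\nSubject: Server\n Report\n\nx\n",
    "empty_subject_space": "From: d@example.invalid\nSubject: \n\nx\n",
    "empty_subject_nospace": "From: e@example.invalid\nSubject:\n\nx\n",
    "bounce_quoting_worm": (
        "From: MAILER-DAEMON@example.invalid\n"
        "Subject: Undelivered Mail Returned to Sender\n\n"
        "Subject: Hi\n"
    ),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:24} -> {'DENY ' + verdict if verdict else 'keep'}")
```

The last sample is the bounce case the post complains about: because the worm subject only appears in the bounce body, a header-only filter keeps it, which is exactly why such bounces are harder to filter before download.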