Mailing List Archive

Latest Microsoft Critical Patch (newbie)
Hi,

I've received thousands of emails with the "Latest Microsoft Critical
Patch" (various variants). Any rules out there catching these?

--

Thomas
Re: Latest Microsoft Critical Patch (newbie)
I don't know of one but someone else might have one.
If not we'd need a few examples to craft some tests.

Loren

> I've received thousands of emails with the "Latest Microsoft Critical
> Patch" (various variants). Any rules out there catching these?
Re: Latest Microsoft Critical Patch (newbie)

Op donderdag 4 maart 2004 10:21, schreef Thomas Muller:
> I've received thousands of emails with the "Latest Microsoft Critical
> Patch" (various variants). Any rules out there catching these?

I suggest not using SpamAssassin for catching virii. Use a virus scanner like
ClamAV. It catches those mails.

- --
Met vriendelijke groet,
Tim Stoop
Complete Internet Development
http://www.cidev.nl

Random quote/fortune:
The church saves sinners, but science seeks to stop their manufacture. --
Elbert Hubbard
Re: Latest Microsoft Critical Patch (newbie)
Or our very own list member John Hardin's ESD sanitizer. We've been using
it here since the very beginning, and it has done a great job of taking
care of keeping viruses off our machines. You can check it out at
<http://www.impsec.org/email-tools/procmail-security.html>. Latest version
is 1.141, and it looks inside of .zip files to take care of the latest
nasties from the b*stards. Latest word this morning, the virus writers are
on a rampage, including insults to each other embedded in the code of the
Netsky, Bagle, and MyDoom... Almost kinda funny, now the virus writers are
going after each other's throats.

Mark


At 05:12 AM 3/4/2004, Tim Stoop wrote:
>
>Op donderdag 4 maart 2004 10:21, schreef Thomas Muller:
> > I've received thousands of emails with the "Latest Microsoft Critical
> > Patch" (various variants). Any rules out there catching these?
>
>I suggest not using SpamAssassin for catching virii. Use a virus scanner like
>ClamAV. It catches those mails.
>
>- --
>Met vriendelijke groet,
>Tim Stoop
>Complete Internet Development
>http://www.cidev.nl
>
>Random quote/fortune:
>The church saves sinners, but science seeks to stop their manufacture. --
>Elbert Hubbard
Re: Latest Microsoft Critical Patch (newbie)
On Thursday 04 March 2004 02:12 am, Tim Stoop wrote:
> Op donderdag 4 maart 2004 10:21, schreef Thomas Muller:
> > I've received thousands of emails with the "Latest Microsoft Critical
> > Patch" (various variants). Any rules out there catching these?
>
> I suggest not using SpamAssassin for catching virii. Use a virus scanner
> like ClamAV. It catches those mails.


Yes, here is a maildrop script for it. I have caught tons of these. By the way,
Clam is lighter on resources than SpamAssassin, so it really is a benefit to
use it for what it was made for.

# If it isn't spam, then we scan for viruses,
# but only if the message is smaller than 2MB in size...
# anything larger... they are on their own.
# scanmail.sh is expected to add an X-Virus-Status: or X-Amavis-Alert:
# header; $VIRUS must already be set to the quarantine mailbox.
if ($SIZE < 2000000)
{
    xfilter "scanmail.sh"
}
if (/^X-Virus-Status:.*INFECTED/)
{
    to "$VIRUS"
}
if (/^X-Amavis-Alert:.*INFECTED/)
{
    to "$VIRUS"
}

That should get you started. If you need scanmail.sh, let me know; it's currently
under heavy work but is working perfectly now at any rate.

Also, here are some other rules for maildrop to make it easier to catch
attachments in general.


# dump all kinds of M$ stuff (99.99% viruses)
# first test: the top-level Content-Type header says multipart;
# second test (:b = search the body): a MIME part carries a name=
# with one of these extensions. The pattern must stay on one line.
if (/^Content-Type:.*multipart/ && \
    /^Content-Type:.*(audio\/x-|application).*name=.*\.(ad[ep]|asd|ba[st]|chm|cmd|cpl|crt|dll|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[betw]|ms[cipt]|nws|ocx|ops|pcd|p[ir]f|reg|sc[frt]|sh[bsm]|swf|url|vb[esx]?|vxd|ws[cfh])/:b)
{
    log '====> Message contained typical M$ attachment.'
    to "$VIRUS"
}

--
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, bah@webmedic.net, bah@linux-mandrake.com
Holiness unto the Lord
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Re: [spa] Latest Microsoft Critical Patch (newbie)
On Thu, 4 Mar 2004, Thomas Muller wrote:
> I've received thousands of emails with the "Latest Microsoft Critical
> Patch" (various variants). Any rules out there catching these?

I snag them in procmail, but it would be easy enough to adapt it to SA.
Note where tests are split-up, procmail style, with escaped newline:

:0 HB
* From:.*microsoft.com
* Subject:.*(LiveUpdate Information|Use this patch immediately !|\
Windows XP Service Pack 1 \(Express\) - Critical Update)
/dev/null

In SA the above would be two separate tests and a META rule...

# 'W32.Swen.A'
:0 HB
* ^Content-Type:.*(.*$)?.*name=\"?(patch|upgrade|update|installer|\
install|installation|pack|q)[0-9]*\.(exe|zip)
/dev/null

The above test has a chance for some false positives, but given how
prevalent 'swen' was, I thought it worth it....

- Charles
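Brook's maildrop extension test and Charles's two 'W32.Swen.A' procmail recipes, re-expressed over parsed MIME messages with Python's email module, as an added example that is not code from any post in this thread; the function names, rule labels and the two sample messages are my own constructions.

```python
"""Added example (not code from the thread): the procmail/maildrop header and
attachment-name tests above, re-expressed over parsed MIME messages with
Python's email module. The sample messages below are constructed."""
import re
from email import message_from_string
from email.message import Message
# Extension list from Brook's maildrop "typical M$ attachment" rule.
RISKY_EXT = re.compile(
    r"\.(ad[ep]|asd|ba[st]|chm|cmd|cpl|crt|dll|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
    r"md[betw]|ms[cipt]|nws|ocx|ops|pcd|p[ir]f|reg|sc[frt]|sh[bsm]|swf|url|vb[esx]?|"
    r"vxd|ws[cfh])$", re.I)
# Attachment names and headers from Charles's 'W32.Swen.A' procmail recipes
# (procmail matches case-insensitively by default, hence re.I).
SWEN_NAME = re.compile(
    r"^(patch|upgrade|update|installer|install|installation|pack|q)[0-9]*\.(exe|zip)$", re.I)
SWEN_SUBJECT = re.compile(
    r"LiveUpdate Information|Use this patch immediately !|"
    r"Windows XP Service Pack 1 \(Express\) - Critical Update", re.I)

def attachment_names(msg: Message) -> list:
    """Filenames of all leaf MIME parts (Content-Disposition or Content-Type name)."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]

def fired_rules(raw: str) -> list:
    """Names of the thread's rules that match the raw message, in the thread's order."""
    msg = message_from_string(raw)
    names = attachment_names(msg)
    hits = []
    if "microsoft.com" in msg.get("From", "") and SWEN_SUBJECT.search(msg.get("Subject", "")):
        hits.append("swen-headers")       # Charles's first recipe (From + Subject)
    if any(SWEN_NAME.match(n) for n in names):
        hits.append("swen-attachment")    # Charles's second recipe (attachment name)
    if msg.is_multipart() and any(RISKY_EXT.search(n) for n in names):
        hits.append("ms-attachment")      # Brook's rule: multipart + risky extension
    return hits

SWEN_SAMPLE = (  # constructed, modelled on the subjects and names quoted in the thread
    "From: MS Security <security@microsoft.com>\n"
    "Subject: Use this patch immediately !\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
    "--b1\nContent-Type: text/plain\n\nInstall the attached patch.\n"
    "--b1\nContent-Type: application/octet-stream; name=\"Patch12.exe\"\n"
    "Content-Disposition: attachment; filename=\"Patch12.exe\"\n\nMZ...\n--b1--\n")
CLEAN_SAMPLE = (  # constructed: an ordinary report with a PDF attached
    "From: alice@example.org\nSubject: March report\nMIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=\"b2\"\n\n"
    "--b2\nContent-Type: text/plain\n\nSee attached.\n"
    "--b2\nContent-Type: application/pdf; name=\"report.pdf\"\n\n%PDF\n--b2--\n")
```

Working on parsed parts rather than raw `Content-Type:` lines sidesteps the line-wrapping problem that breaks the maildrop pattern above, and makes the false-positive risk Charles mentions easy to measure against a real mailbox.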