Re: Procmail recipe for new Vote virus

[Chuck Mead <csm MoonGroup com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 1 Oct 2001, Rodolfo J. Paiz posted the following:
RJP>At 10/1/2001 03:51 PM -0400, you wrote:
RJP>>KM>> ># Block the Nimba (W32 Nimda A mm) worm.
RJP>>KM>> >:0 B
RJP>>KM>> >*
RJP>>KM>> >^Content-Type:.*(audio\/x-wav|attachment|inline|multipart\/related|al 
RJP>>ternative);
RJP>>KM>> >*name="(README|readme).(exe|exe)"
RJP>>KM>> >$ABYSS
RJP>>KM>>
RJP>>KM>> where previously defined ABYSS=/dev/null. Note that this should be five
RJP>>KM>> lines only; the third line may wrap in email but should be corrected.
RJP>>KM>>
RJP>>KM>> The question? Can I simply change (README|readme) to (WTC|wtc) to 
RJP>>stop the
RJP>>KM>> Vote virus? Should I also change the Content-Type? If so, to what?
RJP>>
RJP>>Keeripes... all this name dropping and familiarity... it... it's so
RJP>>touching... sniff... :-)
RJP>
RJP>Err... Chuck, since you're around, about the original question there... 
RJP>will changing the filename alone stop the Vote virus, or must I change 
RJP>Content-Type as well? If so, to what?
RJP>
RJP>Anyone...?
RJP>Anyone...?
RJP>Bueller...?

This is untested:

*name=".*(exe|exe)"

Kill 'em all... let $deity sort 'em out!

- -- 
csm
Free Dmitry!
Boycott Adobe!
Repeal the DMCA!
Stop the SSSCA!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAju5AxEACgkQv6Gjsf2pQ0oCvwCeK1HFvIosUFCR77JLqJTpoFLc
82oAn2icnqRWBYy2v9Z4bbcop6os+DY3
=o+0N
-----END PGP SIGNATURE-----