[vox-tech] Viruses

Rod Roark vox-tech@lists.lugod.org
Wed, 3 Mar 2004 10:23:02 -0800


On Wednesday 03 March 2004 10:06 am, Robert G. Scofield wrote:
> On Wednesday 03 March 2004 09:43, Peter Jay Salzman wrote:
> >
> > ps- is there a new virus?  all of a sudden, starting from last night
> > i've gotten a huge ton of emails that say things like:
> >
> >    Arggghh, I hate plaintext!
> >
> >    Here is your excel file.
> >
> >    I don't bite, weah!
> >
> >    Your file is attached.
> >
> > i normally don't see viruses because i filter based on executable
> > strings in every win32 executable.  but these viruses seem to be
> > carrying .zip and .pif payloads which are getting past my filter.
>
> I just got a message from "lugod@livepenguin.com" with an apparent zip file
> attached.  Here's what it says:
>
> "Looking  forward for  a response :P
>
> password: 17468
> AttachedFile.zip"
>
> Does anyone know what this is all about?

"From" headers in virus emails are almost always forged.
If you think it really came from the list, send me all the
headers from the message (do not include the payload or
your message will most likely be rejected).

I've noticed a whole bunch of unique zip files in these
messages recently.  For anyone interested, here is my
current list of Postfix body checks, which is growing daily:

/^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA/ REJECT Microsoft executable attachments are not allowed here.
/^M35[GHIJK].`..`..*````/                  REJECT Microsoft executable attachments are not allowed here.
/^UEsDBAoAAAAAA.....DKJx\+eAFgAAABYAA/ REJECT Attached zip file is a virus (1).
/^UEsDBAoAAAAAA.....CwFOBrAlgAAAJYAA/  REJECT Attached zip file is a virus (2).
/^UEsDBAoAAAAAA.....BdbrAiAFYAAABWAA/  REJECT Attached zip file is a virus (3).
/^UEsDBAoAAAAAA.....BkjKgF7YcAAO2HAA/  REJECT Attached zip file is a virus (4).
/^UEsDBAoAAAAAA.....D72n6\/7YcAAO2HAA/ REJECT Attached zip file is a virus (5).
/^UEsDBAoAAAAAA.....CqcvrHAVYAAAFWAA/  REJECT Attached zip file is a virus (6).
/^UEsDBAoAAAAAA.....BMC61l7YcAAO2HAA/  REJECT Attached zip file is a virus (7).
/^UEsDBAoAAAAAA.....BKH8ydAD4AAAA\+AA/ REJECT Attached zip file is a virus (8).
/^UEsDBAoAAAAAA.....BiZMYWCWMAAAljAA/  REJECT Attached zip file is a virus (9).
/^UEsDBAoAAQAAA.....B7DBL7KlIAAB5SAA/  REJECT Attached zip file is a virus (10).
/^UEsDBAoAAAAAA.....DcIq\+BCIcAAAiHAA/ REJECT Attached zip file is a virus (11).
/^UEsDBAoAAAAAA.....BXRG0y8ocAAPKHAA/  REJECT Attached zip file is a virus (12).
/^UEsDBAoAAAAAA.....CBoWs\/7YcAAO2HAA/ REJECT Attached zip file is a virus (13).
/^UEsDBAoAAQAAA.....BVpTuMtFAAAKhQAA/  REJECT Attached zip file is a virus (14).
/^UEsDBAoAAAAAA.....B78bObV0IAAFdCAA/  REJECT Attached zip file is a virus (15).
/^UEsDBAoAAAAAA.....AedXfJCIcAAAiHAA/  REJECT Attached zip file is a virus (16).
/^UEsDBAoAAQAAA.....CRGduw\/VQAAPFUAA/ REJECT Attached zip file is a virus (17).
/^UEsDBAoAAAAAA.....DpTnai4UYAAOFGAA/  REJECT Attached zip file is a virus (18).

-- Rod
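Added example, not part of the original message and not the poster's own tooling: the zip rules above begin with the base64 of a zip local file header (`UEsDBAoA` is `PK\x03\x04` plus version 10), so a rule of the same shape can be derived from one sample attachment by wildcarding the five base64 characters that fall over the DOS timestamp. The function names and the sample member built here are constructed for illustration, and Python's `re` stands in for the Postfix matcher.

```python
import base64
import re
import struct
import zlib

ZIP_SIG = b"PK\x03\x04"


def dos_datetime(y, mo, d, h, mi, s):
    """Pack a timestamp into the 16-bit DOS time and date fields zip uses."""
    return (h << 11) | (mi << 5) | (s // 2), ((y - 1980) << 9) | (mo << 5) | d


def stored_zip_member(name, data, when):
    """Constructed sample: one local file header plus stored (uncompressed) data."""
    dos_time, dos_date = dos_datetime(*when)
    header = struct.pack(
        "<4sHHHHHIIIHH",
        ZIP_SIG, 10, 0, 0,                       # version needed, flags, method=stored
        dos_time, dos_date,
        zlib.crc32(data), len(data), len(data),  # CRC-32, compressed and uncompressed size
        len(name), 0,                            # name length, extra-field length
    )
    return header + name + data


def body_check_rule(zip_bytes, label):
    """Return (regex, body_checks line) matching the first base64 line of zip_bytes."""
    if zip_bytes[:4] != ZIP_SIG:
        raise ValueError("not a zip local file header")
    b64 = base64.b64encode(zip_bytes[:27]).decode("ascii")  # 27 bytes -> 36 chars
    # chars 0-12 : signature, version, flags, method (header bytes 0-9)
    # chars 13-17: DOS time and date, which differ per copy, so wildcard them
    # chars 18-33: CRC-32 and the size fields; char 18 also carries 4 bits of the date
    fixed, tail = b64[:13], b64[18:34]

    def esc(s):
        # '+' is a regex operator and '/' is the pattern delimiter in the table
        return s.replace("+", r"\+").replace("/", r"\/")

    regex = "^" + esc(fixed) + "....." + esc(tail)
    return regex, f"/{regex}/ REJECT Attached zip file is a virus ({label})."


def first_mime_line(zip_bytes):
    """First 76-character base64 line as it would appear in a message body."""
    return base64.b64encode(zip_bytes).decode("ascii")[:76]
```

Because character 18 still encodes the low four bits of the date's high byte, a rule built this way stops matching the same payload once its timestamp moves to a year or month range that changes those bits.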