[Mimedefang] klez detection
Joseph Brennan
brennan at columbia.edu
Mon Mar 31 14:53:01 EST 2003
> if (join("",@{$entity->body}) =~ /TVqQAAMAAAAEAAAA/) {
> md_log('klez_virus', $fname, $type);
This is pretty accurate:
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW
I think that's the second line.
Yes I do know of a false positive, one case in over a year
of using this with procmail. That one was a Windows executable
said to be not Klez.
Joseph Brennan Columbia University in the City of New York
postmaster at columbia.edu Academic Technologies Group
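What the two strings quoted in this message decode to, and why a Windows executable other than Klez can match them, shown as an added Python example that is not part of the original post. It assumes the usual PE layout with the DOS stub code at file offset 0x40; the function names are hypothetical and the sample header is constructed.

```python
import base64
import struct

# The two strings quoted in the thread above.
SIG_LINE1 = "TVqQAAMAAAAEAAAA"
SIG_LINE2 = "AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW"
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Assumption: the usual linker layout, where this stub code starts at 0x40.
DOS_STUB = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")


def decode_fragment(frag):
    """Decode a base64 fragment of any length, dropping leftover bits."""
    bits = "".join(f"{B64.index(c):06b}" for c in frag)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))


def explain_line2(frag):
    """Report which header fields the second-line pattern pins down."""
    data = decode_fragment(frag)
    at = data.find(DOS_STUB)
    if at < 4:
        return None
    return {
        "starts_at_file_offset": 0x40 - at,  # 54 bytes = 72 base64 characters
        "e_lfanew": struct.unpack_from("<I", data, at - 4)[0],  # field at 0x3C
        "stub_text": data[at + len(DOS_STUB):].decode("ascii"),
    }


def constructed_header(e_lfanew):
    """Constructed sample: a bare MZ header plus DOS stub, with no payload."""
    hdr = bytearray(0x40)
    hdr[:12] = decode_fragment(SIG_LINE1)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr) + DOS_STUB + b"This program cannot be run in DOS mode.\r\r\n$"


def patterns_match(raw, width=72):
    """Base64-encode raw at the given line width and test both patterns."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return SIG_LINE1 in body, SIG_LINE2 in body


if __name__ == "__main__":
    print(decode_fragment(SIG_LINE1).hex(" "))
    print(explain_line2(SIG_LINE2))
    print(patterns_match(constructed_header(0xD8)), patterns_match(constructed_header(0x80)))
```

Both patterns cover only MZ header and DOS stub bytes, so the second one narrows the match to a PE header offset of 0xD8 and 72-character base64 lines rather than to any Klez-specific code.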