[Mimedefang] klez detection

Michael Sims michaels at mail3.crye-leike.com
Mon Mar 31 14:56:01 EST 2003


I saw this method in the archives, and it is definitely not reliable.  There
are many legitimate attachments that will have that same sequence of
characters that are not infected.

My current filter is pretty ugly, but it seems effective.  This is what I do
inside the filter() sub:

1. Check to see if the message contains an attachment of *.pif or *.scr.  If
so, log it and discard it.  I can't think of a legitimate reason to send
those types of attachments in email, and they are VERY prevalent in virus
infected emails.  By discarding those right off the bat I save my filter
from having to do a lot of pointless work.  I can't foresee a situation where
one of my end users calls me and says "help, I can't send this great *.pif
file to my friend Bob in Accounting..."

2. If the message contains an attachment of type *.exe, *.bat, or *.com, I
then scan the Subject line against a list of known Klez-variant subject
lines.  If the subject matches one of the patterns, I log it and discard it.
This is really ugly, I know, but it seems to be effective.  I'm sure the
subject scan is an expensive operation, but it only occurs if the message
contains one of the aforementioned attachment types, and not on all
messages.

I'm certain there is a better approach, but if you're interested in my
filter I can send it to you off-list...

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________

-----Original Message-----
From: mimedefang-admin at lists.roaringpenguin.com
[mailto:mimedefang-admin at lists.roaringpenguin.com] On Behalf Of -ray
Sent: Monday, March 31, 2003 12:52 PM
To: mimedefang at lists.roaringpenguin.com
Subject: [Mimedefang] klez detection



Hello all,
I am using the following snippet in filter to detect and discard klez
virii:

    # TVqQAAMAAAAEAAAA is the base64 encoding of the first 12 bytes of a
    # DOS/PE "MZ" header, so it appears in any base64-encoded Win32 executable
    if (join("", @{$entity->body}) =~ /TVqQAAMAAAAEAAAA/) {
        md_log('klez_virus', $fname, $type);
        action_quarantine_entire_message('Caught a Klez virus');
        return action_discard();
    }

This is until we decide on a real virus scanner.  However, I believe a few
attachments may have come through that contained the string
TVqQAAMAAAAEAAAA but were not actually Klez infected.  Has anyone seen
this before or used this technique to detect Klez?  Is there a better way
to detect Klez attachments?  Thanks for any info...

-ray
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean  				       	 http://www.r-a-y.org
Systems Engineer                    Southeastern Louisiana University
IBM Certified Specialist  	      AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
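Two points in this thread are worth seeing in code: why Ray's base64 signature matches attachments that are not Klez, and what Michael's two extension-based rules look like as plain Perl. The block below is an added example written for this page, not code posted by either author and not part of MIMEDefang itself. It uses only core Perl modules so it runs stand-alone; in a real filter() the functions would be fed $fname, the decoded entity body and the Subject header. The subject patterns are constructed placeholders (Michael did not post his list), and the function names are this example's own.

```perl
#!/usr/bin/perl
# Added example for the klez-detection thread, not code from the list.
# Shows (1) what the signature TVqQAAMAAAAEAAAA actually is and (2) a plain
# implementation of the two attachment rules described by Michael Sims.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# (1) Decode the string Ray greps for. It is the beginning of the DOS "MZ"
# header that every Win32 executable starts with, nothing Klez-specific.
my $sig     = 'TVqQAAMAAAAEAAAA';
my $decoded = decode_base64($sig);
printf "%s decodes to: %s\n", $sig,
    join(' ', map { sprintf '%02x', ord } split //, $decoded);
# 4d 5a 90 00 03 00 00 00 04 00 00 00 == "MZ" plus the standard stub fields

# Constructed sample: a harmless executable image with the same stub header.
# Base64 works on 3-byte groups, so the first 12 bytes encode to exactly the
# same 16 characters and the regex cannot tell it apart from Klez.
my $benign_exe = "MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" . ("\x00" x 52);
my $b64        = encode_base64($benign_exe, '');
print "benign executable matches the signature regex: ",
    ($b64 =~ /TVqQAAMAAAAEAAAA/ ? "yes" : "no"), "\n";

# (2) Michael's rule 1: *.pif and *.scr attachments are discarded outright.
sub is_banned_extension {
    my ($fname) = @_;
    return defined $fname && $fname =~ /\.(?:pif|scr)\z/i;
}

# Michael's rule 2: only for *.exe, *.bat and *.com is the Subject compared
# against known Klez-variant subject lines, so the regex loop runs rarely.
sub is_executable_extension {
    my ($fname) = @_;
    return defined $fname && $fname =~ /\.(?:exe|bat|com)\z/i;
}

# Placeholder patterns constructed for this example; substitute a real list.
my @klez_subject_patterns = (
    qr/^\s*(?:re:\s*)?a\s+very\s+funny\s+website\s*$/i,
    qr/^\s*(?:re:\s*)?w32\.klez\.e\s+removal\s+tools?\s*$/i,
);

sub matches_klez_subject {
    my ($subject) = @_;
    return 0 unless defined $subject;
    for my $re (@klez_subject_patterns) {
        return 1 if $subject =~ $re;
    }
    return 0;
}

# Verdict for one attachment: ('discard' | 'pass', reason). In filter() the
# 'discard' branch would be md_log(...) followed by return action_discard().
sub classify_attachment {
    my ($fname, $subject) = @_;
    return ('discard', 'banned extension') if is_banned_extension($fname);
    return ('discard', 'executable with Klez subject')
        if is_executable_extension($fname) && matches_klez_subject($subject);
    return ('pass', 'no rule matched');
}

# Constructed test cases covering each branch.
for my $case (
    [ 'setup.pif',  'hi there' ],
    [ 'report.exe', 'A very funny website' ],
    [ 'report.exe', 'Q1 numbers attached' ],
    [ 'notes.txt',  'A very funny website' ],
) {
    my ($verdict, $why) = classify_attachment(@$case);
    printf "%-11s subject=%-24s -> %-7s (%s)\n",
        $case->[0], "'$case->[1]'", $verdict, $why;
}
```

Run it with `perl` and the first two lines show the core of Ray's problem: the signature is the MZ header, so the benign sample matches. The remaining output shows Michael's ordering, with the cheap extension test deciding most cases before any subject regex is evaluated.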
