[Mimedefang] How to stop Neroma / 911 virus?

Joseph Brennan brennan at columbia.edu
Thu Sep 4 15:26:11 EDT 2003


Here...

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100601

...they say the attachment name is Nerosys.exe with this remark
in parentheses:   ("911.jpg" label is used)

I was wondering how a jpg could be executed.  As usual they do not
actually show us a sample message.

I don't see any instance of Nerosys.exe (any case) in my system
logs today.  We remove and log all exe files.

Joseph Brennan         Columbia University in the City of New York
Academic Technologies Group                   brennan at columbia.edu






--On Thursday, September 4, 2003 11:54 -0700 Mike Heller <mike at dsny.com> 
wrote:

> Hello, There is a new virus going around, details are here:
>
> http://sarc.com/avcenter/venc/data/w32.neroma@mm.html
>
> *Subject*: It's Near 911!
> *Message*: ice butt baby!
> *Attachment*: 911.jpg
>
> I have tried to set up a couple of filters in "filter":
>
>         if ($fname =~ /911/i) {
>             syslog('warning', "attachment $fname of type $ext discarded W32.Neroma virus.");
>             return action_discard();
>         }
>
>         if ($Subject =~ /911!/i) {
>             syslog('warning', "attachment $fname of type $ext discarded W32.Neroma virus.");
>             return action_discard();
>         }
>
> I tried some other combinations and sent some test messages through and
> they seem to make it fine.  Can anyone help me out and create a filter
> for this virus?
>
> Thanks,
> Mike
>
>
> _______________________________________________
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
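
An added example (not from this thread and not MIMEDefang's own sample filter) of the approach described in the reply above: remove and log executables by extension, checking every filename the MIME part carries, instead of matching the "911" label. The extension list, the choice of action_drop_with_warning, the helper names name_is_executable and part_names, and the names in the self-check are assumptions.

```perl
use strict;
use warnings;

# Extensions treated as executable; this list is an assumption for the example.
my @EXEC_EXTS = qw(exe com scr pif bat cmd vbs);
my $EXEC_RE   = do { my $alt = join '|', @EXEC_EXTS; qr/\.(?:$alt)[.\s]*$/i };

# True if a name ends in an executable extension, allowing for trailing
# dots or spaces and for double extensions such as "911.jpg.exe".
sub name_is_executable {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return $name =~ $EXEC_RE ? 1 : 0;
}

# Every filename a MIME part can carry: the suggested name MIMEDefang passes
# in, plus the raw Content-Disposition and Content-Type parameters.
sub part_names {
    my ($entity, $fname) = @_;
    my $head = $entity->head;
    return grep { defined && length }
        $fname,
        $head->mime_attr('content-disposition.filename'),
        $head->mime_attr('content-type.name');
}

# MIMEDefang calls filter() once per leaf part and supplies syslog and the
# action_* functions. Names are passed as %s arguments, not interpolated,
# so a '%' in an attacker-chosen filename is never treated as a format.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;
    for my $name (part_names($entity, $fname)) {
        next unless name_is_executable($name);
        syslog('warning', 'removed executable attachment %s (type %s)', $name, $type);
        return action_drop_with_warning("An executable attachment ($name) was removed.");
    }
    return action_accept();
}

# Self-check on constructed names when run directly (perl thisfile.pl);
# skipped when MIMEDefang loads the file as its filter.
unless (caller) {
    for my $n ('Nerosys.exe', 'NEROSYS.EXE', '911.jpg', '911.jpg.exe', 'photo.exe. ') {
        printf "%-14s %s\n", $n, name_is_executable($n) ? 'drop' : 'keep';
    }
}

1;
```

Run directly, the self-check reports "drop" for every name except 911.jpg, which is why a rule keyed on the string "911" and a rule keyed on the extension behave differently.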




