[Mimedefang] Perhaps old now; MyDoom/Novarg [was: New .zip virus?]

Paul Whittney pwhittney at net.bacconsulting.com
Mon Feb 9 13:21:48 EST 2004


To all, esp. those with the Novarg/MyDoom virus going through their systems.

Been in two minds to post this, or to just stay quiet... However, since we're
getting 100 or so mydoom emails per day (I know, not that much, but still
causes our mx IP address to be blocked by some sites), I decided to bring
MIMEDefang into the loop, to filter out the mydoom emails.

I followed last month's thread on the zip files being of "x" bytes size,
and scanning the unzipped file (via perl or just unzip command line), but
managed to come up with a different solution. Thought someone might make
use of it, or even improve on it. I admit, the virus scanners probably do
a better job than this script, but I needed something quickly:

Basically, it checks the base64 strings for the signature outlined at f-secure's
site:
http://www.f-secure.com/v-descs/novarg.shtml

Inside filter:

# Mydoom/Novarg test: scan the base64-encoded body lines of a zip
# attachment for the signature given in the f-secure description above.
if (lc($ext) =~ /zip/) {
	my $count = 0;
	my $lines = $entity->body();	# arrayref of the encoded body lines
	my $found = 0;
	my $line;
	while ( ($count < scalar( @$lines )) && !$found ) {
		$line = $lines->[$count++];
		if ($line =~ m/^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA/) {
			$found = 1;
		}
		if ($line =~ m/^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA/) {
			$found = 1;
		}
	}
	if ($found) {
		md_graphdefang_log('test', "Found NoVarg Virus");
		action_change_header('Subject', '[VIRUS?] ' . $Subject);
		action_delete_all_headers('X-Virus-Status');
		action_add_header('X-Virus-Status', "Yes, name=NoVarg");
		# Replace the attachment with a warning and keep a copy in quarantine
		action_drop_with_warning(
			"Dropped $fname ($type) containing virus NoVarg."
		);
		action_quarantine($entity, "A known virus signature was " .
			"detected, and removed\n");
		return;
	}
}

I admit, checks of whether the zip file is too large/too small could be added,
and I'm not sure if the base64 line is the very first line (making count
obsolete, if it is...).

Hope it helps someone.

-Paul Whittney
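As an added illustration (Python, not from the post and not MIMEDefang's own code), the script below decodes what those two base64 prefixes actually assert about the zip local file header (a stored entry of a fixed size) and performs the same check on decoded header fields instead of on the base64 text. The six wildcarded characters are replaced with 'A' so the rest decodes, and the benign zip is a constructed sample.

```python
import base64
import io
import struct
import zipfile

# Zip local file header: sig, version, flags, method, mtime, mdate, crc32,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
HEADER_B64_CHARS = 40                            # 30 bytes -> 40 base64 chars

# The two prefixes matched by the posted filter, written out as strings.
# Their ".{6}" wildcard covers the DOS mtime/mdate bytes; 'A' (all-zero
# bits) is substituted here so the rest of the header decodes cleanly.
POSTED_SIGNATURES = [
    "UEsDBAoAAAAAA" + "AAAAAA" + "zy5egAlgAAAJYAA",
    "UEsDBAoAAAAAA" + "AAAAAA" + "KJx+eAFgAAABYAA",
]

def parse_local_header(b64_line):
    """Decode the zip local file header at the start of one base64 body line;
    None if the bytes do not begin with the 'PK\\x03\\x04' signature."""
    chunk = b64_line.strip().rstrip("=")[:HEADER_B64_CHARS]
    chunk += "A" * (HEADER_B64_CHARS - len(chunk))   # pad short lines with zero bits
    fields = LOCAL_HEADER.unpack(base64.b64decode(chunk))
    if fields[0] != b"PK\x03\x04":
        return None
    names = ("sig", "version", "flags", "method", "mtime", "mdate",
             "crc32", "csize", "usize", "name_len", "extra_len")
    return dict(zip(names, fields))

def matches_posted_signature(b64_line):
    """Field-level equivalent of the posted regexes: a stored (method 0) entry
    whose compressed/uncompressed sizes equal those in a signature. The CRC
    decodes too, but its low byte overlaps the wildcard, so it is not a key."""
    hdr = parse_local_header(b64_line)
    if hdr is None or hdr["method"] != 0:
        return False
    refs = [parse_local_header(sig) for sig in POSTED_SIGNATURES]
    return any((hdr["csize"], hdr["usize"]) == (r["csize"], r["usize"]) for r in refs)

def first_b64_line(data):
    """Encode attachment bytes as a MIME body would and return its first line."""
    return base64.encodebytes(data).decode("ascii").splitlines()[0]

def benign_stored_zip():
    """Constructed sample: a harmless stored zip that must not match."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"x" * 100)
    return buf.getvalue()
```

Decoding the signatures this way shows the regexes key on the archive's stored-entry sizes, which is why the size checks the post mentions would be largely redundant with them.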
