I wrote a script to help me remove viruses from my test corpus. I think this script might be useful for anyone planning on submitting mass-check results, especially if you don't want to install a complete virus-scanner (or figure out how to use one on already foldered email).
This script can only find the Klez and BadTrans viruses (trojans or worms, actually), but those seem to be the most frequent. It will also warn you about base64 attachments that are DOS/Windows executables. To use, just do a:

    $ find folder -type f | xargs email-virus

It assumes each message is a separate file and please check the matches to be sure. :-)
#!/usr/bin/perl -w
#
# dumb virus detection for cleaning out mail folders
#
# Copyright (C) 2002 Daniel Quinlan
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of either the Artistic License or the GNU General
# Public License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# based on:
#   http://www.spconnect.com/pipermail/esd-l/2002q2/003584.html
#   http://www.spconnect.com/pipermail/esd-l/2002q2/003591.html
#   http://www.impsec.org/email-tools/local-rules.procmail

foreach $file (@ARGV) {
    $header = 1;    # still inside the message header
    $lines = 0;
    $exe = 0;       # saw a base64-encoded DOS/Windows executable header
    $base64 = 0;    # saw a base64 Content-Transfer-Encoding
    undef @klez;
    undef @bad;
    open(FILE, $file) || die "$file: $!";
    while (<FILE>) {
        $lines++;
        $header = 0 if /^$/;    # first blank line ends the header

        # general rules
        $exe = 1 if /^TVqQAAMAAAAEAAAA/;    # base64 of an "MZ" executable header
        $base64 = 1 if m@^Content-Transfer-Encoding: base64@i;

        # Klez signatures
        $klez[0]=1 if (m@Content-Type:.*multipart/alternative@ && $header);
        $klez[1]=1 if /AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFt/;
        $klez[2]=1 if m@<i?frame +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>@i;
        $klez[3]=1 if m@^Content-Type:.*audio/@i;
        $klez[4]=1 if m@^Content-ID:.*<@i;
        # 5 to 7 below

        # BadTrans signatures
        $bad[0]=1 if (m@boundary="====_ABC1234567890DEF_===="@i && $header);
        $bad[1]=1 if m@^Content-Type:.*audio/x-wav;@i;
        $bad[2]=1 if m@^Content-ID:.*<EA4DMGBP9p>@i;
        # 3 to 5 below
    }
    close(FILE);

    # more Klez
    $klez[5]=2 if $exe;
    $klez[6]=1 if $base64;
    $klez[7]=1 if $lines > 1500;

    # more BadTrans
    $bad[3]=2 if $exe;
    $bad[4]=1 if $base64;
    $bad[5]=1 if $lines > 900;

    # add up the scores; a file is reported only if enough signatures hit
    $klez = 0;
    for (@klez) { $klez += $_ if defined; }
    $bad = 0;
    for (@bad) { $bad += $_ if defined; }

    if ($klez > 6 || $bad > 4) {
        print "$file\n";
    } elsif ($exe) {
        print STDERR "warning: $file\n";
    }
}
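The script's executable check matches the base64 text itself (`^TVqQAAMAAAAEAAAA` at the start of a line), which only fires when the attachment's line wrapping happens to align with the first header bytes. The following is an added Python example, not part of the original post or the script above: it decodes each base64 part with the standard email module and inspects the decoded bytes, so it generalizes the same check to any line wrapping and also confirms the PE signature at the e_lfanew offset. The sample message and its fake attachment are constructed; the file name is made up.

```python
import base64
import email
from email import policy
import struct

# Constructed sample: a base64 attachment whose decoded bytes carry a minimal
# DOS/PE-style header (not a real program, just the magic values).
_FAKE_EXE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + b"\x00" * 48   # pad to 0x3c
    + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 16        # e_lfanew -> "PE\0\0"
)
SAMPLE_MESSAGE = (
    "From: a@example.invalid\r\nTo: b@example.invalid\r\nSubject: hi\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="xyz"\r\n\r\n'
    "--xyz\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    '--xyz\r\nContent-Type: application/octet-stream; name="pic.jpg.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.encodebytes(_FAKE_EXE).decode()
    + "--xyz--\r\n"
)


def executable_parts(raw):
    """Return (file name, reason) for each base64 part that decodes to a DOS/PE image."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if str(part.get("Content-Transfer-Encoding", "")).lower() != "base64":
            continue
        data = part.get_payload(decode=True) or b""
        if data[:2] != b"MZ":           # DOS stub magic, same bytes the script's prefix encodes
            continue
        reason = "MZ header"
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                reason = "MZ header + PE signature"
        hits.append((part.get_filename() or "<unnamed>", reason))
    return hits


if __name__ == "__main__":
    for name, reason in executable_parts(SAMPLE_MESSAGE):
        print(f"warning: executable attachment {name!r} ({reason})")
```

Reading whole files with `email.message_from_binary_file` instead of the string above lets the same function run over the `find ... | xargs` input the script takes.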