> it, but I was wondering what test could check for
> UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA== in a mime part

Ah.  Tricky.  That has the disadvantage of being a non-text mime part, so SA
tends to throw them in the trash.  Nothing will find it on 2.6x, other than
perhaps a modification of the MICROSOFT_EXECUTABLE eval.

I'm not positive on 3.0, but *possibly* a full-body rule would catch it,
thusly:

full LW_SMALL_ZIP /^UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==$/
score LW_SMALL_ZIP whatever
describe LW_SMALL_ZIP Small zip file, probably deleted virus

        Loren

BTW, I bet that a rule like this would catch a whole lot of virui and phish:

body    LW_SUSPENDED    /account has been suspended/
score    LW_SUSPENDED    1
describe LW_SUSPENDED    Typical phish/virus phrase.
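As an added illustration (not code from the post or from SpamAssassin), the Python below shows what the proposed `full` rule is actually matching: the base64 line decodes to a 22-byte ZIP end-of-central-directory record with zero entries, i.e. an empty archive. It checks decoded MIME parts for that record and applies the same regex to the raw message; the sample message is constructed here.

```python
import re
from email import message_from_string

# Base64 line quoted in the post. It decodes to 22 bytes: the ZIP
# end-of-central-directory (EOCD) record with every count set to zero,
# i.e. an archive with no entries.
EMPTY_ZIP_B64 = "UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA=="
EOCD_SIGNATURE = b"PK\x05\x06"

# Same pattern as the proposed 'full' rule, applied to the raw message.
# A 'body' rule only sees decoded text parts, so it never sees this line.
FULL_RULE_RE = re.compile(r"^UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==$", re.M)

def is_empty_zip(data):
    """True if data is exactly an EOCD record describing zero entries."""
    if len(data) != 22 or not data.startswith(EOCD_SIGNATURE):
        return False
    # disk numbers, entry counts, central directory size/offset,
    # comment length: all zero for an empty archive
    return data[4:] == b"\x00" * 18

def empty_zip_parts(raw_message):
    """Names of the MIME parts whose decoded payload is an empty ZIP."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes the base64
        if payload is not None and is_empty_zip(payload):
            hits.append(part.get_filename() or "<unnamed>")
    return hits

def full_rule_matches(raw_message):
    """What the 'full' rule would do: regex over the undecoded message."""
    return FULL_RULE_RE.search(raw_message) is not None

# Constructed sample: a text part plus a base64 attachment that is only
# the empty ZIP (what a gateway can leave behind after stripping a file).
SAMPLE_MESSAGE = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\n\n'
    "--XYZ\nContent-Type: text/plain\n\n"
    "Your account has been suspended, see attachment.\n"
    '--XYZ\nContent-Type: application/zip; name="details.zip"\n'
    f"Content-Transfer-Encoding: base64\n\n{EMPTY_ZIP_B64}\n"
    "--XYZ--\n"
)

if __name__ == "__main__":
    print(empty_zip_parts(SAMPLE_MESSAGE))    # ['details.zip']
    print(full_rule_matches(SAMPLE_MESSAGE))  # True
```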