Procmail Recipe for MyDoom/MinMail.R/NovArg.a

Thread starter: Hélio Silva

Hélio Silva

This is a procmail Recipe to Stop MyDOOM

:0BH
*-4^0
* 1^0 > 31000
* 1^0 < 32800
* 1^0 ^Content-Transfer-Encoding: 7bit
* 1^0 .*charset=.?Windows-1252.?
* 1^0 M_ASSUNTO ?? (^$|test|hi|hello|Mail Delivery System|\
Mail Transaction Failed|Server Report|Error|Status( Error)?)
* 1^0 .*filename=.?(data|readme|doc|test|text|message|document\
|file|body)\.(cmd|exe|pif|bat|scr|zip).?
{
PATSCORE=$=
LOG = `echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
:0
/dev/null
}

Hélio S. Silva
www.helio.com.br
Iggy Tecnologia e Informação S/C Ltda.
Uso Linux : http://info.abril.com.br/aberto/linux/
Sao Paulo,SP - BRASIL helio at helio.com.br
 
This is a procmail Recipe to Stop MyDOOM
:0BH
*-4^0
* 1^0 > 31000
* 1^0 < 32800
* 1^0 ^Content-Transfer-Encoding: 7bit
* 1^0 .*charset=.?Windows-1252.?
* 1^0 M_ASSUNTO ?? (^$|test|hi|hello|Mail Delivery System|\
Mail Transaction Failed|Server Report|Error|Status( Error)?)
* 1^0 .*filename=.?(data|readme|doc|test|text|message|document\
|file|body)\.(cmd|exe|pif|bat|scr|zip).?

Careful about false-positives with that one... I don't know what character
set Windows 1252 is but it seems to me that a harmless attachment could be
easily caught due to the range of attachment filename substrings found.

I still recommend either a virus scanner or filtering based on specific
substrings known to exist in the encoded body of the worm. More tedious but
nearly impossible to get a false positive.
 
This is a procmail Recipe to Stop MyDOOM

:0BH
*-4^0
* 1^0 > 31000
* 1^0 < 32800
* 1^0 ^Content-Transfer-Encoding: 7bit
* 1^0 .*charset=.?Windows-1252.?
* 1^0 M_ASSUNTO ?? (^$|test|hi|hello|Mail Delivery System|\
Mail Transaction Failed|Server Report|Error|Status( Error)?)
* 1^0 .*filename=.?(data|readme|doc|test|text|message|document\
|file|body)\.(cmd|exe|pif|bat|scr|zip).?
{
PATSCORE=$=
LOG = `echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
:0
/dev/null
}

Probably better to pick a line of the base64 and check for it:

:0 B
* ptjUzMjAmqZpurgnsKyooJhpmqZplIyIhHykaZqmdGxkXFRpmqYbTANEQDgwpmmapiggGBAImqZz
/dev/null

(The pattern above comes from a new virus I received, probably but not
certainly mydoom.)
 
David said:
Probably better to pick a line of the base64 and check for it:

ptjUzMjAmqZpurgnsKyooJhpmqZplIyIhHykaZqmdGxkXFRpmqYbTANEQDgwpmmapiggGBAImqZz
/dev/null

(The pattern above comes from a new virus I received, probably but not
certainly mydoom.)


IIRC, MyDoom is polymorphic. The fingerprints/checksums change with each
iteration.
 
Hélio Silva said:
This is a procmail Recipe to Stop MyDOOM

:0BH
*-4^0
* 1^0 > 31000
* 1^0 < 32800
* 1^0 ^Content-Transfer-Encoding: 7bit
* 1^0 .*charset=.?Windows-1252.?
* 1^0 M_ASSUNTO ?? (^$|test|hi|hello|Mail Delivery System|\
Mail Transaction Failed|Server Report|Error|Status( Error)?)
* 1^0 .*filename=.?(data|readme|doc|test|text|message|document\
|file|body)\.(cmd|exe|pif|bat|scr|zip).?
{
PATSCORE=$=
LOG = `echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
:0
/dev/null
}



Correct me if I'm wrong, but don't you need to download the message first
for procmail to work?
The solution I'm using is to delete any email with the name test or status
at the mail server without downloading. Even though I have a 512k broadband
connection I am not bothering downloading messages that are called test.
I'm using popsneaker to filter mail but there is also mailfilter.
http://www.ixtools.de/ Mailfilter page on sourceforge
 
anc said:
Correct me if I'm wrong, but don't you need to download the message first
for procmail to work?
The solution I'm using is to delete any email with the name test or status
at the mail server without downloading. Even though I have a 512k
broadband connection I am not bothering downloading messages that are
called test. I'm using popsneaker to filter mail but there is also
mailfilter.
http://www.ixtools.de/ Mailfilter page on sourceforge


Even easier solution, if you use KDE 3.1 there is the kshowmail utility.
If you view message headers without downloading, and from version 3.06 you
can use a simple subject filter for test or status. Anyone with a slow
dialup connection must surely welcome this with open arms.
 
Probably better to pick a line of the base64 and check for it:

:0 B
* ptjUzMjAmqZpurgnsKyooJhpmqZplIyIhHykaZqmdGxkXFRpmqYbTANEQDgwpmmapiggGBAImqZz
/dev/null
[snip]

The thing's polymorphic, so its signature will change. It also
changes filenames on-the-fly.

So now .zip has been added to the list of 100+ 'doze file extensions
that are not allowed inside. *shrug*
 
This is a procmail Recipe to Stop MyDOOM

Nice, but I have a question: What's that M_ASSUNTO environment
variable? I can't find any documentation on it. Yet, when I tested
this recipe, it caught a virus just fine.
 
Jem Berkes said:
This is a procmail Recipe to Stop MyDOOM

:0BH
*-4^0
[deleted...]

Careful about false-positives with that one... I don't know what character
set Windows 1252 is but it seems to me that a harmless attachment could be
easily caught due to the range of attachment filename substrings found.

I still recommend either a virus scanner or filtering based on specific
substrings known to exist in the encoded body of the worm. More tedious but
nearly impossible to get a false positive.


OK Here It is

# code to extract subject from timo's procmail recipes tutorial
M_SUBJECT=`formail -xSubject: | expand | sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`

# code to test body and Headers against Mydoom/MinMail.R/NovArg.a
:0BH
*-4^0
* 1^0 > 31000
* 1^0 < 35000
* 1^0 ^Content-Transfer-Encoding: 7bit
# there is a tab character between the brackets [] below
* 1^0 ^[	]charset=.?Windows-1252.?
* 1^0 M_SUBJECT ?? (^$|test|hi|hello|Mail Delivery System|Mail Transaction Failed|Server Report|Error|Status( Error)?)
* 1^0 .*filename=.?(data|readme|doc|test|text|message|document|file|body|jvlqhn)\.(cmd|exe|pif|bat|scr|zip).?
* 10^0 .*kPll1Ea7M64srTG4Qs9f8o
* 10^0 .*WXURrszriytMbhCz1/yiCG9XP6jS/b/
* 10^0 .*CmfHKpD5ZdRGuzOuLK0xuE
{
PATSCORE=$=
:0
* $ ? /usr/bin/test $PATSCORE -gt 10
{ # 100% SURE, it is the worm
LOG = `echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
:0
/dev/null
}
:0E
* $ ? /usr/bin/test $PATSCORE -lt 10
{ # it's probably the worm
LOG = `echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
:0
/dev/null
}
}

Hélio S. Silva
www.helio.com.br
Iggy Tecnologia e Informação S/C Ltda.
Uso Linux : http://info.abril.com.br/aberto/linux/
Sao Paulo,SP - BRASIL NOSPAM helio at helio.com.br
 
OK Here It is

Very nice. Thanks. One question:
# code to extract subject from timo's procmail recipes tutorial
M_SUBJECT=`formail -xSubject: | expand | sed -e 's/^[ ]*//g' -e 's/[
]*$//g'`

I assume that between '[' and ']' are a tab and a space?

-A
 
[snip]

I found a small bug in your procmail recipe. Here's how to fix it.
{
PATSCORE=$=
:0
* $ ? /usr/bin/test $PATSCORE -gt 10
{ # 100% SURE, it is the worm
LOG = `echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
:0
/dev/null
}
:0E
* $ ? /usr/bin/test $PATSCORE -lt 10
{ # it's probably the worm
LOG = `echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
:0
/dev/null
}
}

The first condition above should be $PATSCORE -ge 10
or $PATSCORE -gt 9, and not $PATSCORE -gt 10.

The second condition above should be $PATSCORE -gt 0
and not $PATSCORE -lt 10. If the first condition (score>10)
fails, then the second condition should still test if the score is
positive. The way you have it above, it drops all mail with a score
of 0, which results in some false positives. At least it was doing
that for me.

-A
 
Nice, but I have a question: What's that M_ASSUNTO environment
variable? I can't find any documentation on it. Yet, when I tested
this recipe, it caught a virus just fine.
In fact the variable is M_SUBJECT:

M_SUBJECT=`formail -xSubject: | expand | sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`
# see more at http://www.uwasa.fi/~ts/info/proctips.html
:0BH
*-4^0
* 1^0 > 31000
* 1^0 < 35000
* 1^0 ^Content-Transfer-Encoding: 7bit
# PUT A TAB CHARACTER BETWEEN THE [] BRACKETS BELOW
* 1^0 ^[	]charset=.?Windows-1252.?
* 1^0 M_SUBJECT ?? (^$|test|hi|hello|Mail Delivery System|Mail Transaction Failed|Server Report|Error|Status( Error)?)
* 1^0 .*filename=.?(data|readme|doc|test|text|message|document|file|body|jvlqhn)\.(cmd|exe|pif|bat|scr|zip).?
* 10^0 .*kPll1Ea7M64srTG4Qs9f8o
* 20^0 .*WXURrszriytMbhCz1/yiCG9XP6jS/b/
* 50^0 .*CmfHKpD5ZdRGuzOuLK0xuE
{
PATSCORE=$=
:0
* $ ? /usr/bin/test $PATSCORE -lt 60
{ LOG = `echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
:0
/dev/null
}
}
 
[snip]

I found a small bug in your procmail recipe. Here's how to fix it.
{
PATSCORE=$=
:0
* $ ? /usr/bin/test $PATSCORE -gt 10
{ # 100% SURE, it is the worm
LOG = `echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
:0
/dev/null
}
:0E
* $ ? /usr/bin/test $PATSCORE -lt 10
{ # it's probably the worm
LOG = `echo -e "Mydoom/MinMail/NovArg.a (${PATSCORE})" `
:0
/dev/null
}
}

The first condition above should be $PATSCORE -ge 10
or $PATSCORE -gt 9, and not $PATSCORE -gt 10.

The second condition above should be $PATSCORE -gt 0
and not $PATSCORE -lt 10. If the first condition (score>10)
fails, then the second condition should still test if the score is
positive. The way you have it above, it drops all mail with a score
of 0, which results in some false positives. At least it was doing
that for me.

-A

Very strange, procmail should accept the code between { and } only
if $PATSCORE > 0. You don't have to test values < 1.
I'm using procmail 3.15.

HELIO
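To make the threshold discussion concrete (the -gt 10 / -lt 10 gap -A reported, and Hélio's point that procmail only enters the outer block when the score is positive), here is an added Python model of the updated recipe's scoring. It is not code from the thread: the patterns, weights and body fragments are copied from the recipe above, the two messages are constructed samples, and the "original" and "fixed" verdicts mirror the two sets of test conditions.

```python
import re

# Patterns and weights copied from the thread's updated recipe (case-insensitive, like procmail).
SUBJECT_RE = (r"^$|test|hi|hello|Mail Delivery System|Mail Transaction Failed|"
              r"Server Report|Error|Status( Error)?")
FILENAME_RE = (r"filename=.?(data|readme|doc|test|text|message|document|file|body|"
               r"jvlqhn)\.(cmd|exe|pif|bat|scr|zip).?")
SIGNATURES = [(10, "kPll1Ea7M64srTG4Qs9f8o"), (20, "WXURrszriytMbhCz1/yiCG9XP6jS/b/"),
              (50, "CmfHKpD5ZdRGuzOuLK0xuE")]        # base64 body fragments from the thread
FLAGS = re.M | re.I

def mydoom_score(raw: str) -> int:
    """Sum the w^0 weights of each matching condition over headers and body (the :0BH recipe)."""
    m = re.search(r"^Subject:[ \t]*(.*)$", raw, FLAGS)
    subject = m.group(1).strip() if m else ""
    checks = [(-4, True),                                             # * -4^0  always matches
              (1, len(raw) > 31000), (1, len(raw) < 35000),           # * 1^0 > 31000 / < 35000
              (1, re.search(r"^Content-Transfer-Encoding: 7bit", raw, FLAGS) is not None),
              (1, re.search(r"^\tcharset=.?Windows-1252.?", raw, FLAGS) is not None),  # tab-led line
              (1, re.search(SUBJECT_RE, subject, FLAGS) is not None),
              (1, re.search(FILENAME_RE, raw, FLAGS) is not None)]
    checks += [(w, sig in raw) for w, sig in SIGNATURES]            # * 10^0 / 20^0 / 50^0 .*fragment
    return sum(w for w, hit in checks if hit)

def verdict(total: int, fixed: bool) -> str:
    """Mirror the nested blocks; procmail only enters the outer {} when the score is > 0."""
    if total <= 0:
        return "deliver"
    if fixed:                           # -ge 10 and -gt 0, as corrected in the thread
        return "drop (sure)" if total >= 10 else "drop (probable)"
    if total > 10:                      # original first test: -gt 10
        return "drop (sure)"
    if total < 10:                      # original :0E test: -lt 10
        return "drop (probable)"
    return "deliver"                    # exactly 10 matches neither test and falls through

# Constructed samples (not real worm mail): one shaped like the worm, one ordinary note.
WORMLIKE = ("Subject: Server Report\nContent-Type: multipart/mixed; boundary=\"b\"\n"
            "Content-Transfer-Encoding: 7bit\n\n--b\nContent-Type: text/plain;\n"
            "\tcharset=\"Windows-1252\"\n\nThe message cannot be represented in 7-bit ASCII.\n"
            "--b\nContent-Type: application/octet-stream; name=\"document.zip\"\n"
            "Content-Disposition: attachment; filename=\"document.zip\"\n"
            "Content-Transfer-Encoding: base64\n\nkPll1Ea7M64srTG4Qs9f8o\n" + "QUFB" * 8000 + "\n--b--\n")
CLEAN = "Subject: Lunch\nContent-Transfer-Encoding: 7bit\n\nSee you at noon.\n"

if __name__ == "__main__":
    for name, msg in (("wormlike", WORMLIKE), ("clean", CLEAN)):
        s = mydoom_score(msg)
        print(f"{name}: score={s:3d}  original={verdict(s, False)}  fixed={verdict(s, True)}")
```

Scores count characters rather than bytes, which is the same thing for the 7-bit mail the recipe targets.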
 
[snip]
Probably better to pick a line of the base64 and check for it:

:0 B
* ptjUzMjAmqZpurgnsKyooJhpmqZplIyIhHykaZqmdGxkXFRpmqYbTANEQDgwpmmapiggGBAImqZz
/dev/null
[snip]

The thing's polymorphic, so its signature will change. It also
changes filenames on-the-fly.

Didn't realize that... pfui.
 
axlq in California wrote in message:
I found a small bug in your procmail recipe. Here's how to fix it.
[snip]

Very strange, procmail should accept the code between { and } only
if $PATSCORE > 0. You don't have to test values < 1.

Turned out to be my mistake. I had a linefeed (due to wordwrapping
in your message) where there shouldn't have been one. This caused
a syntax error, resulting in the recipe failing to set the score
variable and dropping the message anyway. It's fixed now.

I'm pretty good with procmail, but I bow to your
expertise. Do you have any way to use the text files at
http://www.blackholes.us with procmail? Say I wanted to use
procmail to block all IP addresses from Taiwan. I'd download
http://www.blackholes.us/zones/country/taiwan.txt to my server
but then I need some way to test if an IP address in a header
corresponds to, say, 202.5.8.0/21.

-A
 
I'm pretty good with procmail, but I bow to your expertise. Do you have
any way to use the text files at http://www.blackholes.us with procmail?
Say I wanted to use procmail to block all IP addresses from Taiwan. I'd
download http://www.blackholes.us/zones/country/taiwan.txt to my server
but then I need some way to test if an IP address in a header
corresponds to, say, 202.5.8.0/21.


axlq..

Thought about hooking up a small Perl script to do that?

I've just finished a Perl script to use F-Prot to scan incoming mails from
procmail; it strips the original body and attachment, replaces it
with a message about the infection that F-Prot detected (if applicable),
and adds the original headers to the new body for info. It uses the
Mail::Audit module. I don't know what your Perl skills are like.. but it
should be pretty trivial to write a small script to do RBL checking from
procmail =)



Regards,

Ian
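For axlq's question about matching a Received: address against a zone file such as taiwan.txt (202.5.8.0/21), and Ian's suggestion of a small external script, here is an added example in Python rather than Perl. It is not code from the thread: the zone file and Received: headers are constructed samples, and the script name cidrcheck.py is a placeholder; procmail can run it from a `* ? ...` condition, which feeds the message on stdin and treats exit status 0 as a match.

```python
import ipaddress
import re
import sys

# Constructed stand-in for a blackholes.us zone file: one CIDR per line, '#' starts a comment.
# 202.5.8.0/21 is the block named in the thread; 203.0.113.0/24 is a documentation range.
ZONE_TEXT = """# taiwan.txt (constructed sample)
202.5.8.0/21
203.0.113.0/24
"""

# Constructed Received: headers: 202.5.9.17 sits inside 202.5.8.0/21, 198.51.100.7 does not.
HEADERS = """Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id abc123
Received: from unknown (HELO relay) [202.5.9.17]
\tby mx.example.net with SMTP
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literals on Received: lines

def load_zone(text):
    """Parse the zone file into ip_network objects, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def received_ips(headers):
    """Every bracketed IPv4 literal in the headers, in the order the hops appear."""
    ips = []
    for m in IP_RE.finditer(headers):
        try:
            ips.append(ipaddress.ip_address(m.group(1)))
        except ValueError:      # e.g. an octet above 255
            pass
    return ips

def blocked_hops(headers, nets):
    """(ip, network) pairs for each hop that falls inside a listed CIDR block."""
    return [(str(ip), str(net)) for ip in received_ips(headers) for net in nets if ip in net]

if __name__ == "__main__":
    # Usage from a procmail condition:  * ? python3 cidrcheck.py taiwan.txt
    # Exit 0 means "a listed hop was found", which makes the condition true.
    with open(sys.argv[1]) as f:
        hits = blocked_hops(sys.stdin.read(), load_zone(f.read()))
    for ip, net in hits:
        print(f"{ip} is in {net}", file=sys.stderr)
    sys.exit(0 if hits else 1)
```

Only the Received: line stamped by your own server is trustworthy; the lines below it arrive with the message and can be forged, so a stricter filter would check just the topmost hop.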
 