Here's a procmail recipe for Nimda, that new SirCam/CodeRed-ish worm.. 
It's based upon the fact that the worm uses a hard-coded MIME boundary in
the mail messages it sends out.  There might be a few other really really
dumb programs that send out legitimate mail with a similar boundary, but
they should be fixed to use random boundaries..

:0 D
* ^Content-Type:
* multipart.*"====_ABC1234567890DEF_===="
/dev/null

-- 
 _  _  _  _ _  ___    _ _  _  ___ _ _  __   It's hard to RTFM when 
/ \/ \(_)| ' // ._\  / - \(_)/ ./| ' /(__   you can't _find_ TFM.. 
\_||_/|_||_|_\\___/  \_-_/|_|\__\|_|_\ __)                             
[ Mike Hicks | http://umn.edu/~hick0088/ | mailto:hick0088 at tc.umn.edu ]
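
The same check outside procmail, as an added example that is not part of the original post: Python's standard email parser reads the boundary parameter of every multipart entity, including folded headers and nested parts, and compares it with the string from the recipe. The function name and the sample messages are constructed for illustration.

```python
from email import message_from_bytes

# Boundary string from the recipe above; keeping it in a set is this example's choice.
STATIC_BOUNDARIES = {"====_ABC1234567890DEF_===="}

def static_boundary_parts(raw):
    """Return content types of multipart entities declaring a listed boundary."""
    hits = []
    for part in message_from_bytes(raw).walk():  # top level, then nested parts
        if part.get_content_maintype() != "multipart":
            continue
        # get_boundary() reads the parameter even when the header is folded
        # and strips the quotes; the match is exact and case-sensitive.
        if part.get_boundary() in STATIC_BOUNDARIES:
            hits.append(part.get_content_type())
    return hits

# Constructed samples: headers and placeholder text only.
FOLDED = b"""From: a@example.com
MIME-Version: 1.0
Content-Type: multipart/related;
\ttype="multipart/alternative";
\tboundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: text/plain

placeholder
--====_ABC1234567890DEF_====--
"""
# Same message with a different (constructed) boundary throughout.
RANDOM = FOLDED.replace(b"====_ABC1234567890DEF_====", b"b1_7c2e9f41d0")
# The string appears only in the body of a plain-text message.
QUOTED_IN_BODY = b"""From: b@example.com
Content-Type: text/plain

The recipe matches "====_ABC1234567890DEF_====" in multipart headers.
"""
# The FOLDED entity wrapped inside an outer multipart/mixed message.
NESTED = b"""From: list@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer42"

--outer42
""" + FOLDED.split(b"\n", 2)[2] + b"--outer42--\n"

if __name__ == "__main__":
    for name in ("FOLDED", "RANDOM", "QUOTED_IN_BODY", "NESTED"):
        print(name, static_boundary_parts(globals()[name]))
```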