If you look at a raw email (containing the virus), you'll find a multi-part message with one of the parts containing the base64 encoded attachment.  There is some information that tells the system what is attached, and what it's called.  You will see a line that literally contains name="my_doc.p\i\f" (\ inserted to clear filters).

The asterisk is part of a regular expression that says "a double quote followed by zero or more of any character followed by a period-pee-eye-eff-double quote".  The first period is not escaped, and is a RE wildcard matching any character; the asterisk specifies how many should be matched.

Oblio

At 01:05 PM 8/20/2003 -0700, you wrote:
B~(name=".*\.vbs"|name=".*\.shs"|name=".*\.scr"|name=".*\.vba"|name=".*\.pif"|name=".*\.bat"|name=".*\.vbe"):NUL


I am trying to figure out how this script line was created, especially where the "name=" is coming from, and where the asterisk of wild card is coming from? (They are not included in the syntax editor aid.)

Would someone on this forum give a brief explanation?

name=".*\.pif"


Thanks
Geza
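
Added example, not part of the thread: the alternation from the quoted rule (without its `B~` prefix and `:NUL` suffix) applied to a constructed raw multipart message, next to the same decision taken from the parsed MIME structure. It assumes Python's `re` semantics stand in for the filter's regular expression engine; the sample message, addresses and function names are made up for illustration.

```python
import re
from email import message_from_string

# The alternation from the rule quoted above, without the B~ prefix and :NUL suffix.
RULE = re.compile(r'(name=".*\.vbs"|name=".*\.shs"|name=".*\.scr"|name=".*\.vba"'
                  r'|name=".*\.pif"|name=".*\.bat"|name=".*\.vbe")')
BLOCKED = {".vbs", ".shs", ".scr", ".vba", ".pif", ".bat", ".vbe"}

def build_raw(filename):
    """Constructed sample: a two-part MIME message with one base64 attachment."""
    return (
        "From: sender@example.com\n"
        "To: rcpt@example.com\n"
        "Subject: sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\n'
        "\n"
        "--BOUND\n"
        "Content-Type: text/plain\n"
        "\n"
        "See the attached file.\n"
        "--BOUND\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        "aGVsbG8=\n"
        "--BOUND--\n"
    )

def rule_hits(raw):
    """Every span of the raw text that the rule's regular expression matches."""
    return [m.group(0) for m in RULE.finditer(raw)]

def parsed_hits(raw):
    """Same decision taken from the parsed MIME structure instead of raw text."""
    msg = message_from_string(raw)
    names = [part.get_filename() for part in msg.walk() if part.get_filename()]
    # Compare the extension case-insensitively against the blocked set.
    return [n for n in names if any(n.lower().endswith(ext) for ext in BLOCKED)]

if __name__ == "__main__":
    for fn in ("my_doc.pif", "my_doc.pdf", "mypif"):
        raw = build_raw(fn)
        print(fn, rule_hits(raw), parsed_hits(raw))
```

The raw-text rule fires twice on the `.pif` sample because `filename="..."` in the Content-Disposition header also contains the substring `name="..."`; `mypif` produces no hit because the escaped `\.` only matches a literal period.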
