RE: W32.Hybris double-bounce clobber perl script...

2001-06-12 Thread Bill Andersen

Roger,

  Just so you'll know.  No filtering going on at cr.yp.to...

  I got this one the first go round...

./bill

-Original Message-
From: Roger Merchberger [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 12, 2001 10:10 AM
To: [EMAIL PROTECTED]
Subject: W32.Hybris double-bounce clobber perl script...


(I tried sending this once before - methinks there's some filtering going
on at cr.yp.to, so I'll change a few things & try again...)

Hello all...

I finally got deeply disturbed about all the double-bounces coming into my
email box (sometimes 2500 after a weekend... :-( ) from the Hybris virus
([EMAIL PROTECTED]) and I figured I needed to create a personal filter
for my mailbox to filter these thingies out... So I did.

The proggie is simple (and included here) but most everything's hardcoded
into the program, so you'll need to modify it to suit yourself ( salt to
taste... ;-)

It's a *very* short Perl script, named (on my machine) killhahaha.pl, and
here's what my .qmail file reads:

|/home/zmerch/killhahaha.pl
./Maildir/

and here's the script:

#!/usr/local/bin/perl

### Let's get the info first, to see if it's actually something
###  we need to control...

@zline = <STDIN>;

$limpy = grep (/TVqQAAME/, @zline);

exit (0) if ($limpy == 0);

# Now, we know that we have a virus... send it to a separate file
# have the proggie die quietly while disregarding further delivery
# instructions in the .qmail file...

open (Q, ">>/home/zmerch/hahainfo.txt");

# go thru each environment variable and write them to my logfile...

foreach $quack ( keys(%ENV) ) {
print Q "ENV - $quack = $ENV{$quack}\n";
}

print Q "\n\n";

foreach $liner (@zline) {

# re-search for the beginning of the virus, because we don't
# need to save the entire virus payload to our data file...

$limpy = grep (/TVqQAAME/, $liner);
last if ($limpy != 0);

print Q "OMail:  $liner";

}

print Q "\n=-=-=-=-=-=-=-=-=-=-=\n\n";

# Now exit the proggie & exit w/a #99 exit code to make
# qmail disregard any further lines in the .qmail file

close (Q);

exit (99);




Anyway, I hope this helps someone out there...

Thanks,
Roger Merch Merchberger
--
Roger Merch Merchberger   ---   sysadmin, Iceberg Computers
Recycling is good, right???  Ok, so I'll recycle an old .sig.

If at first you don't succeed, nuclear warhead
disarmament should *not* be your first career choice.
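
As an added example (not Roger's script, and not code from this thread): a variant of the same .qmail filter that counts the marker as a hit only when it begins a line inside a base64-encoded part, so a message that merely mentions the string in plain text is still delivered. The log path, the "demo" argument and the sample message are assumptions; the 0/99/111 exit codes follow the qmail-command conventions.

```perl
#!/usr/bin/perl
# Added example, not the script from the post. The log path, the "demo"
# argument and the sample under __DATA__ are assumptions / constructed.
use strict;
use warnings;
my $MARKER  = 'TVqQAAME';                        # string used in the post
my $LOGFILE = $ENV{HAHA_LOG} || 'hahainfo.txt';  # hypothetical log path

# Return a ref to the lines seen before the first line that starts with
# the marker inside a base64 part; return nothing when there is none.
# Any line starting "--x" is taken as a part boundary (loose on purpose,
# so parts quoted inside bounce text are followed too).
sub scan_message {
    my ($fh) = @_;
    my ($in_hdr, $b64, @seen) = (1, 0);
    while (my $line = <$fh>) {
        if ($line =~ /^--\S/) {
            ($in_hdr, $b64) = (1, 0);            # new part: headers follow
        } elsif ($in_hdr) {
            $b64 = 1 if $line =~ /^Content-Transfer-Encoding:\s*base64\b/i;
            $in_hdr = 0 if $line =~ /^\r?$/;     # blank line ends headers
        } elsif ($b64 && index($line, $MARKER) == 0) {
            return \@seen;                       # stop before the payload
        }
        push @seen, $line;
    }
    return;
}

my $in   = (@ARGV && $ARGV[0] eq 'demo') ? \*DATA : \*STDIN;
my $seen = scan_message($in);
exit 0 unless $seen;                 # no match: qmail continues to ./Maildir/
open(my $log, '>>', $LOGFILE) or exit 111;   # 111 = soft failure, retried
print $log "OMail:  $_" for @$seen;
print $log "\n=-=-=-=-=-=-=-=-=-=-=\n\n";
close($log) or exit 111;
exit 99;                             # match: skip the rest of .qmail
__DATA__
Subject: constructed sample message
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Plain text that mentions TVqQAAME must not trigger the filter.
--b1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64

TVqQAAMEconstructedPlaceholderNotARealPayload
--b1--
```

Run with the argument demo, it scans the constructed sample, logs everything up to the base64 line and exits 99; the plain-text mention alone would have exited 0.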




Re: W32.Hybris double-bounce clobber perl script...

2001-06-12 Thread David Gartner

Roger,

MUCH appreciated!  Thanks a ton ;)

David Gartner