Yet Another antiVirus Recipe (YAVR) is a procmail recipe that helps to filter out many of the most common e-mail worms.
For some of the detections (plain iframe, CLSID, XML, macro) the e-mail is delivered normally but gets a WARNING prefix in its subject, followed by its old subject ($SUB).
Some of the warnings are:
Here are some key features of "YetAnotherantiVirusRecipe":
· :: base64 signatures ::
· Most of these worms are MS-Windows executables and arrive at our e-mail encoded through base64 routines. YAVR uses especially selected signatures to locate these attachments. After that it places them in a directory (/virus/) sorted by name.
· :: iframe html exploit ::
· Through an IFRAME tag, an HTML-encoded e-mail can download and execute a file from a remote HTTP site without informing the user.
· :: CLSID hidden extensions exploit ::
· Attachments which end with a Class ID (CLSID) file extension do not show the actual file extension saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are actually innocent files, such as JPG or WAV files.
· :: xml codebase exploit ::
· Usage of some XML objects allows local files to be executed automatically, regardless of the security settings on the target machine.
· :: generic executable trap for bat, pif, vbs, vba, scr, lnk, com, exe ::
· The rest of the MS executable files that are not caught by the base64 signatures end up in a virus-could-be file.
· :: generic macro detection for doc,dot,xls,xla files ::
· MS-Word and MS-Excel files that contain macro commands are marked with a warning.
· :: generic detection for most Nigeria scam e-mails ::
· Nigeria scam e-mail is not a virus but a big spam problem. There are many good filters that use great algorithms for spam; this is just an add-on.
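As an added illustration (not the recipe's own code, which is procmail), the Python below applies three of the checks described above to a constructed message: the generic executable extension trap, the CLSID hidden-extension check and the IFRAME check, reporting the X-YAVR style tag each would earn. The GUID in the sample filename is constructed, not a real CLSID.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the recipe's generic executable trap covers (from the feature list).
EXEC_EXTS = {"bat", "pif", "vbs", "vba", "scr", "lnk", "com", "exe"}

# A CLSID "extension": a dot followed by a {8-4-4-4-12} hex GUID at the end of the
# name. Windows Explorer hides this part, so "photo.jpg.{...}" displays as "photo.jpg".
CLSID_RE = re.compile(r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
IFRAME_RE = re.compile(r"<\s*iframe\b", re.I)

def classify_attachment(name):
    """Return the X-YAVR style tag an attachment filename would earn, or None."""
    if CLSID_RE.search(name):
        return "CLSID-EXTENSION"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXEC_EXTS:
        return "MS-EXEC"
    return None

def scan_message(raw):
    """Parse a raw RFC 822 message and return the set of tags it triggers."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    tags = set()
    for part in msg.walk():
        name = part.get_filename()
        if name:
            tag = classify_attachment(name)
            if tag:
                tags.add(tag)
        elif part.get_content_type() == "text/html":
            if IFRAME_RE.search(part.get_content()):
                tags.add("IFRAME")
    return tags

def build_sample():
    """Constructed test message: an HTML body with an IFRAME plus two attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Hi"
    msg.set_content('<html><body><iframe src="http://example.invalid/x"></iframe>'
                    '</body></html>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="readme.txt.pif")
    # Constructed GUID below, not a real CLSID.
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="holiday.jpg.{01234567-89ab-cdef-0123-456789abcdef}")
    return msg.as_bytes()
```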
What's New in This Release:
· new switches for quarantining (or not) certain e-mails, based on some ideas by Dan Smart
· YAVRQUARANTEXE: if set to ON, unknown executables are sent to /virus/virus-could-be as usual; if set to OFF, they are delivered to the inbox with a warning (and the X- header ;)
· YAVRQUARANTNIG: same for Nigeria scam
· YAVRQUARANTPRN: same for porn e-mail; read the instructions inside nkvir-rc
· X- marks in headers to help your own procmail scripts
· X-YAVR: MS-EXEC (any MS executable that wasn't identified by signatures)
· X-YAVR: NIGERIA (nigeria scam)
· X-YAVR: PORN (porn related)
· X-YAVR: MACRO (containing macro code)
· X-YAVR: XML-CODEBASE
· X-YAVR: IFRAME
· X-YAVR: CLSID-EXTENSION
· X-YAVR: SENDMAIL-EXPLOIT
· some more Worm.Moodown.b aka Netsky.b signatures
· another Mimail.Q signature