We saw the ramping up of a new mass mailing worm yesterday afternoon.
It got through our virus scanner because there was no signature for it yet. MIMEDefang defanged it, but still a few systems on campus were infected. Late afternoon I crawled through the maillogs to find the most common attachment names that this seemed to be getting sent as, and came up with a filename regex of:
((doc\w*|body|readme|gmf|text|file|message)\.(scr|zip|pif|exe))
I also sent a copy of the virus to Central Command’s virus submission address. An hour later they had an updated signature file for the virus, which I grabbed.
We’ve gotten 5755 copies dropped by MIMEDefang since midnight.
Posted by Rowan Littell at January 27, 2004 11:49 AM