TRJ/SOEX.A

These are old archives. They are kept for historic purposes only.
Jay
Posts: 11
Joined: Sat Mar 06, 2004 2:10 am

TRJ/SOEX.A

Post by Jay » Tue Mar 09, 2004 12:37 pm

Code:

spamfilter { 
   regex "^porn! porno! http://.+\/sexo.exe"; 
   target { private; }; 
   action gline; 
   reason "TRJ/SOEX.A Trojan Detected, http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SOEX.A"; 
   ban-time 1d; 
};

I got these spammers on my network. It's not really a harmful bot, because the .exe file mostly can't execute (bad programming).
Hope the regex is acceptable.

codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr » Tue Mar 09, 2004 4:36 pm

Looks good except,

sexo.exe";

That should probably be sexo\.exe

Since . is a special character in a regex.
-- codemastr

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Tue Mar 09, 2004 8:51 pm

Thanks, added in CVS :)

Code:

spamfilter {
   regex "^porn! porno! http://.+\/sexo\.exe";
   target private;
   action block;
   reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
};

(note that _ gets translated into a space, so I just use %5F for now, I'll see if I can make __ [double underscore] translate into _ :P)

APCyberax

Filter Mask

Post by APCyberax » Tue May 18, 2004 6:44 am

I've spotted the following mask, which should catch them all.

http://*.*.*.*:*/*.exe

Not sure if this would catch too many things, but it seems like a sound idea.
What do you people think?

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Tue May 18, 2004 1:43 pm

Well, that would certainly block sending any URL ending in .exe if not for the fact that that is not correct regex syntax. It should be:

http://.+\..+\..+\..+:.+/.*\.exe
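
Added example (not part of the thread or of UnrealIRCd): the three patterns posted above, checked against constructed sample messages to show what the unescaped dot over-matches and how much benign traffic the broad mask catches. Python's `re` stands in for the server's regex engine, and the sample messages, hosts and function names are assumptions.

```python
import re

# Patterns copied from the thread, with the config-file quoting removed.
ORIGINAL = r"^porn! porno! http://.+\/sexo.exe"   # first post: unescaped dot
ESCAPED = r"^porn! porno! http://.+\/sexo\.exe"   # corrected version added to CVS
BROAD = r"http://.+\..+\..+\..+:.+/.*\.exe"       # last post's regex for the mask

# Constructed sample private messages; hosts use documentation address ranges.
SAMPLES = {
    "trojan_spam": "porn! porno! http://192.0.2.10:8080/sexo.exe",
    "near_miss": "porn! porno! http://192.0.2.10:8080/sexo_exe",
    "benign_ip_url": "grab the installer at http://198.51.100.7:8000/setup.exe",
    "benign_host_url": "mirror: http://dl.www.example.org:81/tools/client.exe",
    "plain_chat": "anyone seen the new release notes?",
}


def hits(pattern, samples=SAMPLES):
    """Return sorted names of the samples the pattern matches.

    Assumption: the filter matches anywhere in the message unless the
    pattern is anchored, so re.search() is used rather than re.match().
    """
    rx = re.compile(pattern)
    return sorted(name for name, text in samples.items() if rx.search(text))


def report():
    """Map each pattern label to the samples it would act on."""
    labelled = (("original", ORIGINAL), ("escaped", ESCAPED), ("broad", BROAD))
    return {label: hits(pattern) for label, pattern in labelled}


if __name__ == "__main__":
    for label, matched in report().items():
        print(f"{label:9} -> {matched}")
```

With an action such as gline attached, every benign sample the broad pattern matches would be a banned legitimate user, so running candidate patterns over a log of normal traffic first is the useful check.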
