TRJ/SOEX.A

These are old archives. They are kept for historic purposes only.
Jay
Posts: 11
Joined: Sat Mar 06, 2004 2:10 am

Post by Jay »

Code:

spamfilter { 
   regex "^porn! porno! http://.+\/sexo.exe"; 
   target { private; }; 
   action gline; 
   reason "TRJ/SOEX.A Trojan Detected, http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SOEX.A"; 
   ban-time 1d; 
};

I got these spammers on my network. It's not really a harmful bot, because the .exe file mostly can't execute (bad programming).
Hope the regex is acceptable.
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr »

Looks good except,

sexo.exe";

That should probably be sexo\.exe

Since . is a special character in a regex.
-- codemastr
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

Thanks, added in CVS :)

Code:

spamfilter {
   regex "^porn! porno! http://.+\/sexo\.exe";
   target private;
   action block;
   reason "Infected by soex trojan: see http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSOEX.A";
};
(note that _ gets translated into a space, so I just use %5F for now, I'll see if I can make __ [double underscore] translate into _ :P)
APCyberax

Filter Mask

Post by APCyberax »

I've spotted that the following mask should catch them all.

http://*.*.*.*:*/*.exe

Not sure if this would catch too many things, but it seems like a sound idea.
What do you people think?
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Well, that would certainly block sending any URL ending in .exe, if not for the fact that that is not correct regex syntax. It should be:

http://.+\..+\..+\..+:.+/.*\.exe
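
A way to check the three patterns from this thread against sample lines before loading them into a spamfilter block, as an added example that is not from any poster or from UnrealIRCd. It assumes Python's `re` module as a stand-in for the server's regex engine; the sample messages, `hits` and `report` are constructed for illustration.

```python
import re

# Patterns copied from the thread; Python's re module stands in for the
# IRC server's regex engine here (an assumption of this example).
PATTERNS = {
    "unescaped": r"^porn! porno! http://.+\/sexo.exe",
    "escaped": r"^porn! porno! http://.+\/sexo\.exe",
    "broad": r"http://.+\..+\..+\..+:.+/.*\.exe",
}

# Constructed sample messages: (text, is_spam). 203.0.113.7 is a
# documentation address; none of these lines come from real traffic.
# The second line is a near miss that only an unescaped dot accepts.
SAMPLES = [
    ("porn! porno! http://203.0.113.7:8080/sexo.exe", True),
    ("porn! porno! http://203.0.113.7:8080/sexo-exe", False),
    ("installer: http://dl.mirror.example.org:8080/tools/setup.exe", False),
    ("docs at http://www.example.org/index.html", False),
    ("http://a.example.org/notes.txt btw 12:30 works, bring/run game.exe", False),
]


def hits(pattern, samples=SAMPLES):
    """Return the sample texts the pattern matches anywhere in the line."""
    rx = re.compile(pattern)
    return [text for text, _ in samples if rx.search(text)]


def report(patterns=PATTERNS, samples=SAMPLES):
    """Per pattern: spam lines missed and benign lines wrongly matched."""
    out = {}
    for name, pattern in patterns.items():
        matched = set(hits(pattern, samples))
        out[name] = {
            "missed": [t for t, spam in samples if spam and t not in matched],
            "false_positives": [t for t, spam in samples if not spam and t in matched],
        }
    return out


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

The last sample shows that `.+` also spans spaces, so the broad pattern can match a line in which the URL itself does not end in .exe.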