Klez email filter

[Dave Dribin]

I know the best way to stop Klez is to have people disinfect their computer.  But, if you receive the virus email a lot like I do and want to just filter them out of the way, here is a simple Procmail filtering rule to do so:

# Klez worm procmail filter - courtesy of www.shove-it.com
:0 B
* ^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE$
${KLEZ}

Yeah, Procmail is a Unix-only mail filter, but I'm sure someone could adapt it to some Windows variant.  All the filter is doing is seeing if one of the lines in the body matches that long string.  So far it's caught 215 copies of Klez without a single false positive or missed Klez.  Not too shabby.

-Dave

[tom61]

Hmm... interesting. Maybe Saint or PJ could have that run when forwarding emails...

I tried setting up Outlook Express with a message rule to delete messages that have '* ^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE' in their body, but it appearently excludes attachments from being considered.

[Dave Dribin]

I tried setting up Outlook Express with a message rule to delete messages that have '* ^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE' in their body, but it appearently excludes attachments from being considered.

Sorry, I should have explained the Procmail stuff a little better.  The text you need to match on is "135AA....SPCItE".  The star ("*"), caret ("^"), and dollar sign ("$") are special characters for Procmail and are not actually in the string to be matched.  Maybe that'll help, though I can see Outlook skipping attachments, too.

Aparently this string is in the Base-64 encoded Klez binary and unique to its exe.

-Dave

[tom61]

I didn't include the caret or star when I put it OE, only when I pasted it here.

[Dave Dribin]

I didn't include the caret or star when I put it OE, only when I pasted it here.

Eh, crap.  Oh well.

-Dave