YAVR

Yet Another antiVirus Recipe


project discontinued
last version: nkvir-rc-2129l-last-version


YAVR is a procmail recipe that helps to filter out a lot of the most common e-mail worms that cause problems to e-mail servers and individual users.

Features:

Warnings you receive:
For some of the above (plain iframe, CLSID, XML, macro) the e-mail is delivered normally, but its subject is prefixed with a WARNING tag followed by the original subject ($SUB).
Warnings are:
  • WARNING-XML-CODEBASE-OBJECT-$SUB
  • WARNING-CLSID-EXTENSION-$SUB
  • WARNING-IFRAME-$SUB
  • WARNING-MACRO-$SUB
  • WARNING-NSCAM-SCORE:$NKNGS-$SUB


Download:
current version: nkvir-rc
changelog at: nkvir-changelog
After downloading, please read the included instructions and the license under which this program is distributed!

If you like YAVR you can subscribe for updates and vote for it at Freshmeat.

Features explanation:
:: base64 signatures ::
Most of these worms are MS-Windows executables that arrive in e-mail as base64-encoded attachments. YAVR uses specially selected signatures to locate these attachments and then files them in a directory (/virus/) sorted by name.

:: iframe html exploit ::
Through an IFRAME tag, an HTML-encoded e-mail can download and execute a file from a remote HTTP site without informing the user.

:: CLSID hidden extensions exploit ::
Attachments whose file name ends in a Class ID (CLSID) extension do not show their actual extension when saved and viewed in Windows Explorer. This allows dangerous file types to appear as innocent files, such as JPG or WAV files.

:: xml codebase exploit ::
Use of certain XML objects allows local files to be executed automatically, regardless of the security settings on the target machine.

:: generic executable trap for bat, pif, vbs, vba, scr, lnk, com, exe ::
MS executable attachments that are not caught by the base64 signatures end up in a virus-could-be file.

:: generic macro detection for doc,dot,xls,xla files ::
MS-Word and MS-Excel files that contain macro commands are marked with a warning.

:: generic detection for most Nigeria scam e-mails ::
Nigeria scam e-mail is not a virus but a big spam problem... There are many good spam filters with excellent algorithms; this is just an add-on.
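The checks described above (base64 signatures, the IFRAME and CLSID-extension cases, the generic executable trap, and the WARNING-tag subject rewriting) can be illustrated with a small stand-alone filter. The following Python is an added example, not YAVR's procmail recipe: it parses one MIME message and applies the same classification the page describes. Assumptions, labelled as such in the code: a decoded attachment beginning with the DOS/PE "MZ" header stands in for the recipe's hand-picked base64 signatures, the CLSID extension is matched as a trailing {8-4-4-4-12} GUID, several warnings are simply stacked in the WARNING-<tag>-$SUB form, and the sample messages (addresses, subject, GUID, attachments) are constructed.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# A file name whose last "extension" is a CLSID: "song.wav.{GUID}".
# Assumption: standard {8-4-4-4-12} hex GUID form.
CLSID_EXT_RE = re.compile(
    r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)
# The generic executable trap from the feature list above.
EXEC_EXTS = (".bat", ".pif", ".vbs", ".vba", ".scr", ".lnk", ".com", ".exe")
# Assumption: the "MZ" DOS/PE header stands in for the recipe's base64 signatures.
PE_MAGIC = b"MZ"


def scan(raw: bytes) -> dict:
    """Classify one RFC 822 message the way the page describes YAVR doing it.

    Returns a dict with
      action   - "quarantine" (signature or executable hit) or "deliver"
      folder   - "/virus/" for a signature hit, "virus-could-be" for a bare
                 executable extension, None when delivered
      hits     - attachment names that caused the quarantine
      warnings - tags that are prefixed to the subject when delivered
      subject  - the subject line the recipient would see
    """
    msg = message_from_bytes(raw, policy=default)
    original_subject = str(msg.get("Subject", ""))
    warnings, signature_hits, executable_hits = [], [], []

    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if part.get_content_type() == "text/html":
            if IFRAME_RE.search(part.get_content()):
                warnings.append("IFRAME")
        if filename and CLSID_EXT_RE.search(filename):
            warnings.append("CLSID-EXTENSION")
        if part.get_content_maintype() != "text":
            payload = part.get_payload(decode=True) or b""
            if payload.startswith(PE_MAGIC):
                signature_hits.append(filename or "unnamed")
                continue  # signature match wins over the generic trap
        if filename and filename.lower().endswith(EXEC_EXTS):
            executable_hits.append(filename)

    if signature_hits:
        return {"action": "quarantine", "folder": "/virus/", "hits": signature_hits,
                "warnings": warnings, "subject": original_subject}
    if executable_hits:
        return {"action": "quarantine", "folder": "virus-could-be", "hits": executable_hits,
                "warnings": warnings, "subject": original_subject}
    # Assumption: several warnings are stacked, first one found outermost,
    # each in the page's WARNING-<tag>-$SUB form.
    subject = original_subject
    for tag in reversed(warnings):
        subject = f"WARNING-{tag}-{subject}"
    return {"action": "deliver", "folder": None, "hits": [],
            "warnings": warnings, "subject": subject}


def build_sample(attachment: str = "") -> bytes:
    """Constructed test message: HTML body with an IFRAME, a CLSID-named
    attachment, and optionally an "exe" (MZ header) or "vbs" attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_alternative(
        '<html><body><p>See attached.</p>'
        '<iframe src="http://example.invalid/f" width="0"></iframe></body></html>',
        subtype="html")
    # Constructed placeholder GUID, not a real Windows class id.
    msg.add_attachment(b"RIFF....WAVEfmt ", maintype="audio", subtype="x-wav",
                       filename="song.wav.{12345678-1234-1234-1234-123456789abc}")
    if attachment == "exe":
        msg.add_attachment(PE_MAGIC + b"\x90\x00" + b"\x00" * 58,
                           maintype="application", subtype="octet-stream",
                           filename="photo.jpg.exe")
    elif attachment == "vbs":
        msg.add_attachment(b"' constructed placeholder script body\n",
                           maintype="application", subtype="octet-stream",
                           filename="invoice.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for kind in ("", "exe", "vbs"):
        result = scan(build_sample(kind))
        print(f"{kind or 'warnings-only':13s} -> {result['action']:10s} "
              f"{result['folder']!s:15s} {result['subject']}")
```

The three sample variants exercise the three outcomes on the page: an MZ-headed attachment goes to /virus/ regardless of its extension, a bare .vbs lands in virus-could-be, and a message with only an IFRAME and a CLSID-named attachment is delivered with both WARNING tags in front of the original subject.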

Links:
procmail: http://www.procmail.org/
procmail mailing list (learn everything here): http://www.rosat.mpe-garching.mpg.de/mailing-lists/procmail/
SecurityFocus mailing list: http://online.securityfocus.com/archive/100
Virus encyclopedia: http://www.viruslist.com/

© Nikos K. Kantarakias