From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <5129cce78925fa024f07ab7ee75d6186@snellwilcox.com>
From: plan9fans@ntlworld.nospam.com
To: 9fans@cse.psu.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: [9fans] MYDoom-F pipeto pattern
Date: Fri, 27 Feb 2004 14:42:28 +0000
Topicbox-Message-UUID: fffada82-eacc-11e9-9e20-41e7f4b1d025

Hi,

I've started to get more viruses. Here is a replacement for the function
in /mail/lib/pipeto.lib for anyone who has similar problems.

It is tuned for Mydoom-A, Mydoom-F and Swen.A.

fn isvirus {
	virus=no
	# attachment name has an executable extension
	if(grep -s '\.(exe|scr|bat|com|cmd)' $D/2/filename >[2]/dev/null){
		# marker string readable in the raw body
		if (strings $D/2/body >[2]/dev/null | grep -s 'Try to pull my legs' )
			virus=yes
		# marker strings that only show up after rot13 of the body
		if (! ~ `{cat $D/2/body | rot13 | grep 'Version\\Explorer'} '' )
			virus=yes
		if (! ~ `{cat $D/2/body | rot13 | tcs -f microsoft | grep 'RCPT TO:.*MAIL.*HELO'} '' )
			virus=yes
	}
	# zip attachment: run the same rot13 checks on the extracted stream
	if (grep -si '\.zip' $D/2/filename >[2]/dev/null){
		if (! ~ `{unzip -sc < $D/2/body | rot13 | grep 'Version\\Explorer'} '' )
			virus=yes
		if (! ~ `{unzip -cs < $D/2/body | rot13 | tcs -f microsoft | grep 'RCPT TO:.*MAIL.*HELO'} '' )
			virus=yes
	}
	# empty status means a pattern matched
	if(~ $virus yes)
		status=''
	if not
		status='not this virus'
}