RE: [squid-users] Nimda and url_regex - Doesn't Work?

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Fri, 28 Sep 2001 15:30:37 +0200

The .htm is not infected per se. It contains javascript
which references the infecting .eml.

Your regexp is bogus though.
You should use

\.eml$

instead.

Notice that the infecting eml files might have different names, not
only readme.eml.

> -----Original Message-----
> From: john@hytronix.com [mailto:john@hytronix.com]
> Sent: Friday, September 28, 2001 3:13 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Nimda and url_regex - Doesn't Work?
>
>
> Hi All,
>
> I have the following in my squid.conf:
>
> acl worms url_regex "/usr/local/squid/etc/worm-regex"
>
> http_access deny worms
>
> ...and in /usr/local/squid/etc/worm-regex:
>
> .*readme.eml*
>
> If I try to access a "dummy" readme.eml file I placed in my
> own web server,
> I get the "denied" page from squid as expected.
>
> If I access an infected website, the virus is able to drop an
> infected .htm
> file into my web cache.
>
> Squid's log shows only a TCP_DENIED entry, never a success.
>
> Any Ideas?
>
> -John
> john@hytronix.com
>
>
Received on Fri Sep 28 2001 - 07:20:51 MDT
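
An added example, not part of the original messages: it runs the two patterns from the thread over constructed sample URLs to show what each one denies and what it lets through. Python's `re` stands in for Squid's regex matching (these two patterns behave the same under POSIX syntax); the URLs and the function names are assumptions made for the illustration.

```python
import re

# Patterns from the thread: the original worm-regex entry and the suggested one.
ORIGINAL = r".*readme.eml*"
SUGGESTED = r"\.eml$"

# Constructed sample URLs (example.com is a placeholder host), each labelled
# with whether the admin would want the request denied as an .eml download.
SAMPLES = [
    ("http://www.example.com/readme.eml", True),
    ("http://www.example.com/sample.eml", True),       # different file name
    ("http://www.example.com/README.EML", True),       # upper-case variant
    ("http://www.example.com/readme.eml?x=1", True),   # query string appended
    ("http://www.example.com/index.htm", False),       # page that references the .eml
    ("http://www.example.com/readme-email.html", False),
]

def denied(pattern, url, ignore_case=False):
    """Unanchored search over the whole URL, which is how url_regex matches.
    ignore_case models Squid's -i option on a regex ACL."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, url, flags) is not None

def evaluate(pattern, ignore_case=False):
    """Return (missed, overblocked) URL lists for one pattern."""
    missed, overblocked = [], []
    for url, should_block in SAMPLES:
        hit = denied(pattern, url, ignore_case)
        if should_block and not hit:
            missed.append(url)
        elif hit and not should_block:
            overblocked.append(url)
    return missed, overblocked

if __name__ == "__main__":
    cases = [("original", ORIGINAL, False),
             ("suggested", SUGGESTED, False),
             ("suggested with -i", SUGGESTED, True)]
    for label, pattern, ic in cases:
        missed, overblocked = evaluate(pattern, ic)
        print(f"{label}: missed={missed} overblocked={overblocked}")
```

Neither pattern matches the .htm page itself, which is consistent with the reply's point that the .htm only references the .eml.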
