Re: Body checks for Bagle virus not working
From: Alex van den Bogaerdt (alex ergens.op.het.net)
Date: Fri Mar 05 2004 - 05:25:56 CST
On Fri, Mar 05, 2004 at 06:01:44AM -0500, WC -Sx- Jones wrote:
> >>>>/^UEsDBAoAAAAAA/ DISCARD VIRUS (w32/bagle)
> >>>>/^UEsDBAoAAQAAA/ DISCARD VIRUS (w32/bagle encrypted)
> >>>
>
>
> This is the check I use which works:
>
> /^UEsDBAoAAQAAA.+/ DISCARD Bagels not wanted here
>
> However, am I to assume that the Zipped form of a Base64 text encoding
> will be a simple two character difference?
Two?
> AAA Base64 versus
> AAQ encrypted? Zipped? Base64 ?
AAAA normal zip
AQAA encrypted zip
That's just one bit difference.
The ZIP header differs. Of course, the rest of the file also differs.
With UEsDBAoAA[AQ]AAA you should be able to match both.
Warning, there is a chance you also match other kinds of zipfiles. Perhaps
using HOLD is better; that gives you a chance to scan for false positives.
HTH
Alex
--
begin sig
http://www.googlism.com/index.htm?ism=alex+van+den+bogaerdt&type=1
This message was produced without any <iframe tags
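A worked check of what this reply says about the two patterns, added here as an example and not code from the original message or its authors. It builds ZIP local file headers by hand (constructed test data; the "version needed" value of 1.0 and the stored compression method are assumptions, matching what PKZIP-style tools write for uncompressed entries), base64-encodes them the way a MIME attachment body appears to body_checks (assumed to be Postfix, given the DISCARD/HOLD actions), and shows three things: the plain/encrypted difference is bit 0 of the general-purpose flag word, the combined `UEsDBAoAA[AQ]AAA` class matches both forms, and any other stored, unencrypted archive with the same header prefix matches as well, which is the false-positive risk the reply warns about. The rule table is a hypothetical reconstruction of the two quoted body_checks lines.

```python
import base64
import re
import struct

# Combined pattern proposed in the reply; the two quoted rules are the
# [A] and [Q] branches of this character class.
BAGLE_RE = re.compile(r"^UEsDBAoAA[AQ]AAA")

# Hypothetical reconstruction of the two body_checks lines quoted in the thread.
RULES = [
    (re.compile(r"^UEsDBAoAAAAAA"), "DISCARD VIRUS (w32/bagle)"),
    (re.compile(r"^UEsDBAoAAQAAA"), "DISCARD VIRUS (w32/bagle encrypted)"),
]


def local_file_header(encrypted, name=b"x.exe", version=10, method=0):
    """Build a ZIP local file header (PKZIP APPNOTE 'local file header').

    Constructed test data: CRC, sizes and timestamps are zero, which is enough
    for the base64 prefix that the body_checks patterns look at.  version=10
    (1.0) and method=0 (stored) are assumptions about how the archive was written.
    """
    flags = 0x0001 if encrypted else 0x0000  # bit 0 = traditional PKWARE encryption
    header = struct.pack(
        "<4sHHHHHIIIHH",
        b"PK\x03\x04",  # local file header signature
        version,        # version needed to extract (10 = 1.0)
        flags,          # general purpose bit flag
        method,         # compression method (0 = stored, 8 = deflate)
        0, 0,           # last mod time, last mod date
        0, 0, 0,        # crc32, compressed size, uncompressed size
        len(name), 0,   # file name length, extra field length
    )
    return header + name


def first_base64_line(data, width=76):
    """First line of a base64 attachment body, as body_checks sees it."""
    return base64.b64encode(data).decode("ascii")[:width]


def decode_prefix(line):
    """Decode the first 12 base64 chars (9 bytes) back into header fields,
    so the 'one bit difference' is visible as a number rather than a letter."""
    raw = base64.b64decode(line[:12])
    sig, version, flags = struct.unpack("<4sHH", raw[:8])
    return {
        "signature": sig,
        "version_needed": version,
        "flags": flags,
        "encrypted": bool(flags & 0x0001),
    }


def apply_rules(line):
    """Return the action of the first matching rule, or 'OK' if none match."""
    for pattern, action in RULES:
        if pattern.match(line):
            return action
    return "OK"


if __name__ == "__main__":
    plain = first_base64_line(local_file_header(encrypted=False))
    crypt = first_base64_line(local_file_header(encrypted=True))
    deflated = first_base64_line(local_file_header(encrypted=False, method=8))
    for label, line in (("plain", plain), ("encrypted", crypt), ("deflate", deflated)):
        print(label, line[:16], decode_prefix(line)["flags"],
              bool(BAGLE_RE.match(line)), apply_rules(line))
```

Running it shows the plain and encrypted headers differing only in `flags` (0 versus 1, a single bit), both caught by the combined class and by their respective DISCARD rules, while a deflated archive (method 8) is not matched by either. The third case is the caveat in reverse: the patterns key on "stored, version 1.0" rather than on anything Bagle-specific, so a harmless uncompressed archive produces the same `UEsDBAoAAAAAA` prefix, which is why HOLD with a manual look is the safer action.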