Fetishes

Matt Kettler mkettler at EVI-INC.COM
Tue Aug 3 16:15:31 IST 2004


<x-flowed>
At 08:09 AM 8/3/2004, Mariano Absatz wrote:
>Probably it's a badly programmed virus that isn't able to propagate :-)

That is likely correct. I did get a complete copy of the zipfile and looked
at it in a hex editor. It should be harmless unless its malformed nature
causes some decompressor to crash.

It starts off with what looks like a pkzip header, but then after the first
26 bytes it shifts to being nothing but 0x20 (ASCII space). The spaces go
on for the rest of the file (866 bytes of spaces).

The zip header looks to be more-or-less of the correct format, and 26 bytes
is the correct length for the header, but several fields are mangled,
containing 0's when that's clearly not valid (i.e., the CRC32 field).

An interpretation of the header:
         File signature: 0x04034b50  (correct signature for the zip format)
         Minimum version to extract: 0
         flags: 0
         Compression method: 0, stored (no compression)
         Modified date/time: 0x0000/0x0000  = midnight, January 1, 1980.
         CRC32: 0x00000000  (odd)
         Compressed size: 0    (odd)
         uncompressed size: 886 (matches the "data" length)
         filename length: 0  (odd, but consistent with where the data starts)

</x-flowed>
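The header check described in the message above can be automated. The following is an added example, not part of the original post or of MailScanner: it parses the fixed 30-byte local file header defined in the ZIP specification and reports the kinds of inconsistencies the message lists. The names `parse_lfh`, `anomalies` and `SAMPLE` are hypothetical, and the sample bytes are constructed from the field values in the post, not taken from the actual file.

```python
import struct
import zlib

# Fixed 30-byte part of a ZIP local file header (PKWARE APPNOTE 4.3.7), little-endian.
LFH = struct.Struct("<IHHHHHIIIHH")
FIELDS = ("sig", "version", "flags", "method", "mtime", "mdate",
          "crc32", "csize", "usize", "name_len", "extra_len")
LFH_SIG = 0x04034B50
EOCD_MAGIC = b"PK\x05\x06"  # end-of-central-directory record signature

def parse_lfh(data):
    """Return the fixed header fields as a dict, or None if data does not start with one."""
    if len(data) < LFH.size:
        return None
    hdr = dict(zip(FIELDS, LFH.unpack_from(data)))
    return hdr if hdr["sig"] == LFH_SIG else None

def anomalies(data):
    """List the reasons a scanner could treat this archive's first member as malformed."""
    hdr = parse_lfh(data)
    if hdr is None:
        return ["no local file header"]
    found = []
    start = LFH.size + hdr["name_len"] + hdr["extra_len"]
    # Bit 3 set means CRC and sizes live in a trailing data descriptor, so zeros are legal.
    streamed = bool(hdr["flags"] & 0x0008)
    if hdr["version"] == 0:
        found.append("version needed to extract is 0")
    if hdr["name_len"] == 0:
        found.append("empty file name")
    if hdr["method"] == 0 and not streamed:
        if hdr["csize"] != hdr["usize"]:
            found.append("stored member: compressed size != uncompressed size")
        payload = data[start:start + hdr["usize"]]
        if zlib.crc32(payload) != hdr["crc32"]:
            found.append("stored member: CRC32 does not match data")
    if EOCD_MAGIC not in data[start:]:
        found.append("no end-of-central-directory record")
    return found

# Constructed sample modelled on the header values listed in the post:
# every field zero except the signature and an uncompressed size of 886,
# followed by 886 ASCII spaces. The zero extra-field length is an assumption.
SAMPLE = LFH.pack(LFH_SIG, 0, 0, 0, 0, 0, 0, 0, 886, 0, 0) + b" " * 886

if __name__ == "__main__":
    for reason in anomalies(SAMPLE):
        print("anomaly:", reason)
```

A well-formed stored archive produces an empty list; ZIP64 size fields are not handled in this example.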