No subject

Garry Glendown garry at GLENDOWN.DE
Wed Mar 3 19:38:47 GMT 2004

Mike McMullen wrote:
> Could a signature or checksum be calculated that was within a certain error
> bounds that said it was the virus zip?
> I understand that extra random length files could be added to throw off a
> checksum but at some point in the bitstream wouldn't there be a recognizable
> pattern?

Apart from the unencrypted part (which, as I understand, consists only
of the filename, length, and checksum) I don't think there are any ways
to identify a virus - after all, if you could it would defeat the reason
(or quality) of an encryption. Of those listed above, the checksum will
most likely be based on the encrypted data, which means it will be
different for every key used. Also, the lenght (if not for this virus)
might be different for every mail if the virus writer should decide to
modify the amount of data written. So, just about anything left is the
filename, which again only depends on the creativity of the programmer ...

The only other possibility would be to find the password in the
accompanying message and decrypt the zip using it ... (for encrypted
zips, the scanner could use every string found in the message and try to
decode with it ... that would work for any virus message, as the virus
only makes sense if it is sent together with the password ...)


More information about the MailScanner mailing list