Bagle Zip format (from nanog)
Rob Charles
rob at thehostmasters.com
Wed Mar 3 21:50:48 GMT 2004
So can someone help me out and show me how I would create this filter as to
catch a password encrypted zip file and not a regular zip file...
I am not to keen on filters...
thanks....
Rob Charles
TheHostMasters
Montreal, Canada
514-846-0006
Rob at TheHostMasters.com
http://www.TheHostMasters.com
----- Original Message -----
From: "Darrell" <dz at SIAMESERESCUE.ORG>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Wednesday, March 03, 2004 4:27 PM
Subject: Bagle Zip format (from nanog)
> Just in case this isn't common knowledge already.
>
> Z
>
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf
> Of Jeffrey I. Schiller
> Sent: Wednesday, March 03, 2004 4:13 PM
> To: Brian Wilson
> Cc: Dan Hollis; 'nanog at merit.edu'
> Subject: Re: dealing with w32/bagle
>
> Turns out that the ZIP file format that all of these beasties are
> using is a little bit non-standard. Specifically they are all version
> 1.0 zip archives and the first (and only) component is not
> compressed.
>
> At MIT we are matching these two strings to recognize the infected ZIP
> files while letting most (actually I have seen no false positives) if
> not all "real" ZIP files. We are matching them anywhere within an
> attachment (well, within the first 16K). However you really only need
> to see if they are the beginning characters (this is a ZIP file
> header).
>
> What follows are the base64 encoded strings. I have put an asterisk
> between the first and second character, so my own filters won't reject
> this message, do remove that before using...
>
> U*EsDBAoAAAAAA <= Matches unencrypted ZIP file
> U*EsDBAoAAQAAA <= Matches encrypted version.
>
> -Jeff
>
More information about the MailScanner
mailing list