Because of my silliness earlier on, I've been scouring the net in hopes I could find something that might help catch the new nasties inside the zip files.
Don't know if this is of any help but here it is anyways.
Regards,
Rick
FYI - this is from the NANOG list. It may help some with creating filters for the bagle beasties.
----- Forwarded message from "Jeffrey I. Schiller" -----
Date: Wed, 3 Mar 2004 16:12:55 -0500
From: "Jeffrey I. Schiller"
Subject: Re: dealing with w32/bagle
Turns out that the ZIP file format that all of these beasties are using is a little bit non-standard. Specifically they are all version 1.0 zip archives and the first (and only) component is not compressed.
At MIT we are matching these two strings to recognize the infected ZIP files while letting most (actually I have seen no false positives) if not all "real" ZIP files through. We are matching them anywhere within an attachment (well, within the first 16K). However you really only need to see if they are the beginning characters (this is a ZIP file header).
What follows are the base64 encoded strings. I have put an asterisk between the first and second character, so my own filters won't reject this message, do remove that before using...
U*EsDBAoAAAAAA <= Matches unencrypted ZIP file
U*EsDBAoAAQAAA <= Matches encrypted version.
-Jeff
----- End forwarded message -----
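The following is an added example, not code from Rick, Jeff, or MIT's mail filter: it decodes the two base64 prefixes above (asterisk removed) back into ZIP local-file-header fields, so you can see exactly what they pin down (signature "PK\x03\x04", version needed 1.0, flag word 0x0000 or 0x0001, compression method 0 = stored), and it shows the same check done on raw attachment bytes and on the still-encoded base64 text as the filter sees it. The ZIP headers it tests against are constructed inline; they are not real worm attachments.

```python
import base64
import struct
import zlib

# The two base64 prefixes from the forwarded message, asterisk removed.
# Each is 13 characters: 12 decode to 9 whole bytes, the 13th pins the
# top six bits of byte 10 (high byte of the compression method) to zero.
BAGLE_PREFIXES = {
    "UEsDBAoAAAAAA": "unencrypted",
    "UEsDBAoAAQAAA": "encrypted",
}

LOCAL_HEADER_SIG = b"PK\x03\x04"


def decode_prefix_fields(prefix):
    """Decode the whole-byte part of a base64 prefix into ZIP local-header
    fields: signature, version needed to extract, general-purpose flags.
    The compression method survives only as its low byte."""
    whole = prefix[: len(prefix) // 4 * 4]          # drop the dangling 13th char
    raw = base64.b64decode(whole)
    sig, version, flags, method_lo = struct.unpack("<4sHHB", raw[:9])
    return {"signature": sig, "version": version,
            "flags": flags, "method_lo": method_lo}


def classify_zip_header(data):
    """Classify raw attachment bytes by their first local file header.
    Returns 'unencrypted', 'encrypted', or None when the header does not
    have the shape described above (version 1.0, first entry stored)."""
    if len(data) < 10 or data[:4] != LOCAL_HEADER_SIG:
        return None
    version, flags, method = struct.unpack("<HHH", data[4:10])
    if version != 10 or method != 0:                 # 10 = "1.0", 0 = stored
        return None
    if flags == 0:
        return "unencrypted"
    if flags == 1:                                   # bit 0 = traditional PKZIP encryption
        return "encrypted"
    return None


def scan_base64_body(text, limit=16 * 1024):
    """The mail-filter view: look for either prefix anywhere in the first
    16K of the attachment while it is still base64 text."""
    window = text[:limit]
    for prefix, label in BAGLE_PREFIXES.items():
        if prefix in window:
            return label
    return None


def as_mail_attachment(data):
    """Base64-encode raw bytes the way a MIME body would carry them."""
    return base64.b64encode(data).decode("ascii")


def build_local_header(name, payload, version, flags, method):
    """Constructed sample: one ZIP local file header followed by entry data.
    The payload is never actually compressed; only the header matters here."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    header = struct.pack(
        "<4sHHHHHIIIHH",
        LOCAL_HEADER_SIG, version, flags, method,
        0, 0,                        # DOS mod time / date
        crc, len(payload), len(payload),
        len(name), 0,                # name length, extra-field length
    )
    return header + name + payload


# Constructed samples (hypothetical names and contents), not real attachments.
BAGLE_LIKE = build_local_header(b"x.exe", b"MZ" + b"\x00" * 30, 10, 0, 0)
BAGLE_LIKE_ENC = build_local_header(b"x.exe", b"MZ" + b"\x00" * 30, 10, 1, 0)
ORDINARY_ZIP = build_local_header(b"readme.txt", b"hello", 20, 0, 8)  # version 2.0, deflated
```

Two caveats worth keeping in mind when turning this into a filter rule. First, a base64 string is position dependent: "UEsDBAoA" only appears in the encoded text when the "PK\x03\x04" header sits at an offset that is a multiple of 3 bytes into the attachment, which in practice means offset 0, so checking the first characters of the encoded body (as Jeff suggests) is both cheaper and the only reliable form of the match. Second, the prefixes encode a combination of header fields (version 1.0, stored, flag word 0 or 1) rather than anything specific to the worm, so a legitimately created ZIP with the same fields will match; the low false-positive rate reported above reflects how rarely ordinary tools write that combination, not a guarantee.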
Clamav-users mailing list: https://lists.sourceforge.net/lists/listinfo/clamav-users