On Tue, 2 Mar 2004 04:14:52 -0800 (PST) [EMAIL PROTECTED] exclaimed:

> 
> > Worm.Bagle.H found in unzipped file. It's impossible
> > to create signature of encrypted zip file.
> 
> This new infection method is likely to drive us nuts.  This is the
> password-less workaround I've come up with and your input is appreciated.
>  
> The unix unzip output looks like so:
> 
>    $ uvscan -lv virus.zip  
>    Archive:  TextDocument.zip
>     Length   Method    Size  Ratio   Date   Time   CRC-32    Name
>    --------  ------  ------- -----   ----   ----   ------    ----
>       21150  Stored    21150   0%  03-01-04 19:33  7ac0095f  hifrm.scr
>    --------          -------  ---                            -------
>       21150            21150   0%                            1 file
> 
> Fortunately we can get the file crc w/o actually extracting the file.  
> Can zip file crc's count as sigs?  A quick/crude perl hack to test for
> this at the MTA seems to work pretty well:
> 
>       # Fork; the child execs unzip with its stdout piped back to us
>       # through the UNZIP handle ("-|" open).
>       my $pid = open(UNZIP, "-|");
>       die "fork failed: $!" unless defined $pid;
>       if (!$pid)
>       {
>         exec("/usr/bin/unzip", '-lv', $file)
>           or die "exec /usr/bin/unzip failed: $!";
>       }
>       while (<UNZIP>)
>       {
>         # CRC-32 column of the listing; word boundaries keep the
>         # pattern from matching inside a longer hex string or a name.
>         if (/\b7ac0095f\b/i)
>         {
>           close(UNZIP);
>           print "Found the w32nsc/Bagle.H-zip virus !!!\n";
>           found_virus();   # hook defined elsewhere in the poster's script
>           last;
>         }
>       }
>       close(UNZIP);
> 
> 
> Suggestions?  There are really easy ways for the virus writer to 
> circumvent this type of check but until they start utilizing such 
> strategies, is it possible to include the zip's crc into ClamAV's sigs?
> 
>


Except that I have 3 files, all ID'd the same when unzipped.  But they have
different CRCs.  They all show as stored, though....


Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
   21816  Stored    21816   0%  03-03-04 18:03  b036a836  xooas.exe
--------          -------  ---                            -------
   21816            21816   0%                            1 file

~/virus/encrypted$ clamscan xooas.exe
xooas.exe: Worm.Bagle.Gen-2 FOUND

 Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
   21512  Stored    21512   0%  03-02-04 15:40  5399d9c7  ruqxq.scr
--------          -------  ---                            -------
   21512            21512   0%                            1 file

~/virus/encrypted$ clamscan ruqxq.scr
ruqxq.scr: Worm.Bagle.Gen-2 FOUND

 Length   Method    Size  Ratio   Date   Time   CRC-32    Name
--------  ------  ------- -----   ----   ----   ------    ----
   21378  Stored    21378   0%  03-03-04 16:31  331840c6  ludkesb.exe
--------          -------  ---                            -------
   21378            21378   0%                            1 file


~/virus/encrypted$ clamscan ludkesb.exe
ludkesb.exe: Worm.Bagle.Gen-2 FOUND


Shawn
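Added example, not part of this thread and not ClamAV code: a small Python script that reads the zip central directory itself instead of shelling out to unzip, pulls each member's CRC-32, method and encryption flag, and checks the CRC against the four values quoted above (hifrm.scr, xooas.exe, ruqxq.scr, ludkesb.exe). The central directory is never encrypted, so the plaintext CRC is readable without the password, which is the whole trick being discussed. The two archives it scans are constructed inline from made-up byte strings standing in for two builds of the worm (no real samples here); it then shows Shawn's point, that a CRC hit on one build says nothing about the next one.

```python
import struct
import zlib

# CRC-32 values quoted in this thread, as printed by "unzip -lv".
KNOWN_CRCS = {
    0x7AC0095F,  # hifrm.scr
    0xB036A836,  # xooas.exe
    0x5399D9C7,  # ruqxq.scr
    0x331840C6,  # ludkesb.exe
}

LOCAL_SIG = b"PK\x03\x04"
CDIR_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001


def crc32_of(data: bytes) -> int:
    """Plaintext CRC-32 as an unsigned 32-bit value (what archivers store)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Construct a one-member ZIP_STORED archive (constructed test data).

    With encrypted=True the traditional PKWARE encryption flag is set and the
    member body becomes a 12-byte encryption header plus scrambled bytes, the
    way a real archiver lays it out. The CRC-32 written into both headers is
    still the CRC of the *plaintext*; that is what makes it readable without
    the password.
    """
    crc = crc32_of(data)
    flags = FLAG_ENCRYPTED if encrypted else 0
    body = (b"\x00" * 12 + bytes(b ^ 0x5A for b in data)) if encrypted else data
    # local header: need, flags, method, time, date, crc, csize, usize, nlen, xlen
    local = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0,
                                    crc, len(body), len(data), len(name), 0) + name
    # central header: made_by, need, flags, method, time, date, crc, csize,
    #                 usize, nlen, xlen, clen, disk, int_attr, ext_attr, local_off
    cdir = CDIR_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0,
                                  crc, len(body), len(data), len(name),
                                  0, 0, 0, 0, 0, 0) + name
    # end of central directory: disk, cd_disk, n_disk, n_total, cd_size, cd_off, clen
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cdir),
                                  len(local) + len(body), 0)
    return local + body + cdir + eocd


def list_entries(archive: bytes):
    """Yield one dict per member by walking the central directory.

    The central directory is read rather than the local headers because it is
    never encrypted and, unlike a local header written with the data-descriptor
    flag, always carries the real CRC-32.
    """
    eocd_off = archive.rfind(EOCD_SIG)
    if eocd_off < 0:
        raise ValueError("no end-of-central-directory record")
    (_disk, _cd_disk, _n_disk, n_total, _cd_size, cd_off,
     _clen) = struct.unpack("<HHHHIIH", archive[eocd_off + 4:eocd_off + 22])
    pos = cd_off
    for _ in range(n_total):
        if archive[pos:pos + 4] != CDIR_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        (_made_by, _need, flags, method, _time, _date, crc, _csize, usize,
         nlen, xlen, clen, _dsk, _iattr, _eattr,
         _lho) = struct.unpack("<HHHHHHIIIHHHHHII", archive[pos + 4:pos + 46])
        name = archive[pos + 46:pos + 46 + nlen].decode("cp437", "replace")
        yield {"name": name, "method": method, "size": usize,
               "encrypted": bool(flags & FLAG_ENCRYPTED), "crc": crc}
        pos += 46 + nlen + xlen + clen


def scan(archive: bytes, watch_list=KNOWN_CRCS):
    """Return the members whose plaintext CRC-32 is on the watch list."""
    return [e for e in list_entries(archive) if e["crc"] in watch_list]


# Constructed stand-ins for two builds of the same worm (not real samples):
# different bytes, but the kind of thing a content scanner flags identically
# once extracted, as in Shawn's three files above.
SAMPLE_A = b"MZ" + b"build-one-of-the-worm" * 40
SAMPLE_B = b"MZ" + b"build-two-of-the-worm" * 40
ARCHIVE_A = build_zip(b"hifrm.scr", SAMPLE_A, encrypted=True)
ARCHIVE_B = build_zip(b"xooas.exe", SAMPLE_B, encrypted=True)

# Pretend build A is the one already captured and added to the list.
WATCH = KNOWN_CRCS | {crc32_of(SAMPLE_A)}

if __name__ == "__main__":
    for label, arc in (("A", ARCHIVE_A), ("B", ARCHIVE_B)):
        for e in list_entries(arc):
            print(label, e["name"], "Stored" if e["method"] == 0 else e["method"],
                  "encrypted" if e["encrypted"] else "plain", "%08x" % e["crc"])
        print(label, "hits:", [e["name"] for e in scan(arc, WATCH)])
```

Run as-is it lists both archives and reports a hit on A and none on B: the CRC is a fingerprint of one exact byte string, so every re-build (or a single flipped byte) of the worm walks past the list, while a real zip with the encryption bit set on a stored .exe/.scr member is still visible structurally through the same parser.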


_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
