On Wednesday 03 March 2004 21:36, Michael L Torrie wrote:
> I have made a rudimentary patch (clean patch) against clamav 0.67 to
> mark all zip files containing password-protected (and hence unscannable)
> files as a virus type "SuspectEncrypted.Zip." This way I can simply
> quarantine all such passworded zip files, along with normal viruses. I
> know of no other way for clamav to catch this virus currently. (In fact
> it didn't even catch one of them using fingerprinters.)
According to nanog, Bagle uses an uncommon zip format (zip 1, no compression, encryption), which is detectable with this pattern at the beginning of the file:

504b03040a00010000

Unfortunately this might be a bit short for a signature.

However, I had a different idea: current Bagle uses a password that is in the range of '10000' - '99999'. A regular zipcrack takes about 0.01s to find the right password here. Given such a weak password, how about we simply try to brute force it and then scan the zip file as usual? 0.01s doesn't sound like much overhead to me.

Dirk
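As an added illustration of the two detection routes discussed in this thread (example code, not from the thread or from ClamAV): a small Python parser that walks a zip's local file headers and names the archive the way Michael's patch does when any entry is encrypted, next to a check for the 9-byte nanog prefix Dirk quotes. Both sample archives and their entry names are constructed in the code; the encrypted one uses zero filler in place of real ciphertext.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"          # 30-byte local file header, little-endian
LOCAL_LEN = struct.calcsize(LOCAL_FMT)
FLAG_ENCRYPTED = 0x0001              # general-purpose bit 0: traditional PKWARE encryption
FLAG_DATA_DESCRIPTOR = 0x0008        # sizes follow the data instead of sitting in the header
# The nanog pattern quoted in the thread: header sig, version 1.0, encrypted, stored.
BAGLE_PREFIX = bytes.fromhex("504b03040a00010000")

def local_entries(data):
    """Walk the local file headers of a zip; return (name, version, flags, method) per entry."""
    entries, off = [], 0
    while data[off:off + 4] == LOCAL_SIG:
        (_, version, flags, method, _, _, _, csize, _, name_len,
         extra_len) = struct.unpack_from(LOCAL_FMT, data, off)
        start = off + LOCAL_LEN
        entries.append((data[start:start + name_len].decode("latin-1"), version, flags, method))
        if flags & FLAG_DATA_DESCRIPTOR:
            break  # csize may be 0 here; skipping the body would need the central directory
        off = start + name_len + extra_len + csize
    return entries

def classify(data):
    """Name the archive as the patch does when any entry is encrypted, i.e. unscannable."""
    if any(flags & FLAG_ENCRYPTED for _, _, flags, _ in local_entries(data)):
        return "SuspectEncrypted.Zip"
    return None

def matches_bagle_prefix(data):
    """The 9-byte nanog pattern: cheap, but only the exact version/flags/method combination hits."""
    return data.startswith(BAGLE_PREFIX)

def build_encrypted_stored_zip(name, payload_len):
    """Constructed sample: one stored, encrypted entry. The body is zero filler standing in
    for the 12-byte encryption header plus ciphertext; it is not real encrypted data."""
    body = b"\x00" * (12 + payload_len)
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 10, FLAG_ENCRYPTED, 0, 0, 0, 0,
                      len(body), payload_len, len(name), 0)
    return hdr + name.encode() + body

def build_plain_zip(name, content):
    """Constructed sample: an ordinary unencrypted stored archive written by the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()
```

Feed `classify()` the raw bytes of a file to see which route fires: the flag walk catches encrypted entries under any compression method, while the prefix check misses an encrypted entry as soon as the writer uses a different version or method.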