On Tue, 09 Dec 2003 13:03:10 +0100 Thomas Lamy <[EMAIL PROTECTED]> wrote:
> Decoding the VBA stream is a first step (perhaps we can build
> signatures for the PCode stream and issue at least a warning if
> malicious operations are detected).
> But the better solution is:
>
> - VBA Engine
> After we can extract the VBA stuff from the OLE2 container, we need a
> VBA emulator which evaluates the various code paths normally executed
> when a document is opened.
It will be very hard to distinguish between clean and destructive
macros. It will be much better to use standard signatures. Of course,
the biggest problem is to decode the VBA stream (and there are three
methods of VBA compression in OLE2 files); unfortunately, I still have no
answer from the OO developers responsible for msvbasic.cxx.
Best regards,
Tomasz Kojm
--
oo ..... [EMAIL PROTECTED] www.ClamAV.net
(\/)\......... http://www.clamav.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Tue Dec 9 13:11:00 CET 2003
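As an added example (not ClamAV code, and not written by either poster) of the two pieces discussed above, decoding the VBA stream and then running signatures over the result: the code below decompresses the "compressed container" VBA stream format that Microsoft later documented as MS-OVBA (a 0x01 signature byte followed by chunks of up to 4096 decompressed bytes built from literal and copy tokens), includes a small greedy compressor so the decoder can be exercised on round trips and hand-built test vectors, and applies a handful of plain string signatures (auto-executing entry points and capability keywords) to the decoded source. Which of the three compression methods mentioned in the mail this corresponds to is an assumption; the sample macro text is constructed, and the signature list is illustrative rather than a real ruleset. The decoder treats the stream as untrusted input and rejects copy tokens that would read before the chunk start or past the buffer.

```python
"""Added example, not ClamAV's code: decode an MS-OVBA compressed VBA
stream (assumed to be one of the "three methods" from the mail) and run
simple signatures over the recovered source."""
import re
import struct

CHUNK = 4096  # decompressed bytes per chunk


def _token_layout(difference):
    """Copy-token bit split depends on how far into the decompressed chunk
    we are: offset gets ceil(log2(difference)) bits (minimum 4), the rest
    of the 16-bit token holds length - 3."""
    bit_count = max((difference - 1).bit_length(), 4)
    length_mask = 0xFFFF >> bit_count
    return bit_count, length_mask, 0xFFFF & ~length_mask


def _u16(buf, pos, limit):
    """Little-endian u16 at pos, refusing to read past limit."""
    if pos + 2 > limit:
        raise ValueError("truncated field at offset %d" % pos)
    return struct.unpack_from("<H", buf, pos)[0]


def decompress(container):
    """Decompress a container; raises ValueError on malformed input."""
    if not container or container[0] != 0x01:
        raise ValueError("missing container signature byte")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = _u16(container, pos, len(container))
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = min(len(container), pos + (header & 0x0FFF) + 3)
        compressed, pos = header >> 15, pos + 2
        chunk_start = len(out)  # copy tokens may not reach before this
        if not compressed:      # raw chunk: 4096 literal bytes
            out += container[pos:pos + CHUNK]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:  # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token, pos = _u16(container, pos, chunk_end), pos + 2
                difference = len(out) - chunk_start
                if difference == 0:
                    raise ValueError("copy token with nothing to copy")
                bit_count, length_mask, offset_mask = _token_layout(difference)
                length = (token & length_mask) + 3
                offset = ((token & offset_mask) >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_start:
                    raise ValueError("copy token reaches outside the chunk")
                for i in range(length):  # byte-wise: copies may overlap
                    out.append(out[src + i])
    return bytes(out)


def compress(data):
    """Greedy compressor with a naive matcher, enough for round trips and
    test vectors; an incompressible chunk is stored raw (zero padded)."""
    out = bytearray(b"\x01")
    for start in range(0, len(data), CHUNK):
        chunk, body, pos = data[start:start + CHUNK], bytearray(), 0
        while pos < len(chunk):
            flags, tokens = 0, bytearray()
            for bit in range(8):
                if pos >= len(chunk):
                    break
                best_len = best_off = 0
                if pos:  # nothing to copy from at the chunk start
                    bit_count, length_mask, _ = _token_layout(pos)
                    max_len = length_mask + 3
                    for off in range(1, min(pos, 1 << bit_count) + 1):
                        n = 0
                        while (n < max_len and pos + n < len(chunk)
                               and chunk[pos + n] == chunk[pos - off + n]):
                            n += 1
                        if n > best_len:
                            best_len, best_off = n, off
                        if best_len == max_len:
                            break
                if best_len >= 3:
                    token = ((best_off - 1) << (16 - bit_count)) | (best_len - 3)
                    tokens += struct.pack("<H", token)
                    flags |= 1 << bit
                    pos += best_len
                else:
                    tokens.append(chunk[pos])
                    pos += 1
            body.append(flags)
            body += tokens
        if len(body) > CHUNK:
            out += struct.pack("<H", 0x3FFF) + chunk.ljust(CHUNK, b"\0")
        else:
            out += struct.pack("<H", 0xB000 | (len(body) - 1)) + body
    return bytes(out)


# Illustrative signatures of the kind the mail prefers over emulation:
# auto-executing entry points plus a couple of capability keywords.
SIGNATURES = re.compile(
    rb"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Workbook_Open|"
    rb"Shell|CreateObject)\b", re.IGNORECASE)


def scan_source(source):
    """Return the sorted, de-duplicated signature names hit in VBA source."""
    return sorted({m.group(1).decode("latin-1") for m in SIGNATURES.finditer(source)})


# Constructed sample macro text, not taken from any real document.
SAMPLE = (b'Attribute VB_Name = "ThisDocument"\r\n'
          b'Sub AutoOpen()\r\n    MsgBox "constructed sample"\r\nEnd Sub\r\n'
          b"Sub Document_Open()\r\n    AutoOpen\r\nEnd Sub\r\n")
```

Usage: `scan_source(decompress(blob))` on a VBA module stream pulled out of the OLE2 container gives the list of matched names; `compress(SAMPLE)` produces a container to feed back through `decompress` for testing. The hand-built vector `b"\x01\x05\xb0\x08abc\x06\x20"` (one compressed chunk: three literals, then a copy token with offset 3 and length 9) decodes to `abcabcabcabc` and is also exactly what `compress` emits for that input. Note that the decoder's bounds checks are where a scanner must be strict: a forged copy token is the obvious way to push a naive decompressor out of its buffer, so reject it rather than clamp it.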
