On Tuesday 09 March 2004 10:42 am, James Stevens wrote:
AFAIK the (first versions of the?) Worm.Bagle.F-zippwd signature matched the raw mail text, but contained additional segments matching parts of the MIME header to prevent false positives.
It may not be the "correct" solution, but could we make a sig based on the body of the e-mail these encrypted viruses come attached to, instead of the virus itself.
I still think a good solution (until the virus writers change their technique) is to attempt decryption of the zip file using each word in the body of the mail as a potential key. It doesn't consume anything like as much in the way of resources as a brute force attack (which I have previously seen proposed), and it means we can examine the raw body of the zip file for positive identification of the contents.
Antony.
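Antony's proposal above, as an added example that is not code from this thread or from ClamAV: every word of the mail body is tried as the ZipCrypto password of the attached archive, so the plaintext can then be handed to a normal scanner. It assumes the caller has already split the mail into its text body and the zip attachment; the body text, password, file name and the archive itself are constructed here (the small archive builder exists only so the example runs offline without a real sample).

```python
import io, re, struct, zipfile, zlib

def _crc_step(crc, byte):
    # One table step of CRC-32 (as ZipCrypto uses it), recovered from zlib by undoing its pre/post inversion.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(plain, pwd):
    """Traditional PKWARE ZipCrypto; used here only to build the constructed test archive."""
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(c):
        k[0] = _crc_step(k[0], c)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)
    for c in pwd: update(c)
    out = bytearray()
    for p in plain:
        t = (k[2] | 2) & 0xFFFF
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)

def build_encrypted_zip(name, data, pwd):
    """One stored, ZipCrypto-protected entry; the 12-byte encryption header ends in the CRC high byte."""
    crc, nm = zlib.crc32(data), name.encode()
    enc = zipcrypto_encrypt(bytes(11) + bytes([crc >> 24]) + data, pwd)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0, crc, len(enc), len(data), len(nm), 0) + nm
    cd = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0, crc, len(enc), len(data), len(nm), 0, 0, 0, 0, 0, 0) + nm
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(cd), len(local) + len(enc), 0)
    return local + enc + cd + end

def candidate_passwords(body):
    """Each whitespace-delimited token of the mail body, raw and with surrounding punctuation trimmed."""
    seen = []
    for tok in re.findall(r"\S+", body):
        for cand in (tok, tok.strip(".,;:!?'\"()[]<>")):
            if cand and cand not in seen: seen.append(cand)
    return seen

def unlock_with_body_words(zip_bytes, body):
    """Try every body word as the password; return (word, {member: plaintext}) or None if none fits."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    for cand in candidate_passwords(body):
        try:  # a wrong password fails the header check byte or, about 1 time in 256, the CRC instead
            return cand, {n: zf.read(n, pwd=cand.encode()) for n in zf.namelist()}
        except (RuntimeError, zipfile.BadZipFile):
            continue
    return None

# Constructed sample in the style the thread describes (not a real worm mail or payload).
SAMPLE_BODY = "For security reasons the attached file is password protected.\nThe password is 35281.\nRegards."
SAMPLE_ZIP = build_encrypted_zip("document.txt", b"constructed attachment body\n", b"35281")
```

Each word costs one 12-byte header check rather than a decompression, which is why this stays far cheaper than brute force; the returned plaintext is what a signature scan would then run over.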
This was the trigger for amavisd-new to hand off the _complete_ mail to virus scanners, since the signature does not match only the mail's text portion. Again, the result of having a sig that only matches the virus' text portion would not have been accurate.
Thomas
