Well, according to Trend Micro Tech details
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A&VSect=T
(not very detailed if you ask me),
the size of the virus is 137,216 bytes.
So, if we strip those bytes off the front of the file, presumably we would have
an uninfected file, right?
On Sun, Aug 19, 2001 at 09:43:40PM -0700, Neil Parker wrote:
> On Sun, 19 Aug 2001, Greg wrote:
> > How do you figure out how many bytes of an RPM is header?
>
> Slackware comes with a little program called "rpmoffset" that searches
> an RPM for the beginning of the gzip data, and prints the necessary
> offset.
>
> If you don't have rpmoffset, then you can make do with od:
>
> od -c filename.rpm | less
>
> This prints an ASCII-and-octal dump of the RPM file, which you can search
> for the gzip signature with less's search command:
>
> /037 213
>
> As long as the gzip signature doesn't straddle a line break (most of the
> time it won't), this should position the beginning of the gzip data at the
> top of the screen. Take the number in the left-hand column, and add the
> number of extra bytes between the left-hand column and the "037" byte.
> This gives you the file offset in octal.
>
> Perl can easily convert the number to decimal:
>
> perl -e 'print 0(number), "\n"'
>
> where "(number)" is the number you got from od. The leading 0 in the
> print command is to make sure Perl knows you're giving it an octal number.
>
> - Neil Parker, [EMAIL PROTECTED]
>
> P.S. The byte immediately following the "037 213" in od's output is
> almost always "\b". If your first search turns up something different
> after the "037 213", then you probably haven't found the true start of the
> gzip data. Repeat the search by pressing "n".
--
Christopher Maujean
IT Director
Premierelink Communications
www.premierelink.com
[EMAIL PROTECTED]
PLEASE encrypt all sensitive information using the following:
GnuPG: 0x5DE74D38
Fingerprint: 91D4 09FE 18D0 27C1 A857 0E45 F8A4 7858 5DE7 4D38
http://blackhole.pca.dfn.de:11371/pks/lookup?op=get&search=0x5DE74D38
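
The od-and-search procedure quoted above, as an added Python example that is not part of the original messages: it finds every "037 213 010" signature, so a match straddling an od line break is not missed, and confirms a candidate by trying to decompress it, which automates the check in the P.S. The function names and the sample bytes are constructed for illustration.

```python
import gzip
import zlib

# Octal 037 213 is the gzip magic; the next byte, 010 ("\b" in od -c), is the
# deflate method id that the P.S. uses to recognise a genuine match.
SIGNATURE = b"\x1f\x8b\x08"


def gzip_offsets(data):
    """Yield every decimal offset at which the 3-byte signature occurs."""
    pos = data.find(SIGNATURE)
    while pos != -1:
        yield pos
        pos = data.find(SIGNATURE, pos + 1)


def starts_gzip_stream(data, offset, probe=64):
    """Return True if zlib accepts the bytes at offset as a gzip stream."""
    d = zlib.decompressobj(wbits=31)  # 31 = require a gzip header
    try:
        out = d.decompress(data[offset:], probe)
    except zlib.error:
        return False
    # Some output, or a cleanly finished (empty) stream, counts as a match.
    return bool(out) or d.eof


def first_gzip_offset(data):
    """Offset of the first signature that really decompresses, or None."""
    for off in gzip_offsets(data):
        if starts_gzip_stream(data, off):
            return off
    return None


# Constructed sample: 96 filler bytes, a decoy signature with invalid flag
# bits, 24 more filler bytes, then a real gzip stream at offset 124.
PAYLOAD = b"constructed payload\n"
SAMPLE = (b"\x00" * 96 + SIGNATURE + b"\xff" + b"\x00" * 24
          + gzip.compress(PAYLOAD, mtime=0))

if __name__ == "__main__":
    off = first_gzip_offset(SAMPLE)
    print("candidates:", list(gzip_offsets(SAMPLE)))
    print("gzip data starts at", off, "(octal %o)" % off)
    print(gzip.decompress(SAMPLE[off:]))
```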