even if it was a prefixed size. one 'creative CRACKER or other lame person' would change the virus with a single bit which makes it a bit larger, and all the previous detects are USELESS , eventhough it perhaps has the same sig as before
-- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene -----Oorspronkelijk bericht----- Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Nick FitzGerald Verzonden: dinsdag 27 januari 2004 23:09 Aan: [EMAIL PROTECTED] Onderwerp: Re: [Full-Disclosure] Mydoom Vlad Galu <[EMAIL PROTECTED]> wrote: > "Ferris, Robin" <[EMAIL PROTECTED]> writes: > | > |Does any one know what the size of the attachment is when is comes in > |as a zip file? > > It's the <compressed size>/<ratio>. Admit it -- you're just guessing! Mydoom makes its zip form by gluing together a .ZIP header for a single, stored (i.e. not compressed) file, the whole of the virus binary and a suitable one-file .ZIP central directory. As the size of the first and third components depends on the length of the filename, the .ZIP is not of constant size because Mydoom uses different length filenames. And, as I explained earlier, even the size of the .EXE can vary, adding yet another inconstancy to the equation. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-disclosure mailing list [EMAIL PROTECTED] http://lists.elvandar.org/mailman/listinfo/full-disclosure _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
