header or body?

-----Original Message-----
From: Keith Woodworth [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 03, 2004 6:27 PM
To: [EMAIL PROTECTED]
Subject: [IMGate] Re: dealing with w32/bagle (fwd)



============================
| What follows are the base64 encoded strings. I have put an asterisk
| between the first and second character, so my own filters won't reject
| this message, do remove that before using...
|
| U*EsDBAoAAAAAA   <= Matches unencrypted ZIP file
| U*EsDBAoAAQAAA   <= Matches encrypted version.

Hi,

That'll get the current bagle strains, but the thing could mutate further,
setting some of the initial zip header fields differently.

As of today we're blocking all possible encrypted zips, not just bagles,
with this reg-exp:

  UEsDB....[Q-Za-fw-z0-9\+/]

checking the start of attachments.  Derivation below for anyone who cares.

---------------------------------------------------------------------


According to the zip spec (http://www.idcnet.us/zip/zip-format.txt)

- The zip header has first four bytes hex = 50 4b 03 04

- The "encrypted" flag is first bit of the 7th byte

Doing the maths:

Hex:     50       4b       03       04       X        X        bit0set  X

Binary:  01010000 01001011 00000011 00000100 xxxxxxxx xxxxxxxx xxxxxxx1 xxxxxxxx

6 bits:  010100 000100 101100 000011 000001 00xxxx xxxxxx xxxxxx xxxxxx x1xxxx

Dec:     20     4      44     3      1      0-15   .      .      .      16-31, 48-63

Base64:  U      E      s      D      B      A-P    .      .      .      Q-Za-fw-z0-9+/


Regexp: UEsDB....[Q-Za-fw-z0-9\+/]


=======================

Someone posted this on another list about blocking all the ZIPs that are
encrypted and thought some of you might find this useful here.
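Added example, not part of the forwarded message: a small Python script that reproduces the derivation above (which base64 character carries the encryption bit and which characters form the class), then builds constructed ZIP local file headers with the flag set and cleared, including ones with other header fields changed, and applies the regexp to their base64 encoding. Function names are hypothetical; the headers are sample bytes with zeroed fields, not real archives.

```python
import base64
import re
import struct

# The filter from the message: base64 of a ZIP local file header whose
# general-purpose flag word has bit 0 (encryption) set. The 10th base64
# character carries that bit as value 16.
ENCRYPTED_ZIP_B64 = re.compile(r"UEsDB....[Q-Za-fw-z0-9\+/]")
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def b64_position_of_bit(byte_offset, bit):
    """General rule behind the derivation: for a bit (0 = LSB) of the byte
    at byte_offset, return the 1-indexed base64 character that carries it
    and the value of that bit inside the character's 6-bit group."""
    stream_bit = byte_offset * 8 + (7 - bit)   # MSB-first index in the byte stream
    return stream_bit // 6 + 1, 1 << (5 - stream_bit % 6)

def chars_with_bit(value):
    """All base64 characters whose 6-bit value has `value` set, i.e. the
    character class the regexp needs for that bit."""
    return "".join(c for i, c in enumerate(B64_ALPHABET) if i & value)

def local_file_header(flags, version=20, method=8):
    """Constructed sample: the 30-byte fixed part of a ZIP local file header
    (signature 50 4b 03 04, then version, flags, method, and zeroed fields)."""
    return struct.pack("<IHHHHHIIIHH", 0x04034B50, version, flags, method,
                       0, 0, 0, 0, 0, 0, 0)

def looks_like_encrypted_zip(attachment):
    """Encode the attachment as a mail client would and apply the filter to
    the start of the base64 text, as the message describes."""
    encoded = base64.b64encode(attachment).decode("ascii")
    return ENCRYPTED_ZIP_B64.match(encoded) is not None

if __name__ == "__main__":
    print(b64_position_of_bit(6, 0))   # (10, 16): 10th character, value 16
    print(chars_with_bit(16))          # QRSTUVWXYZabcdefwxyz0123456789+/
    # Same encryption bit with other header fields varied, to show the
    # check does not depend on version, method or the remaining flag bits.
    for flags, ver, meth in [(0, 20, 8), (1, 20, 8), (0x0009, 10, 0), (0x0801, 20, 8)]:
        hdr = local_file_header(flags, ver, meth)
        print(hex(flags), base64.b64encode(hdr)[:12], looks_like_encrypted_zip(hdr))
```

The check only sees the first local file header at the start of the attachment, which is exactly what the filter in the message inspects.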
