John Peacock wrote:
There have been a couple of reports of viruses being distributed in RAR files, specifically the Bagle family, which is a problem since Symantec's AV scanner wasn't working properly with RAR files and in fact could actually execute the virus <DOH>.
The RAR file format does contain a known signature:
Magic bytes 0x52 0x61 0x72 0x21 0x1a (Rar!<end-of-file>) at offset 0x00
so it should be trivial to figure out what the Base64 encoding should look like. Then it could be added to a signatures_rar to use with Gavin's exe_filter...
John
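As an added example (not code from the post or from exe_filter), the following Python script does the "figure out what the Base64 encoding should look like" step for the five magic bytes quoted above, Rar!\x1a, and then scans a base64-encoded MIME body for them. Because base64 encodes three bytes per four characters, the signature has three possible encodings depending on how many unknown bytes precede it; the script derives all three as regex fragments (literal characters where the six bits are fully known, character classes where only some bits are known) rather than hard-coding them. The MIME bodies and the RAR-like header it scans are constructed test data, not real samples; RAR_MAGIC, base64_patterns and base64_body_has_rar are names chosen here. The five bytes are the common prefix of the seven-byte RAR 1.5-4 signature and the eight-byte RAR5 signature, so matching on them catches both.

```python
import base64
import re

# Standard base64 alphabet (RFC 2045); index == 6-bit value.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# The five bytes quoted in the post ("Rar!" then 0x1a). RAR 1.5-4 archives
# continue with 07 00 and RAR5 with 07 01 00, so this prefix covers both.
RAR_MAGIC = b"Rar!\x1a"


def base64_patterns(magic: bytes) -> list:
    """Regex fragments matching the base64 encoding of `magic` when it starts
    0, 1 or 2 bytes into a 3-byte base64 group. A sextet whose six bits are all
    known becomes a literal; one with some unknown bits becomes a class."""
    patterns = []
    for lead in range(3):
        # None marks an unknown bit (the leading bytes), 0/1 a known bit.
        bits = [None] * (8 * lead)
        for byte in magic:
            bits.extend((byte >> (7 - i)) & 1 for i in range(8))
        frag = ""
        for i in range(0, len(bits), 6):
            sextet = bits[i:i + 6]
            sextet += [None] * (6 - len(sextet))  # pad a trailing partial sextet
            unknown = [j for j, b in enumerate(sextet) if b is None]
            if len(unknown) == 6:
                continue  # leading sextet made only of unknown bits: nothing to match
            if not unknown:
                frag += re.escape(B64[int("".join(map(str, sextet)), 2)])
                continue
            # Enumerate every value the unknown bits could take; collect the chars.
            chars = set()
            for v in range(1 << len(unknown)):
                full = list(sextet)
                for k, j in enumerate(unknown):
                    full[j] = (v >> (len(unknown) - 1 - k)) & 1
                chars.add(B64[int("".join(map(str, full)), 2)])
            frag += "[" + "".join(sorted(chars)) + "]"
        patterns.append(frag)
    return patterns


RAR_B64_RES = [re.compile(p) for p in base64_patterns(RAR_MAGIC)]


def base64_body_has_rar(body: str) -> bool:
    """True if a base64-encoded MIME body part carries a RAR archive.
    Line breaks are removed first, so a signature split across the 76-column
    wrap is still found."""
    joined = re.sub(r"\s+", "", body)
    for lead, rx in enumerate(RAR_B64_RES):
        # The fragment for `lead` unknown leading bytes begins at sextet `lead`
        # of its 4-character group, so a genuine hit sits at position == lead mod 4.
        for pos in range(lead, len(joined), 4):
            if rx.match(joined, pos):
                return True
    return False


def mime_wrap(data: bytes) -> str:
    """Base64-encode `data` and wrap it at 76 columns, as a MIME body is."""
    enc = base64.b64encode(data).decode("ascii")
    return "\n".join(enc[i:i + 76] for i in range(0, len(enc), 76))


# Constructed sample attachments (not real malware): a minimal RAR-style header
# followed by filler bytes, and a ZIP local-file header for contrast.
SAMPLE_RAR_BODY = mime_wrap(b"Rar!\x1a\x07\x00" + bytes(range(64)))
SAMPLE_ZIP_BODY = mime_wrap(b"PK\x03\x04" + bytes(range(64)))

if __name__ == "__main__":
    for lead, pat in enumerate(base64_patterns(RAR_MAGIC)):
        print(f"{lead} leading byte(s): {pat}")
    print("rar sample:", base64_body_has_rar(SAMPLE_RAR_BODY))
    print("zip sample:", base64_body_has_rar(SAMPLE_ZIP_BODY))
```

For a whole-file attachment the archive starts at offset 0x00 of the decoded data, so the zero-lead fragment at the very start of the body is the one a procmail-style filter would normally need; the other two alignments only matter when the RAR sits at a nonzero offset inside the encoded data.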
clamav handles them. The clamav doc says the rar decompressor leaks mem badly; a newer version of libclam fixes a rar buffer overflow caused by Bagle worm's rar and clamav crashing on some rar nonsense. See README and other docs.
exe_filter is quick, though, so I run it first (doesn't id rar yet though).
-bob
