Full Disclosure mailing list archives

Re: Show me the Virrii!


From: Michael Gale <michael () bluesuperman com>
Date: Sun, 4 Jan 2004 14:28:39 -0700

Hello,

        I believe you could use the following method; it is used by some mail
servers to block attachments by file type. It is not a sure way, but could
provide an option like "Possible virus".

Here is an example ... take a Windows exe file. Better yet, take 15
Windows exe files. You will notice that the first part of each file is
the same. I can not remember how many bits :(

Now some mail servers will scan attachments, and if someone renames an
exe to .zip, .jpeg or something, the system will still know it is an exe
because of the first X number of bits of the file.

I believe that most viruses work the same way, so a lot of the heuristic
engines work the same way.

Many "new" viruses work very similarly to the way old ones do. So if you
can get the pattern of, let's say, 20 viruses (which you have), you should
be able to detect other viruses or files that may contain a virus based
on the pattern of the file and how well it relates to a known virus
pattern.

Michael.




On Sun, 04 Jan 2004 17:01:33 +0000
Richard Maudsley <r_i_c_h () btopenworld com> wrote:

Hi list,

I recently finished a stable version of my little Virus-Scanner, LMS
( http://www.mindblock.org/lms ).
It currently detects 19 viruses. I need it to detect hundreds.

How do big Anti-Virus companies get their hands on new viruses, and
how can I?

Thanks,
      Richard Maudsley

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
Hand over the Slackware CDs and back AWAY from the computer; your geek
rights have been revoked !!!

Michael Gale
Slackware user :)
Bluesuperman.com 
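The two checks Michael sketches above, as an added worked example in Python (this is not code from the original post, nor from LMS): first, sniffing the real file type from the leading bytes instead of trusting the extension (for a Windows executable that is the "MZ" DOS header at offset 0 and the "PE\0\0" signature at the offset stored in the little-endian field at 0x3C), and second, a crude "how well does it relate to a known virus pattern" score computed as Jaccard similarity of byte-trigram sets against a small corpus of known samples. All sample bytes are constructed placeholders, not real malware, and the 0.5 threshold is an assumption rather than a tuned value.

```python
"""
Added example (not from the original post or from LMS): extension-independent
type sniffing plus a trigram-similarity "Possible virus" heuristic.

All byte strings below are constructed for the example; there is no real
malware here, and the 0.5 threshold is an assumption, not a tuned value.
"""
import struct

# Magic-byte prefixes for a few common attachment types (leading bytes only).
MAGIC = {
    "zip": b"PK\x03\x04",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif"}


def sniff_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sniff_type(data: bytes) -> str:
    """Best guess at the real file type from its first bytes; 'unknown' if nothing matches."""
    if sniff_pe(data):
        return "exe"
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def ngrams(data: bytes, n: int = 3) -> set:
    """Set of all length-n byte substrings of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def best_match(data: bytes, known: dict, n: int = 3):
    """Return (sample name, similarity) for the known sample closest to data."""
    grams = ngrams(data, n)
    scores = {name: jaccard(grams, ngrams(sig, n)) for name, sig in known.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]


def scan_attachment(name: str, data: bytes, known: dict, threshold: float = 0.5) -> list:
    """Return a list of warning strings; an empty list means nothing suspicious was found."""
    warnings = []
    ext = extension_of(name)
    if sniff_type(data) == "exe" and ext not in EXECUTABLE_EXTS:
        warnings.append(f"Windows executable disguised as .{ext}")
    best, score = best_match(data, known)
    if score >= threshold:
        warnings.append(f"Possible virus: resembles {best} (similarity {score:.2f})")
    return warnings


def fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for a PE file: 'MZ', zero padding, e_lfanew=0x40, 'PE\\0\\0', then body."""
    return b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + body


# Constructed "known virus" corpus; the bodies are plain-text placeholders.
KNOWN = {
    "Sample.A": fake_pe(b"infect: open C:\\WINDOWS\\*.exe; prepend self; mail to addressbook"),
    "Sample.B": fake_pe(b"worm: scan subnet, copy to ADMIN$ share, schedule with at.exe"),
}

# Constructed unknowns: a variant of Sample.A, a benign program, and a real zip header.
VARIANT = fake_pe(b"infect: open C:\\WINDOWS\\*.exe; prepend self; mail to addressbook; delete logs")
BENIGN = fake_pe(b"hello world, this program prints a greeting and exits cleanly")
REAL_ZIP = b"PK\x03\x04" + b"\0" * 26 + b"readme.txt"

if __name__ == "__main__":
    for name, data in [("report.zip", VARIANT), ("hello.exe", BENIGN), ("docs.zip", REAL_ZIP)]:
        print(name, sniff_type(data), scan_attachment(name, data, KNOWN))
```

Running it flags `report.zip` twice (it sniffs as a PE despite the .zip name, and its trigrams overlap heavily with Sample.A), while the benign executable and the genuine zip produce no warnings. The trigram score is deliberately naive: a packer or even a trivial byte-level change defeats it, which is why real engines normalise or unpack the file before comparing.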


