nanog mailing list archives
Re: dealing with w32/bagle
From: Chris Edwards <chris () eng gla ac uk>
Date: Thu, 4 Mar 2004 00:18:51 +0000 (GMT)
| What follows are the base64 encoded strings. I have put an asterisk
| between the first and second character, so my own filters won't reject
| this message, do remove that before using...
|
| U*EsDBAoAAAAAA <= Matches unencrypted ZIP file
| U*EsDBAoAAQAAA <= Matches encrypted version.

Hi,

That'll get the current bagle strains, but the thing could mutate further,
setting some of the initial zip header fields differently.

As of today we're blocking all possible encrypted zips, not just bagles,
with this reg-exp:

  UEsDB....[Q-Za-fw-z0-9\+/]

checking the start of attachments. Derivation below for anyone who cares.

Cheers
Chris

---------------------------------------------------------------------

According to the zip spec (http://www.idcnet.us/zip/zip-format.txt)

- The zip header has first four bytes hex = 50 4b 03 04
- The "encrypted" flag is first bit of the 7th byte

Doing the maths:

Hex:     50       4b       03       04       X        X        bit0set  X
Binary:  01010000 01001011 00000011 00000100 xxxxxxxx xxxxxxxx xxxxxxx1 xxxxxxxx
6bits:   010100 000100 101100 000011 000001 00xxxx xxxxxx xxxxxx xxxxxx x1xxxx
Dec:     20     4      44     3      1      0-15   .      .      .      16-31, 48-63
Base64:  U      E      s      D      B      A-P    .      .      .      Q-Za-fw-z0-9+/

Regexp:  UEsDB....[Q-Za-fw-z0-9\+/]

--
Chris Edwards, Glasgow University Computing Service
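A check of the derivation above, added here as an example and not part of the original post: it builds the first eight bytes of a zip local file header with Python's struct, base64-encodes them, and brute-forces every 16-bit flag value to confirm that the 10th base64 character falls in [Q-Za-fw-z0-9+/] exactly when the encryption bit is set. The function names and the in-memory zip built with zipfile are constructed for the example.

```python
import base64
import io
import re
import struct
import zipfile

# The regexp from the post, anchored at the start of the base64 attachment body.
ENCRYPTED_ZIP_B64 = re.compile(r"^UEsDB....[Q-Za-fw-z0-9\+/]")

# What the derivation says the 10th base64 character can be once flag bit 0
# is set: base64 values 16-31 (Q-Z, a-f) and 48-63 (w-z, 0-9, +, /).
EXPECTED_ENCRYPTED_TENTH = set("QRSTUVWXYZabcdefwxyz0123456789+/")


def local_header(flags: int, version: int = 10) -> bytes:
    """First 8 bytes of a zip local file header: signature 50 4b 03 04, the
    'version needed' field and the general-purpose bit flag, both little-
    endian, so bit 0 of byte 7 is the encryption flag."""
    return struct.pack("<4sHH", b"PK\x03\x04", version, flags)


def b64_head(data: bytes) -> str:
    """The first ten base64 characters, i.e. the part the regexp inspects."""
    return base64.b64encode(data[:8]).decode("ascii")[:10]


def tenth_char_set(encrypted: bool) -> set:
    """Brute-force the 10th base64 character over every 16-bit flag value
    whose encryption bit matches `encrypted`. Only bytes 7-8 feed that
    character, so the version field is irrelevant here."""
    chars = set()
    for flags in range(0x10000):
        if bool(flags & 1) == encrypted:
            chars.add(b64_head(local_header(flags))[9])
    return chars


def is_encrypted_zip_attachment(attachment_b64: str) -> bool:
    """Apply the post's filter to the base64 body of a MIME attachment."""
    return ENCRYPTED_ZIP_B64.match(attachment_b64) is not None


def sample_plain_zip_b64() -> str:
    """A real, unencrypted zip built in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", "hello")
    return base64.b64encode(buf.getvalue()).decode("ascii")
```

The brute force also shows the complement: with bit 0 clear the 10th character is always in [A-Pg-v], so the two sets never overlap.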
Current thread:
- dealing with w32/bagle Dan Hollis (Mar 03)
- Re: dealing with w32/bagle Brian Wilson (Mar 03)
- Re: dealing with w32/bagle Dominic J. Eidson (Mar 03)
- Re: dealing with w32/bagle Jeffrey I. Schiller (Mar 03)
- Re: dealing with w32/bagle Chris Edwards (Mar 03)
- Re: dealing with w32/bagle Curtis Maurand (Mar 03)
- Re: dealing with w32/bagle Laurence F. Sheldon, Jr. (Mar 03)
- Re: dealing with w32/bagle Curtis Maurand (Mar 04)
- Re: dealing with w32/bagle Jeff Shultz (Mar 04)
- Re: dealing with w32/bagle Laurence F. Sheldon, Jr. (Mar 04)
- Re: dealing with w32/bagle Crist Clark (Mar 04)
- Re: dealing with w32/bagle Curtis Maurand (Mar 04)
- Re: dealing with w32/bagle Sam Stickland (Mar 05)
- One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle Alexei Roudnev (Mar 05)
- Re: dealing with w32/bagle Valdis . Kletnieks (Mar 05)
- Re: dealing with w32/bagle Brian Wilson (Mar 03)