Re: dealing with w32/bagle

[Chris Edwards <chris () eng gla ac uk>]

| What follows are the base64 encoded strings. I have put an asterisk
| between the first and second character, so my own filters won't reject
| this message, do remove that before using...
|
| U*EsDBAoAAAAAA   <= Matches unencrypted ZIP file
| U*EsDBAoAAQAAA   <= Matches encrypted version.

Hi,

That'll get the current bagle strains, but the thing could mutate further,
setting some of the initial zip header fields differently.

As of today we're blocking all possible encrypted zips, not just bagles,
with this reg-exp:

  UEsDB....[Q-Za-fw-z0-9\+/]

checking the start of attachments.  Derivation below for anyone who cares.

Cheers

Chris

---------------------------------------------------------------------


According to the zip spec (http://www.idcnet.us/zip/zip-format.txt)

- The zip header has first four bytes hex = 50 4b 03 04

- The "encrypted" flag is first bit of the 7th byte

Doing the maths:

Hex     50       4b       03       04       X        X        bit0set  X

Binary  01010000 01001011 00000011 00000100 xxxxxxxx xxxxxxxx xxxxxxx1 xxxxxxxx

6bits:  010100 000100 101100 000011 000001 00xxxx xxxxxx xxxxxx xxxxxx x1xxxx

Dec:    20     4      44     3      1      0-15   .      .      .      16-31, 48-63

Base64  U      E      s      D      B      A-P    .      .      .      Q-Za-fw-z0-9+/


Regexp: UEsDB....[Q-Za-fw-z0-9\+/]


--
Chris Edwards, Glasgow University Computing Service