Vulnerability Development mailing list archives

Re: Another new worm??? (technical)


From: pierre () DATARESCUE COM (Pierre Vandevenne)
Date: Tue, 27 Jun 2000 15:38:22 +0200


On Mon, 26 Jun 2000 10:31:05 -0300, sigipp () WELLA COM BR wrote:

Hi,


"Love Letter", "Lover  Letter", "Love _ Letter", "Re:Love Letter",
"FWD: Love _Letter"

I remember once an article in the (German) c't about fault-tolerant string
matching using triplets (groups of three characters) and groups of five
characters, resulting in a percentage of similarness. It worked really great and
might be an algorithm to catch these too.

Sure - it is quite possible, by many methods, but as soon as you choose
one in an open source package worm writers will work around it. That is
what happened in the past, even though the programs were closed source
and the databases (mildly) encrypted.

BTW, when looking for information about viruses and worms, it often
pays to look further than the virus encyclopedias - there are many
interesting papers floating on the net.
Here for example.
http://www.av.ibm.com/InsideTheLab/Bookshelf/ScientificPapers/
http://www.ifip.tu-graz.ac.at/TC11/SEC94/bonchev.html

Pierre


---
http://www.datarescue.com/idabase/ida.htm
IDA Pro 4.1 - Yes, we have done it again !
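
The n-gram matching mentioned in the quoted message, sketched as an added example that is not part of either post or of the c't article. The article's exact scoring is not given here, so the Dice coefficient over padded character trigrams and 5-grams, the normalization step, and the 70% threshold are assumptions.

```python
import re
from collections import Counter

# Subject variants quoted in the post, plus one constructed unrelated subject.
SUBJECTS = ["Love Letter", "Lover  Letter", "Love _ Letter", "Re:Love Letter",
            "FWD: Love _Letter", "Meeting agenda for Tuesday"]
THRESHOLD = 70.0  # assumed cut-off in percent, not a value from the post

def normalize(subject: str) -> str:
    """Lowercase, drop leading Re:/Fw:/Fwd: prefixes, keep letters and digits only."""
    s = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", subject.lower())
    return re.sub(r"[^a-z0-9]+", "", s)

def ngrams(text: str, n: int) -> Counter:
    """Multiset of character n-grams; padding gives string edges their own grams."""
    padded = " " * (n - 1) + text + " " * (n - 1)
    return Counter(padded[i:i + n] for i in range(len(padded) - n + 1))

def dice(a: str, b: str, n: int) -> float:
    """Dice coefficient on n-gram multisets, between 0.0 and 1.0."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    total = sum(ga.values()) + sum(gb.values())
    if total == 0:
        return 1.0  # both inputs produced no grams at all
    return 2.0 * sum((ga & gb).values()) / total

def similarity(a: str, b: str) -> float:
    """Percentage similarity: mean of the trigram and 5-gram Dice scores."""
    na, nb = normalize(a), normalize(b)
    return 100.0 * (dice(na, nb, 3) + dice(na, nb, 5)) / 2.0

def flag_similar(subjects, reference="Love Letter", threshold=THRESHOLD):
    """Return (subject, score) pairs scoring at or above the threshold."""
    scored = [(s, round(similarity(s, reference), 1)) for s in subjects]
    return [(s, p) for s, p in scored if p >= threshold]

if __name__ == "__main__":
    for subject, score in flag_similar(SUBJECTS):
        print(f"{score:5.1f}%  {subject!r}")
```

Normalization alone collapses four of the five quoted variants to the same string; the n-gram score is what still catches "Lover  Letter", which differs by an inserted character.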


