[Mimedefang] FW : Bagle Zip format (from nanog)

Stephane Lentz Stephane.Lentz at ansf.alcatel.fr
Wed Mar 3 17:17:55 EST 2004


Might be of interest to all. 
It was mentioned in the Mailscanner-ml : 


-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf
Of Jeffrey I. Schiller
Sent: Wednesday, March 03, 2004 4:13 PM
To: Brian Wilson
Cc: Dan Hollis; 'nanog at merit.edu'
Subject: Re: dealing with w32/bagle

Turns out that the ZIP file format that all of these beasties are
using is a little bit non-standard. Specifically they are all version
1.0 zip archives and the first (and only) component is not
compressed.

At MIT we are matching these two strings to recognize the infected ZIP
files while letting most (actually I have seen no false positives) if
not all "real" ZIP files. We are matching them anywhere within an
attachment (well, within the first 16K). However you really only need
to see if they are the beginning characters (this is a ZIP file
header).

What follows are the base64 encoded strings. I have put an asterisk
between the first and second character, so my own filters won't reject
this message, do remove that before using...

U*EsDBAoAAAAAA   <= Matches unencrypted ZIP file
U*EsDBAoAAQAAA   <= Matches encrypted version.

                            -Jeff

----- End forwarded message -----

SL/
---
Stephane Lentz 
Alcanet International, Internet Services