procmail

one other way, perhaps, to catch SirCam

2001-07-30 00:58:26
I wrote this and posted it to an ISP internal newsgroup, but
I think there is a wider interest in it.


Using a signature for the virus ("^@^Y^@^@^@^A| SCam32^@^P~CMI")
and different base64 offsets, I have this RE to catch it:

# This tries to match a binary string from the SirCam virus
# in the base64 encoded MIME attachment.
# B: search body, D case sensitive
:0BD:
* AAAAGgU0NhbTMyABCDTUlN|AAAAAaBTQ2FtMzIAEINNSU1F|ABkAAAABoFNDYW0zMgAQg01J
sircamvirus.box

I started with 'strings' found something not likely to be in other
binary attachments, base64 encoded it, then fiddled for possible
offset differences. All three of these are base64 fragments that
can be decoded to see the source text they match against:

        AAAAGgU0NhbTMyABCDTUlN
        AAAAAaBTQ2FtMzIAEINNSU1F
        ABkAAAABoFNDYW0zMgAQg01J

(One has to be careful selecting start and stop bytes for the
decoding to work as well as the matching.)

I don't have a large enough sample of wild SirCams to test to
see if this works reliably: it could be line breaks will get
in the way. That would make the RE more complicated, but still
doable.

The 'SCam32' signature is very nearly at the end of the virus:
136416 bytes into the 137216 byte sample I first looked at.
This is relying on a VULN-DEV list post I saw which claimed that
the attachment could be disinfected with this command:

dd if=infected-file.doc.pif bs=512 skip=268 of=original.doc

Working backwards, the virus can be extracted with this command:

dd if=infected-file.doc.pif bs=512 count=268 of=sircam.vir

Source:
Message-ID: <3B5F0042.EDA3430@7thzone.com>
From: Nicolas Gregoire <nicolas.gregoire@7thzone.com>
To: "Eric D. Williams" <eric@infobro.com>,
vuln-dev@securityfocus.com
Subject: Re: Win32.Sircam.Worm Alert.....

Securityfocus has a web archive of VULN-DEV, browse their site for it.

Benjamin
_______________________________________________
procmail mailing list
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
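The following Python is an added worked example, not part of Benjamin's post and not a procmail recipe. It automates the two manual steps he describes: producing the base64 text of a binary signature at each of the three byte alignments, trimming the edge characters whose value depends on the unknown neighbouring bytes (the "careful selection of start and stop bytes"), and then checking an attachment for any of the three. The 20-byte SIGNATURE constant was obtained by decoding the three fragments in the recipe above; it is the bytes behind the cat -v style string in the post (0xA0 and 0x83 are the two high bytes that rendering shows as "| " and "~C"). The sample message is constructed here and is not a real SirCam sample; it exists to show the line-break failure mode the post warns about: a fragment that straddles a 76-column base64 line break is found only once the line breaks are removed.

```python
import base64
import re
from email import message_from_bytes

# Byte string the three base64 fragments in the post decode to (recovered
# here by decoding them; assumption: this is the whole region the recipe
# matches, nothing beyond "MIME" is known from the post).
SIGNATURE = b"\x00\x19\x00\x00\x00\x01\xa0SCam32\x00\x10\x83MIME"

# The three fragments exactly as they appear in the procmail recipe.
POSTED_FRAGMENTS = [
    "AAAAGgU0NhbTMyABCDTUlN",
    "AAAAAaBTQ2FtMzIAEINNSU1F",
    "ABkAAAABoFNDYW0zMgAQg01J",
]


def b64_phases(sig: bytes) -> list:
    """Base64 text of `sig` at each of the three byte alignments.

    A base64 character covers 6 bits that can straddle two bytes, so the
    characters at either edge of the encoded signature also depend on the
    unknown bytes next to it in the attachment.  Encoding twice with
    different filler (0x00 and 0xFF) and keeping only the characters that
    agree leaves exactly the characters fixed by `sig` alone.  Index i is
    the alignment where i bytes of a base64 triple precede the signature.
    """
    phases = []
    for lead in range(3):
        tail = -(lead + len(sig)) % 3            # pad to whole triples
        a, b = (
            base64.b64encode(f * lead + sig + f * tail).decode("ascii")
            for f in (b"\x00", b"\xff")
        )
        # Any character containing a filler bit differs between the two.
        phases.append("".join(x for x, y in zip(a, b) if x == y))
    return phases


def signature_regex(sig: bytes):
    """One alternation of the three alignments, as in the procmail recipe."""
    return re.compile("|".join(re.escape(p) for p in b64_phases(sig)))


def scan_message(raw: bytes, pattern) -> dict:
    """Look for `pattern` in every base64-encoded MIME part of `raw`.

    "within_line": the fragment occurs inside a single line of base64 text,
    which is what a regex that allows no interposed line break needs.
    "joined": the base64 text is searched with line breaks stripped, so a
    fragment split across a 76-column line break is still found.
    """
    hits = {"within_line": False, "joined": False}
    for part in message_from_bytes(raw).walk():
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        text = part.get_payload(decode=False)    # base64 text, breaks intact
        if any(pattern.search(line) for line in text.splitlines()):
            hits["within_line"] = True
        if pattern.search("".join(text.split())):
            hits["joined"] = True
    return hits


def build_sample(sig_offset: int) -> bytes:
    """Constructed test message (not a real SirCam sample): a two-part MIME
    message whose base64 attachment carries SIGNATURE at byte `sig_offset`.
    base64.encodebytes wraps at 76 columns (57 bytes per line) like a MUA."""
    payload = bytearray(range(180))               # arbitrary filler bytes
    payload[sig_offset:sig_offset + len(SIGNATURE)] = SIGNATURE
    b64 = base64.encodebytes(bytes(payload))
    return (
        b"From: someone@example.invalid\n"
        b"To: you@example.invalid\n"
        b"Subject: constructed sample\n"
        b"MIME-Version: 1.0\n"
        b'Content-Type: multipart/mixed; boundary="XYZ"\n'
        b"\n--XYZ\n"
        b"Content-Type: text/plain\n"
        b"\nsee the attached file\n"
        b"\n--XYZ\n"
        b'Content-Type: application/octet-stream; name="infected-file.doc.pif"\n'
        b"Content-Transfer-Encoding: base64\n"
        b"\n" + b64 + b"--XYZ--\n"
    )


if __name__ == "__main__":
    for phase in b64_phases(SIGNATURE):
        print(phase)
    pat = signature_regex(SIGNATURE)
    print(scan_message(build_sample(120), pat))   # fits inside one base64 line
    print(scan_message(build_sample(50), pat))    # straddles a line break
```

Each of the posted fragments is a substring of the phase generated for its alignment, so the recipe's three alternatives are the trimmed form of the same three strings. The second scan is the case the post anticipates: the signature at byte offset 50 of the attachment is encoded across the first line break, the within-line search misses it, and only the search over the joined base64 text hits.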
