procmail

Re: softlabs

2004-03-04 06:41:05
When I tickled Ruud H.G. van Tol, this came out:

If you open the zip-file in an editor, you will find
two equal occurrences of "randomtext.exe" in there (the toc).
The pattern of the base64-encoding of those filenames is deducible,
so a procmail-recipe can catch them.

Or use sed:

ZIPSTR = `sed \
-e :a \
-e "s/[^a-zA-Z0-9. ]\{1,\}/ /g" \
-e "s/ \{1,\}\[^ ]\{0,4\} \{1,\}/ /g" \
-e '$\!N; s/\n/ /; ta' \
bagle.zip`

(might need changing or unsetting of SHELLMETAS)


A sample bagle.zip is transformed to:
PK hdquqv.exe SPWNs GoRyq ZoC6jh fy4cW 15oYg 246WA 7Km1U VR0bt W5HJT
MO84d eX70r eJfzb hdquqv.exePK
(all on 1 line)

I chose to eliminate all strings shorter than 4 because "a.exe" 
has length 5.

-- 
Affijn, Ruud

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
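
The check described in the message above (the same .exe name occurring twice in the archive), as an added shell example that is not part of the original post. It uses tr and grep instead of the poster's sed expression and looks only for .exe names; the function names and the constructed sample bytes are assumptions of this example.

```shell
#!/bin/sh
# Added example: find *.exe names that occur at least twice in a ZIP, i.e. in
# a local file header and again in the central directory, without unpacking.

# Every run of filename-safe bytes ending in ".exe", one per line.
# tr turns all other bytes into newlines first, so grep only ever sees text.
# grep -o also trims a trailing signature, as in "hdquqv.exePK".
zip_exe_names() {
    LC_ALL=C tr -cs 'A-Za-z0-9._-' '\n' < "$1" |
        LC_ALL=C grep -i -o '[A-Za-z0-9._-]*\.exe'
}

# Names seen two or more times, case-folded so "A.EXE" pairs with "a.exe".
repeated_exe_names() {
    zip_exe_names "$1" | tr 'A-Z' 'a-z' | sort | uniq -d
}

# Emit $1 NUL bytes.
zeros() { printf "%${1}s" '' | tr ' ' '\000'; }

# Constructed sample: bytes laid out like a one-entry ZIP (signatures, name
# lengths and names in the right places; every other field zeroed, so it is
# not a valid archive). $1 = output file, $2 = entry name, $3 = stand-in data.
make_sample() {
    len=$(printf '%03o' "${#2}")
    {
        printf 'PK\003\004'; zeros 22; printf "\\${len}\\000\\000\\000%s" "$2"
        printf '%s' "$3"
        printf 'PK\001\002'; zeros 24; printf "\\${len}\\000"; zeros 16
        printf '%s' "$2"
        printf 'PK\005\006'; zeros 18
    } > "$1"
}

# Usage: sh thisfile.sh attachment.zip  (prints each repeated .exe name)
if [ "${1:-}" ]; then
    repeated_exe_names "$1"
fi
```

Entry names stay readable even in a password-protected ZIP, because traditional ZIP encryption covers only the file data, so the check works on the decoded attachment as-is.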
