Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: dealing with w32/bagle

  • From: Chris Edwards
  • Date: Wed Mar 03 19:21:48 2004

| What follows are the base64 encoded strings. I have put an asterisk
| between the first and second character, so my own filters won't reject
| this message, do remove that before using...
|
| U*EsDBAoAAAAAA   <= Matches unencrypted ZIP file
| U*EsDBAoAAQAAA   <= Matches encrypted version.

Hi,

That'll get the current bagle strains, but the thing could mutate further,
setting some of the initial zip header fields differently.

As of today we're blocking all possible encrypted zips, not just bagles,
with this reg-exp:

  UEsDB....[Q-Za-fw-z0-9\+/]

checking the start of attachments.  Derivation below for anyone who cares.

Cheers

Chris

---------------------------------------------------------------------


According to the zip spec (http://www.idcnet.us/zip/zip-format.txt)

- The zip header has first four bytes hex = 50 4b 03 04

- The "encrypted" flag is first bit of the 7th byte

Doing the maths:

Hex     50       4b       03       04       X        X        bit0set  X

Binary  01010000 01001011 00000011 00000100 xxxxxxxx xxxxxxxx xxxxxxx1 xxxxxxxx

6bits:  010100 000100 101100 000011 000001 00xxxx xxxxxx xxxxxx xxxxxx x1xxxx

Dec:    20     4      44     3      1      0-15   .      .      .      16-31, 48-63

Base64  U      E      s      D      B      A-P    .      .      .      Q-Za-fw-z0-9+/


Regexp: UEsDB....[Q-Za-fw-z0-9\+/]


--
Chris Edwards, Glasgow University Computing Service




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.