Message-ID: <6.0.1.1.2.20040104215039.01b4a4c0@mail.btinternet.com>
From: r_i_c_h_lists at btopenworld.com (Richard Maudsley)
Subject: Show me the Virrii!
Hi,
There are not really any virus standards. The only heuristic pattern I have
at present is for detecting mIRC worms, scanning for the ASCII strings
"mirc.ini" and "Microsoft\Windows\CurrentVersion\Run" - but I am sure there
are many legit programs out there containing both strings. I'm not really
sure what to look for in viruses; what do packed Trojans have in common?
More research I guess.
-Richard Maudsley
Research funnies: The presence of the "NetBus" string in all versions of the
Trojan, including packed files - easy heuristics ;)
At 21:28 04/01/2004, you wrote:
>Hello,
>
> I believe you could use the following method, it is used by some mail
>servers to block attachments by file type. It is not a sure way, but could
>provide an option like "Possible virus".
>
>Here is an example ... take a windows exe file. Better yet take 15
>windows exe files. You will notice that the first part of each file is
>the same. I can not remember how many bits :(
>
>Now some mail servers will scan attachments and if someone renames an
>exe to .zip, .jpeg or something the system will still know it is an exe
>because of the first X number of bits of the file.
>
>I believe that most viruses work the same way, so a lot of the heuristic
>engines work the same way.
>
>Many "new" viruses work very similar to the way old ones do. So if you
>can get the pattern of let's say 20 viruses (which you have) you should
>be able to detect other viruses or files that may contain a virus based
>on the pattern of the file and how well it relates to a known virus
>pattern.
>
>Michael.
>
>On Sun, 04 Jan 2004 17:01:33 +0000
>Richard Maudsley <r_i_c_h@...penworld.com> wrote:
>
> > Hi list,
> >
> > I recently finished a stable version of my little Virus-Scanner, LMS (
> >
> > http://www.mindblock.org/lms ).
> > It currently detects 19 viruses. I need it to detect hundreds.
> >
> > How do big Anti-Virus companies get their hands on new viruses, and
> > how can I?
> >
> > Thanks,
> > Richard Maudsley
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>--
>Hand over the Slackware CD's and back AWAY from the computer, your geek
>rights have been revoked !!!
>
>Michael Gale
>Slackware user :)
>Bluesuperman.com
>
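The content-based check Michael describes (recognising a Windows executable from its leading bytes, whatever extension it carries) combined with Richard's two-string mIRC-worm heuristic, as an added Python example that is not code from this thread. The sample attachments are constructed inside the script (no real malware); the "MZ" stub, the e_lfanew field at offset 0x3C and the "PE\0\0" signature are the genuine DOS/PE header fields, while the filenames and verdict strings are assumptions.

```python
import struct

# Constructed sample inputs (not real malware): a minimal PE-like header,
# a JPEG header, and plain text. Only the fields the checks read are filled in.
def _fake_pe() -> bytes:
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x80)      # e_lfanew -> PE header at 0x80
    hdr += b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00"
    return bytes(hdr) + b"...mirc.ini...Microsoft\\Windows\\CurrentVersion\\Run..."

SAMPLES = {
    "report.jpg": _fake_pe(),                    # EXE renamed to hide its type
    "photo.jpg":  b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 32,
    "notes.txt":  b"edit mirc.ini, then look under Microsoft\\Windows\\CurrentVersion\\Run",
}

def is_pe_executable(data: bytes) -> bool:
    """True if the content has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"   # out-of-range slice is just b""

# Markers from the thread; both occur in benign software too, so a hit is a
# hint for a "Possible virus" flag, never a verdict on its own.
SUSPICIOUS_STRINGS = (b"mirc.ini", b"Microsoft\\Windows\\CurrentVersion\\Run")

def string_hits(data: bytes) -> list:
    return [s for s in SUSPICIOUS_STRINGS if s in data]

def classify(filename: str, data: bytes) -> str:
    """Verdict for a mail attachment based on its content, not its extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    pe = is_pe_executable(data)
    hits = string_hits(data)
    if pe and ext not in ("exe", "dll", "scr"):
        return "possible virus: executable disguised as ." + ext
    if pe and len(hits) == len(SUSPICIOUS_STRINGS):
        return "possible virus: executable with mIRC-worm markers"
    if hits:
        return "low confidence: markers present in non-executable"
    return "no finding"

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {classify(name, data)}")
```

The third sample shows why the string rule alone is weak: a plain text file that merely mentions both strings trips it, which is exactly the false-positive concern raised in the reply above.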