lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4017984D.20232.90A4F0C1@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Mydoom

Vlad Galu <dudu@...spar.rdsnet.ro> wrote:

> "Ferris, Robin" <R.Ferris@...ier.ac.uk> writes:
> | 
> |Does any one know what the size of the attachment is when is comes in
> |as a zip file?
> 
> 	It's the <compressed size>/<ratio>.

Admit it -- you're just guessing!

Mydoom makes its zip form by gluing together a .ZIP header for a 
single, stored (i.e. not compressed) file, the whole of the virus 
binary and a suitable one-file .ZIP central directory.  As the size of 
the first and third components depends on the length of the filename, 
the .ZIP is not of constant size because Mydoom uses different length 
filenames.

And, as I explained earlier, even the size of the .EXE can vary, adding 
yet another inconstancy to the equation.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Powered by blists - more mailing lists