open-dsi
/
clamav
mirror of https://github.com/Cisco-Talos/clamav
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fmapify mydoom

Browse Source
remotes/push_mirror/fmapify
aCaB 15 years ago
parent 0c7ebb92a6
commit d0e17a285a
3 changed files with 40 additions and 32 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 2
      libclamav/scanners.c
  2. 68
      libclamav/special.c
  3. 2
      libclamav/special.h

2
libclamav/scanners.c
Unescape View File

@ -2394,7 +2394,7 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)
case CL_TYPE_BINARY_DATA:
if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_MYDOOMLOG))
ret = cli_check_mydoom_log(desc, ctx);
ret = cli_check_mydoom_log(ctx);
break;
case CL_TYPE_TEXT_ASCII:

68
libclamav/special.c
Unescape View File

@ -45,42 +45,50 @@
#define special_endian_convert_16(v) be16_to_host(v)
#define special_endian_convert_32(v) be32_to_host(v)
int cli_check_mydoom_log(int desc, cli_ctx *ctx)
int cli_check_mydoom_log(cli_ctx *ctx)
{
uint32_t record[8], check;
int i, retval=CL_VIRUS, j;
uint32_t *record, check, key;
fmap_t *map = *ctx->fmap;
unsigned int blocks = map->len / (8*4);
cli_dbgmsg("in cli_check_mydoom_log()\n");
/* Check upto the first five records in the file */
for (j=0 ; j<5 ; j++) {
if (cli_readn(desc, &record, 32) != 32) {
break;
}
if(!j && record[0] == 0xffffffff) /* bb#1241 */
return CL_CLEAN;
/* Decode the key */
record[0] = ~ntohl(record[0]);
cli_dbgmsg("Mydoom: key: %d\n", record[0]);
check = 0;
for (i=1 ; i<8; i++) {
record[i] = ntohl(record[i]) ^ record[0];
check += record[i];
}
cli_dbgmsg("Mydoom: check: %d\n", ~check);
if ((~check) != record[0]) {
if(blocks<2)
return CL_CLEAN;
if(blocks>5)
blocks = 5;
record = fmap_need_off_once(map, 0, 8*4*blocks);
if(!record)
return CL_CLEAN;
while(blocks) { /* This wasn't probably intended but that's what the current code does anyway */
if(record[--blocks] == 0xffffffff)
return CL_CLEAN;
}
}
if (j < 2) {
retval = CL_CLEAN;
} else if (retval==CL_VIRUS) {
*ctx->virname = "Heuristics.Worm.Mydoom.M.log";
}
return retval;
key = ~be32_to_host(record[0]);
check = (be32_to_host(record[1])^key) +
(be32_to_host(record[2])^key) +
(be32_to_host(record[3])^key) +
(be32_to_host(record[4])^key) +
(be32_to_host(record[5])^key) +
(be32_to_host(record[6])^key) +
(be32_to_host(record[7])^key);
if ((~check) != key)
return CL_CLEAN;
key = ~be32_to_host(record[8]);
check = (be32_to_host(record[9])^key) +
(be32_to_host(record[10])^key) +
(be32_to_host(record[11])^key) +
(be32_to_host(record[12])^key) +
(be32_to_host(record[13])^key) +
(be32_to_host(record[14])^key) +
(be32_to_host(record[15])^key);
if ((~check) != key)
return CL_CLEAN;
*ctx->virname = "Heuristics.Worm.Mydoom.M.log";
return CL_VIRUS;
}
static int jpeg_check_photoshop_8bim(int fd, cli_ctx *ctx)

2
libclamav/special.h
Unescape View File

@ -33,7 +33,7 @@ struct swizz_stats {
int entries;
};
int cli_check_mydoom_log(int desc, cli_ctx *ctx);
int cli_check_mydoom_log(cli_ctx *ctx);
int cli_check_jpeg_exploit(int fd, cli_ctx *ctx);
int cli_check_riff_exploit(int fd);
void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob);

Write Preview
Loading…
Cancel
Save