[Esd-l] Anyone have an invariant signature for Goker?
Murray Crane
mcrane at longbridge.com
Mon Dec 17 05:14:00 PST 2001
On Fri, 14 Dec 2001 12:48:10 -0700, Brett Glass wrote:
>This worm uses variable subjects and attachment names, as well as some
>extensions (such as .exe) that may not be practical to block. Anyone have
>a signature?
Brett,
Well, running a 'diff' against the two copies of this that we have quarantined so far I would suggest that the base64 encoded attachments are identical, certainly for the two examples I have gotten. It may be possible to fashion a local rule based on that base64 encoding, which I have seen done for another virus (hybris).
A thought, surely. I'd be happy to pool quarantined examples to help move this along.
Murray Crane
Network Systems Administrator
Longbridge International Plc
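
The comparison described in the message above, sketched as an added example that is not part of the original post: it checks whether the attachments in several quarantined messages decode to the same bytes and lists the base64 lines they share as candidate match strings for a local rule. The function names, message layout and payload are assumptions constructed for illustration.

```python
import base64
import hashlib
from email import message_from_string

def make_sample(subject, filename, payload, width=76):
    """Build a CONSTRUCTED quarantined message (stand-in for a real sample)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return (f"Subject: {subject}\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\nhi\n--b\n"
            "Content-Type: application/octet-stream\n"
            "Content-Transfer-Encoding: base64\n"
            f'Content-Disposition: attachment; filename="{filename}"\n\n'
            f"{body}\n--b--\n")

def first_attachment(raw):
    """Return (filename, sha256 of decoded bytes, raw base64 lines)."""
    for part in message_from_string(raw).walk():
        cte = (part.get("Content-Transfer-Encoding") or "").lower()
        if part.get_filename() and cte == "base64":
            lines = [l.strip() for l in part.get_payload().splitlines() if l.strip()]
            digest = hashlib.sha256(base64.b64decode("".join(lines))).hexdigest()
            return part.get_filename(), digest, lines
    raise ValueError("no base64 attachment found")

def compare(samples, min_len=60):
    """Check whether attachments are byte-identical and list shared base64 lines."""
    atts = [first_attachment(s) for s in samples]
    same_bytes = len({digest for _, digest, _ in atts}) == 1
    shared = set(atts[0][2]).intersection(*(set(a[2]) for a in atts[1:]))
    # Only full-width lines are useful as literal match strings in a filter rule.
    candidates = [l for l in atts[0][2] if l in shared and len(l) >= min_len]
    return same_bytes, candidates

# Constructed payload: placeholder bytes, not taken from any real sample.
PAYLOAD = bytes(range(256)) * 2

if __name__ == "__main__":
    a = make_sample("Hi there", "report.exe", PAYLOAD)
    b = make_sample("Look at this", "photo.pif", PAYLOAD)
    same, lines = compare([a, b])
    print("decoded attachments identical:", same)
    print("candidate signature lines:", len(lines))
    print("first candidate:", lines[0] if lines else None)
```

A literal base64 line only stays invariant while every copy is wrapped at the same column; if two samples decode to the same hash but share no lines, the encoder's line width differs and a line-based rule will miss.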