[Esd-l] Extensions with Trailer

John D. Hardin jhardin at impsec.org
Tue May 27 19:07:43 PDT 2003


On Tue, 27 May 2003, Robert Wagner wrote:

> We have been seeing this more often.
> 
> Virus:   WORM_PALYH.A
> \Virus\Sample3ec8529a1.pif_
> 
> It appears that the system can capture anything with the pif
> extension, but not pif_

Sigh. It's probably yet another thing Microsoft does to make stupidity
painless and their systems nondeterministic.

Can anyone confirm this? (the filenames, not my opinion of MS... :)

It'll be relatively easy to add to the sanitizer.

Call for vote: should there be an option to sanitize the filename by
deleting trailing underscores?

> Is there a simple way to fix this?

Well, you could add _* to the end of all your regexes in the mangle
list, but I'd have to think about the poisoned filename list for a bit
- the * has been recast from RE syntax to fileglob syntax.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.
                                            -- James Madison, 1799
-----------------------------------------------------------------------
   525 days until the Presidential Election
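The two matching styles discussed above (a regex "mangle list" that can take a trailing `_*`, and a fileglob "poisoned filename" list that cannot express "zero or more underscores") can be shown side by side. The following is an added illustration, not code from the Email Sanitizer itself; the list contents, the `classify` helper and the sample filenames are constructed for the example, and the sanitizer's real list formats are not reproduced here.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample attachment names (not taken from the thread), including a
# ".pif_" name of the kind reported as slipping past a plain ".pif" check.
SAMPLE_FILENAMES = [
    "Sample3ec8529a1.pif_",
    "invoice.pif",
    "readme.txt",
    "setup.exe__",
    "photo.jpg",
]

# Hypothetical mangle list in regex style. Appending "_*" before the anchor
# (the workaround suggested in the reply) makes each pattern also match the
# same extension followed by any number of trailing underscores.
MANGLE_REGEXES = [r"\.pif_*$", r"\.scr_*$", r"\.exe_*$", r"\.vbs_*$"]

# Hypothetical poisoned-filename list in fileglob syntax. A glob "*" means
# "anything" rather than "zero or more of the preceding character", so "_*"
# cannot be bolted on here; instead trailing underscores are removed from the
# filename before it is matched (the "delete trailing underscores" option
# put to a vote in the thread).
POISONED_GLOBS = ["*.pif", "*.scr", "*.exe"]


def strip_trailing_underscores(filename: str) -> str:
    """Normalise a filename by dropping any trailing underscores."""
    return filename.rstrip("_")


def matches_mangle_list(filename: str) -> bool:
    """Regex-style check: the patterns themselves tolerate trailing underscores."""
    return any(re.search(rx, filename, re.IGNORECASE) for rx in MANGLE_REGEXES)


def is_poisoned(filename: str) -> bool:
    """Glob-style check: normalise first, then match case-insensitively."""
    name = strip_trailing_underscores(filename).lower()
    return any(fnmatchcase(name, glob.lower()) for glob in POISONED_GLOBS)


def classify(filename: str) -> list:
    """Return which checks flag the filename: 'mangle', 'poison', both, or none."""
    flags = []
    if matches_mangle_list(filename):
        flags.append("mangle")
    if is_poisoned(filename):
        flags.append("poison")
    return flags


if __name__ == "__main__":
    for name in SAMPLE_FILENAMES:
        print(f"{name:28} -> {classify(name) or ['clean']}")
```

The point of the split is that the two lists need different fixes: the regex list is fixed by editing the patterns, while the glob list is only fixed by normalising the filename before matching. Stripping underscores before the glob check also catches `.exe__` with two underscores, which a single-character glob class such as `*.exe[_]` would miss.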