[Esd-l] Extensions with Trailer
John D. Hardin
jhardin at impsec.org
Tue May 27 19:07:43 PDT 2003
On Tue, 27 May 2003, Robert Wagner wrote:
> We have been seeing this more often.
>
> Virus: WORM_PALYH.A
> \Virus\Sample3ec8529a1.pif_
>
> It appears that the system can capture anything with the pif
> extension, but not pif_

Sigh. It's probably yet another thing Microsoft does to make stupidity
painless and their systems nondeterministic.

Can anyone confirm this? (the filenames, not my opinion of MS... :)
It'll be relatively easy to add to the sanitizer.

Call for vote: should there be an option to sanitize the filename by
deleting trailing underscores?

> Is there a simple way to fix this?

Well, you could add _* to the end of all your regexes in the mangle
list, but I'd have to think about the poisoned filename list for a bit
- the * has been recast from RE syntax to fileglob syntax.

--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The fetters imposed on liberty at home have ever been forged out
of the weapons provided for defense against real, pretended, or
imaginary dangers from abroad.
-- James Madison, 1799
-----------------------------------------------------------------------
525 days until the Presidential Election
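
The following is an added example, not part of the original message and not the sanitizer's own code. It contrasts the two fixes discussed above (appending `_*` to a regex versus deleting trailing underscores before matching) and shows why `_*` means something different in fileglob syntax. The list contents, function names, and case-insensitive matching are assumptions made for the illustration.

```python
import fnmatch
import re

# Constructed stand-ins for the two lists; not the sanitizer's real entries.
MANGLE_EXTS = r"pif|exe|scr"          # regex alternation of extensions
POISONED_GLOBS = ["*.pif", "*.scr"]   # fileglob patterns


def strip_trailing_underscores(name):
    """The proposed option: drop trailing underscores before matching."""
    return name.rstrip("_")


def mangle_match(name, underscore_suffix=False):
    """Regex match on the extension; optionally append '_*' to the pattern.

    In RE syntax '_*' means zero or more underscores, so both 'x.pif'
    and 'x.pif_' match once the suffix is added.
    """
    suffix = "_*" if underscore_suffix else ""
    pattern = r"\.(?:%s)%s$" % (MANGLE_EXTS, suffix)
    return re.search(pattern, name, re.IGNORECASE) is not None


def poisoned_match(name, globs=POISONED_GLOBS, normalize=False):
    """Fileglob match; optionally normalize the name first.

    In glob syntax '*' is 'any run of characters', so '*.pif_*' needs a
    literal underscore and accepts anything after it.
    """
    if normalize:
        name = strip_trailing_underscores(name)
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, g.lower()) for g in globs)


if __name__ == "__main__":
    sample = "Sample3ec8529a1.pif_"   # filename from the report above
    print("regex, unchanged:      ", mangle_match(sample))
    print("regex with _* suffix:  ", mangle_match(sample, True))
    print("glob, unchanged:       ", poisoned_match(sample))
    print("glob '*.pif_*' on .pif:", poisoned_match("a.pif", ["*.pif_*"]))
    print("glob after normalizing:", poisoned_match(sample, normalize=True))
```

Normalizing the filename once, before either list is consulted, avoids having to rewrite every pattern and behaves the same under both syntaxes.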