[Esd-l] Extensions with Trailer

John D. Hardin jhardin at impsec.org
Tue May 27 19:07:43 PDT 2003

On Tue, 27 May 2003, Robert Wagner wrote:

> We have been seeing this more often.
> Virus:   WORM_PALYH.A
> \Virus\Sample3ec8529a1.pif_
> It appears that the system can capture anything with the pif
> extension, but not pif_

Sigh. It's probably yet another thing Microsoft does to make stupidity
painless and their systems nondeterministic.

Can anyone confirm this? (the filenames, not my opinion of MS... :)

It'll be relatively easy to add to the sanitizer.

Call for vote: should there be an option to sanitize the filename by
deleting trailing underscores?

> Is there a simple way to fix this?  

Well, you could add _* to the end of all your regexes in the mangle
list, but I'd have to think about the poisoned filename list for a bit
- the * has been recast from RE syntax to fileglob syntax.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.
                                            -- James Madison, 1799
   525 days until the Presidential Election
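
The two readings of `_*` mentioned in the message (zero or more underscores as a regex, underscore plus anything as a fileglob), next to the proposed stripping of trailing underscores, as an added example that is not part of the original message or the sanitizer's own code. The pattern lists and function names are hypothetical and the sample filenames are constructed.

```python
import fnmatch
import re

# Hypothetical policy lists for illustration; not the sanitizer's real configuration.
MANGLE_EXT_RE = r"\.(?:pif|scr|exe)"   # regex-style extension list
POISONED_GLOBS = ["*.pif", "*.scr"]    # fileglob-style filename list


def regex_blocks(filename, allow_trailing_underscores):
    """Regex match on the extension; here `_*` means zero or more underscores."""
    tail = "_*$" if allow_trailing_underscores else "$"
    return re.search(MANGLE_EXT_RE + tail, filename, re.IGNORECASE) is not None


def glob_blocks(filename, globs=POISONED_GLOBS):
    """Fileglob match; in a glob `*` means any run of characters."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, g) for g in globs)


def strip_trailing_underscores(filename):
    """The normalisation proposed in the message: delete trailing underscores."""
    return filename.rstrip("_")


def compare(filename):
    """Return each matching strategy's verdict for one attachment name."""
    underscore_globs = [g + "_*" for g in POISONED_GLOBS]
    return {
        "regex_plain": regex_blocks(filename, False),
        "regex_underscore_star": regex_blocks(filename, True),
        "glob_plain": glob_blocks(filename),
        "glob_underscore_star": glob_blocks(filename, underscore_globs),
        "glob_after_strip": glob_blocks(strip_trailing_underscores(filename)),
    }


# Constructed sample names; the .pif_ form mirrors the report quoted above.
SAMPLES = ["Sample.pif", "Sample.pif_", "Sample.pif__",
           "report.pif_notes.txt", "notes.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, compare(sample))
```

As a glob, `*.pif_*` stops matching a plain `.pif` name and starts matching `report.pif_notes.txt`, so a glob list would need both entries, whereas stripping trailing underscores before matching leaves the existing patterns unchanged.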
