[Esd-l] Re: Sanitizer and zip virus
Agostini yves
agostini at univ-metz.fr
Wed Jan 28 09:00:28 PST 2004
On Wed 28/01/2004 at 14:52, John D. Hardin wrote:
> On 28 Jan 2004, Agostini yves wrote:
>
> > I had a small idea : use strings and make grep on PK$ to find
> > names of files in the zip
>
> I played with some handy .ZIP files and learned two things:
>
> 1) filenames can also end in "UT".
well :
----------------------------
#!/usr/bin/bash
for i in `locate .zip`
do
echo "$i"
# guess the marker that follows the file names in the strings output:
# "PK" (the next local header) or "UT" (extended timestamp extra field)
TYPE=`cat "$i" | strings | head -n1 | sed 's/\(.*\)\(..\)./\2/' | egrep "UT|PK"`
if [ "$TYPE" = "" ] ; then
TYPE=`cat "$i" | strings | tail -n1 | sed 's/\(.*\)\(..\)/\2/'`
fi
echo "$TYPE"
# print every string that ends with that marker
cat "$i" | strings | grep "${TYPE}\$"
echo "-"
done
-----------------------------
... and it doesn't work for some large zips -> it's a stupid idea
then
--------------------------
#!/usr/bin/bash
for i in `locate .zip`
do
echo "$i"
# keep only the member lines of `unzip -l` (length, date, time, name),
# skipping the header and the totals footer, then drop any directory part
unzip -l "$i" | awk '$1 ~ /^[0-9]+$/ && $2 ~ /-/ {print $4$5$6}' | sed 's/\(.*\)\/\(.*\)$/\2/'
done
--------------------------
could be better if the same unzip exists on other OSes
$4$5$6 catches files like data.doc .exe
^^^^^
maybe zips with files in poisoned-files could be rejected,
and zips with other executable files could be renamed to
"TAKE-CARE-WITH-EXE-name.zip"
> 2) encrypted ZIPs don't encrypt the list of files in the ZIP.
--
-----------------------------------------------------------------
AGOSTINI Yves CRIUM - Université de Metz
agostini at univ-metz.fr http://www.crium.univ-metz.fr
tel: 03 87 31 52 63 fax: 03 87 31 53 33
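The approach discussed in this thread (read the member names out of the ZIP itself, note the "UT" marker that follows names, rely on encrypted archives still listing names in the clear, then reject or rename by extension) is worked through below as an added example. It is not code from the post or from the Sanitizer: the poisoned and executable extension sets, the sample archive and the member names in it are assumptions constructed for the example. The parser walks the central directory directly, so it does not depend on the local unzip's `-l` layout, and it handles the padded "data.doc .exe" names that the awk trick was meant to catch.

```python
import io
import os
import struct
import zipfile

# Policy lists are assumptions for this example, not the sanitizer's own
# poisoned-files configuration.
POISONED = {".pif", ".scr", ".vbs", ".lnk"}     # reject the whole archive
EXECUTABLE = {".exe", ".com", ".bat", ".cmd"}   # pass on under a warning name

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
UT_EXTRA_ID = 0x5455       # "UT": extended timestamp extra field


def _cd_entries(data):
    """Yield (offset, flags, name, extra) for each central directory header.
    Only headers are read, never member data, so this works on encrypted
    archives too: classic ZIP encryption covers the data, not the names."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    entries, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        flags, = struct.unpack_from("<H", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        raw_name = data[pos + 46:pos + 46 + name_len]
        name = raw_name.decode("utf-8" if flags & 0x800 else "cp437")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        yield pos, flags, name, extra
        pos += 46 + name_len + extra_len + comment_len


def _has_ut(extra):
    """True if the extra field carries a 0x5455 ("UT") timestamp block."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        if header_id == UT_EXTRA_ID:
            return True
        pos += 4 + size
    return False


def list_members(data):
    """Return [(name, encrypted, has_ut), ...] from the central directory."""
    return [(name, bool(flags & 1), _has_ut(extra))
            for _pos, flags, name, extra in _cd_entries(data)]


def extension(name):
    """Lowercased extension of the member's basename; trailing padding is
    stripped so "data.doc      .exe" is judged by its real ".exe"."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip()
    return os.path.splitext(base)[1].lower()


def classify(data, zip_name):
    """Policy from the post: reject if any member is poisoned, rename if any
    member is merely executable, otherwise pass the archive unchanged."""
    exts = [extension(name) for name, _enc, _ut in list_members(data)]
    if any(ext in POISONED for ext in exts):
        return "reject", None
    if any(ext in EXECUTABLE for ext in exts):
        return "rename", "TAKE-CARE-WITH-EXE-" + zip_name
    return "pass", zip_name


def sample_zip(names, encrypt=()):
    """Constructed sample archive (not a real attachment). Every member gets
    a "UT" extra field, which is why `strings` shows names ending in UT.
    Members listed in `encrypt` get general-purpose flag bit 0 set in the
    central directory, as ZipCrypto would, to show the name stays readable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name)
            info.extra = struct.pack("<HHBI", UT_EXTRA_ID, 5, 1, 0)
            zf.writestr(info, b"constructed payload")
    data = bytearray(buf.getvalue())
    for pos, flags, name, _extra in list(_cd_entries(bytes(data))):
        if name in encrypt:
            struct.pack_into("<H", data, pos + 8, flags | 1)
    return bytes(data)


if __name__ == "__main__":
    trick = "data.doc                .exe"
    archive = sample_zip(["readme.txt", trick], encrypt=[trick])
    for member in list_members(archive):
        print(member)
    print(classify(archive, "invoice.zip"))
```

Because the verdict comes from the central directory rather than from the local headers, an attacker who pads the name or hides the member behind a directory prefix still gets the same extension check; what this does not cover is a member whose central directory name differs from its local header name, which a sanitizer should treat as a corrupt archive rather than trust either copy.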