[Esd-l] Anyone have an invariant signature for Goker?

Murray Crane mcrane at longbridge.com
Mon Dec 17 05:14:00 PST 2001


On Fri, 14 Dec 2001 12:48:10 -0700, Brett Glass wrote:

>This worm uses variable subjects and attachment names, as well as some 
>extensions (such as .exe) that may not be practical to block. Anyone have 
>a signature?

Brett,

Well, running a 'diff' against the two copies of this that we have quarantined so far I would suggest that the base64 encoded attachments are identical, certainly for the two examples I have gotten. It may be possible to fashion a local rule based on that base64 encoding, which I have seen done for another virus (hybris).

A thought, surely.  I'd be happy to pool quarantined examples to help move this along.

Murray Crane
Network Systems Administrator
Longbridge International Plc
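
The comparison described in the message above, as an added example that is not part of the original post: it parses quarantined copies, hashes each decoded attachment, and lists the base64 lines common to every copy, which are the candidates for a body-match rule. The function names and the sample messages are assumptions constructed for illustration; the payload is placeholder bytes, not a real sample.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

def attachments(raw: bytes):
    """Yield (filename, decoded bytes, base64 text lines) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        if part.is_multipart():                 # e.g. a forwarded message/rfc822
            continue
        encoded = part.get_payload()            # transfer-encoded text as sent
        decoded = part.get_payload(decode=True) or b""
        yield part.get_filename(), decoded, encoded.split()

def invariant_digests(samples):
    """SHA-256 digests of attachment payloads present in every sample."""
    per_sample = [{hashlib.sha256(d).hexdigest() for _, d, _ in attachments(s)}
                  for s in samples]
    return set.intersection(*per_sample) if per_sample else set()

def invariant_lines(samples):
    """Base64 lines shared by every sample, in first-sample order."""
    per_sample = [[ln for _, _, lines in attachments(s) for ln in lines]
                  for s in samples]
    if not per_sample:
        return []
    rest = [set(lines) for lines in per_sample[1:]]
    return [ln for ln in per_sample[0] if all(ln in r for r in rest)]

def make_sample(subject, filename, payload):
    """Build a constructed quarantine sample (not a real message)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

# Constructed stand-in bytes; subjects and attachment names vary per copy.
PAYLOAD = b"MZ" + bytes(range(256)) * 4
SAMPLES = [make_sample("hello", "a.exe", PAYLOAD),
           make_sample("re: files", "b.scr", PAYLOAD)]

if __name__ == "__main__":
    print(invariant_digests(SAMPLES))
    print(invariant_lines(SAMPLES)[:2])
```

Shared lines only survive if every copy was encoded with the same line wrapping; the digest comparison works on the decoded bytes and does not depend on that.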


