git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@728 77e5149b-7576-45b1-b177-96237e5ba77b
Tomasz Kojm authored on 2004/08/06 03:01:20... | ... |
@@ -1,3 +1,8 @@ |
1 |
+Thu Aug 5 19:53:40 CEST 2004 (tk) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav: integrate Mydoom.M log detector from Trog (temporary feature) |
|
4 |
+ * libclamav: pe: fix FSG detection (aCaB) |
|
5 |
+ |
|
1 | 6 |
Thu Aug 5 11:41:00 CEST 2004 (tk) |
2 | 7 |
---------------------------------- |
3 | 8 |
* libclamav: pe: pass virtual instead of raw address of entry point to |
@@ -426,7 +426,7 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c |
426 | 426 |
return CL_EIO; |
427 | 427 |
} |
428 | 428 |
|
429 |
- if(buff[0]=='\x87' || buff [1]=='\x25') { |
|
429 |
+ if(buff[0]=='\x87' && buff [1]=='\x25') { |
|
430 | 430 |
|
431 | 431 |
/* FSG support - thanks to aCaB ! */ |
432 | 432 |
|
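Review bot: The repaired condition `buff[0]=='\x87' && buff [1]=='\x25'` still compares bytes through character constants whose value depends on the signedness of plain char: if `buff` is declared `unsigned char` (its declaration is outside this hunk, so I cannot confirm) on a target where char is signed, `'\x87'` is -121 and never equals 0x87, so FSG-packed files would be silently missed. Comparing through `unsigned char` removes that dependency: `if((unsigned char)buff[0] == 0x87 && (unsigned char)buff[1] == 0x25) {`. The stray space in `buff [1]` should also go. cli_scanpe starts and ends outside the hunk.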
@@ -28,6 +28,8 @@ |
28 | 28 |
#include <sys/stat.h> |
29 | 29 |
#include <fcntl.h> |
30 | 30 |
#include <dirent.h> |
31 |
+#include <netinet/in.h> |
|
32 |
+ |
|
31 | 33 |
|
32 | 34 |
#if HAVE_MMAP |
33 | 35 |
#if HAVE_SYS_MMAN_H |
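Review bot: `<netinet/in.h>` is included unconditionally while the neighbouring system headers in this file are selected through configure macros such as `HAVE_SYS_MMAN_H`, so a platform without that header now fails to compile before any feature check runs. The header is presumably pulled in for `ntohl()` used by the new log detector, but POSIX declares `ntohl()` in `<arpa/inet.h>`; `<netinet/in.h>` only happens to provide it on common systems. I'd guard the include with a configure-derived macro in the file's existing style (a `HAVE_…` test added to configure, name to be chosen) and include `<arpa/inet.h>` alongside it.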
@@ -693,6 +695,43 @@ static int cli_scanhtml(int desc, const char **virname, long int *scanned, const |
693 | 693 |
#endif |
694 | 694 |
} |
695 | 695 |
|
696 |
+static int cli_scan_mydoom_log(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
|
697 |
+{ |
|
698 |
+ int32_t record[8], check; |
|
699 |
+ int i, retval=CL_VIRUS, j; |
|
700 |
+ |
|
701 |
+ cli_dbgmsg("in mydoom_log\n"); |
|
702 |
+ |
|
703 |
+ /* Check upto the first five records in the file */ |
|
704 |
+ for (j=0 ; j<5 ; j++) { |
|
705 |
+ if (cli_readn(desc, &record, 32) != 32) { |
|
706 |
+ break; |
|
707 |
+ } |
|
708 |
+ |
|
709 |
+ /* Decode the key */ |
|
710 |
+ record[0] = ~ntohl(record[0]); |
|
711 |
+ cli_dbgmsg("key: %lu\n", record[0]); |
|
712 |
+ check = 0; |
|
713 |
+ for (i=1 ; i<8; i++) { |
|
714 |
+ record[i] = ntohl(record[i]) ^ record[0]; |
|
715 |
+ check += record[i]; |
|
716 |
+ } |
|
717 |
+ cli_dbgmsg("check: %lu\n", ~check); |
|
718 |
+ if ((~check) != record[0]) { |
|
719 |
+ return CL_CLEAN; |
|
720 |
+ } |
|
721 |
+ } |
|
722 |
+ |
|
723 |
+ if (j < 2) { |
|
724 |
+ retval = CL_CLEAN; |
|
725 |
+ } else if (retval==CL_VIRUS) { |
|
726 |
+ if(virname) |
|
727 |
+ *virname = "Mydoom.M.log"; |
|
728 |
+ } |
|
729 |
+ |
|
730 |
+ return retval; |
|
731 |
+} |
|
732 |
+ |
|
696 | 733 |
static int cli_scandir(const char *dirname, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
697 | 734 |
{ |
698 | 735 |
DIR *dd; |
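Review bot: `cli_dbgmsg("key: %lu\n", record[0])` and `cli_dbgmsg("check: %lu\n", ~check)` pass an `int32_t` where `%lu` expects an `unsigned long`, which is undefined behaviour and prints garbage on 64-bit targets, and `check += record[i]` accumulates in a signed 32-bit type, so the wrap-around the checksum relies on is signed overflow (also UB). Declaring `record` and `check` as `uint32_t` makes the wrap well defined, matches the `uint32_t` that `ntohl()` returns, and keeps the `(~check) != record[0]` comparison unsigned; `cli_readn(desc, &record, 32)` can then use `sizeof record` rather than the magic 32 (this assumes cli_readn returns the byte count — its definition is not visible here). Two smaller points: `else if (retval==CL_VIRUS)` is always true because nothing else assigns `retval`, so a plain `else` reads more honestly, and because the ChangeLog calls this a temporary feature a header comment saying so would help it get removed later. Note the heuristic accepts a file after only two 32-byte records whose XOR-decoded sum matches the key, so the detector's false-positive risk is worth a comment too.
```c
	uint32_t record[8], check;	/* unsigned: ntohl() returns uint32_t and the sum is meant to wrap */
	/* … unchanged: remaining locals and "in mydoom_log" debug message … */
	for (j=0 ; j<5 ; j++) {
		if (cli_readn(desc, record, sizeof record) != (int) sizeof record) {
			break;
		}
		/* … unchanged: key decode … */
		cli_dbgmsg("key: %u\n", (unsigned int) record[0]);
		/* … unchanged: XOR/sum loop … */
		cli_dbgmsg("check: %u\n", (unsigned int) ~check);
		/* … unchanged: checksum comparison and early CL_CLEAN return … */
	}
	/* … unchanged: record-count check, virname assignment, return … */
```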
@@ -1085,6 +1124,7 @@ int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const |
1085 | 1085 |
} |
1086 | 1086 |
|
1087 | 1087 |
default: |
1088 |
+ ret = cli_scan_mydoom_log(desc, virname, scanned, root, limits, options, arec, mrec); |
|
1088 | 1089 |
break; |
1089 | 1090 |
} |
1090 | 1091 |
|
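Review bot: The call added under `default:` runs the Mydoom log detector for every file type this switch does not handle, reading up to 160 bytes from `desc` and leaving the offset advanced; whether the code after the switch (outside this hunk) rewinds before scanning `desc` again is not visible, so it is worth confirming that an `lseek(desc, 0, SEEK_SET)` follows, as the other cases presumably rely on. Since the ChangeLog in this commit marks the detector as temporary, a comment on the call, `/* temporary: Mydoom.M log detector, see ChangeLog entry of 2004-08-05 */`, would keep it from outliving its purpose. cli_magic_scandesc starts and ends outside the hunk.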