Browse code
integrate Mydoom.M log detector
git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@728 77e5149b-7576-45b1-b177-96237e5ba77b
Tomasz Kojm authored on 2004/08/06 03:01:20Showing 3 changed files
| ... | ... |
@@ -1,3 +1,8 @@ |
| 1 |
+Thu Aug 5 19:53:40 CEST 2004 (tk) |
|
| 2 |
+---------------------------------- |
|
| 3 |
+ * libclamav: integrate Mydoom.M log detector from Trog (temporary feature) |
|
| 4 |
+ * libclamav: pe: fix FSG detection (aCaB) |
|
| 5 |
+ |
|
| 1 | 6 |
Thu Aug 5 11:41:00 CEST 2004 (tk) |
| 2 | 7 |
---------------------------------- |
| 3 | 8 |
* libclamav: pe: pass virtual instead of raw address of entry point to |
| ... | ... |
@@ -426,7 +426,7 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c |
| 426 | 426 |
return CL_EIO; |
| 427 | 427 |
} |
| 428 | 428 |
|
| 429 |
- if(buff[0]=='\x87' || buff [1]=='\x25') {
|
|
| 429 |
+ if(buff[0]=='\x87' && buff [1]=='\x25') {
|
|
| 430 | 430 |
|
| 431 | 431 |
/* FSG support - thanks to aCaB ! */ |
| 432 | 432 |
|
| ... | ... |
@@ -28,6 +28,8 @@ |
| 28 | 28 |
#include <sys/stat.h> |
| 29 | 29 |
#include <fcntl.h> |
| 30 | 30 |
#include <dirent.h> |
| 31 |
+#include <netinet/in.h> |
|
| 32 |
+ |
|
| 31 | 33 |
|
| 32 | 34 |
#if HAVE_MMAP |
| 33 | 35 |
#if HAVE_SYS_MMAN_H |
| ... | ... |
@@ -693,6 +695,43 @@ static int cli_scanhtml(int desc, const char **virname, long int *scanned, const |
| 693 | 693 |
#endif |
| 694 | 694 |
} |
| 695 | 695 |
|
| 696 |
+static int cli_scan_mydoom_log(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
|
| 697 |
+{
|
|
| 698 |
+ int32_t record[8], check; |
|
| 699 |
+ int i, retval=CL_VIRUS, j; |
|
| 700 |
+ |
|
| 701 |
+ cli_dbgmsg("in mydoom_log\n");
|
|
| 702 |
+ |
|
| 703 |
+ /* Check upto the first five records in the file */ |
|
| 704 |
+ for (j=0 ; j<5 ; j++) {
|
|
| 705 |
+ if (cli_readn(desc, &record, 32) != 32) {
|
|
| 706 |
+ break; |
|
| 707 |
+ } |
|
| 708 |
+ |
|
| 709 |
+ /* Decode the key */ |
|
| 710 |
+ record[0] = ~ntohl(record[0]); |
|
| 711 |
+ cli_dbgmsg("key: %lu\n", record[0]);
|
|
| 712 |
+ check = 0; |
|
| 713 |
+ for (i=1 ; i<8; i++) {
|
|
| 714 |
+ record[i] = ntohl(record[i]) ^ record[0]; |
|
| 715 |
+ check += record[i]; |
|
| 716 |
+ } |
|
| 717 |
+ cli_dbgmsg("check: %lu\n", ~check);
|
|
| 718 |
+ if ((~check) != record[0]) {
|
|
| 719 |
+ return CL_CLEAN; |
|
| 720 |
+ } |
|
| 721 |
+ } |
|
| 722 |
+ |
|
| 723 |
+ if (j < 2) {
|
|
| 724 |
+ retval = CL_CLEAN; |
|
| 725 |
+ } else if (retval==CL_VIRUS) {
|
|
| 726 |
+ if(virname) |
|
| 727 |
+ *virname = "Mydoom.M.log"; |
|
| 728 |
+ } |
|
| 729 |
+ |
|
| 730 |
+ return retval; |
|
| 731 |
+} |
|
| 732 |
+ |
|
| 696 | 733 |
static int cli_scandir(const char *dirname, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec) |
| 697 | 734 |
{
|
| 698 | 735 |
DIR *dd; |
| ... | ... |
@@ -1085,6 +1124,7 @@ int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const |
| 1085 | 1085 |
} |
| 1086 | 1086 |
|
| 1087 | 1087 |
default: |
| 1088 |
+ ret = cli_scan_mydoom_log(desc, virname, scanned, root, limits, options, arec, mrec); |
|
| 1088 | 1089 |
break; |
| 1089 | 1090 |
} |
| 1090 | 1091 |
|