@@ -1,3 +1,8 @@

+Mon May  1 20:30:10 CEST 2006 (tk)

+----------------------------------

+  * libclamav/pe.c: add W32.Polipos.A detection

+		    Thanks to aCaB for virus analysis and detection improvements

+

 Mon May  1 19:54:57 CEST 2006 (tk)

 ----------------------------------

   * freshclam/manager.c: fix possible buffer overflow

@@ -1,5 +1,5 @@

 /*

- *  Copyright (C) 2004 - 2005 Tomasz Kojm <tkojm@clamav.net>

+ *  Copyright (C) 2004 - 2006 Tomasz Kojm <tkojm@clamav.net>

  *

  *  With additions from aCaB <acab@clamav.net>

  *

@@ -61,6 +61,11 @@

 extern short cli_leavetemps_flag;

+struct offset_list {

+    uint32_t offset;

+    struct offset_list *next;

+};

+

 static uint32_t cli_rawaddr(uint32_t rva, struct pe_image_section_hdr *shp, uint16_t nos, unsigned int *err)

 {

 	int i, found = 0;

@@ -74,7 +79,6 @@ static uint32_t cli_rawaddr(uint32_t rva, struct pe_image_section_hdr *shp, uint

     }

     if(!found) {

-	cli_dbgmsg("Can't calculate raw address from RVA 0x%x\n", rva);

 	*err = 1;

 	return 0;

     }

@@ -143,7 +147,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	uint16_t nsections;

 	uint32_t e_lfanew; /* address of new exe header */

 	uint32_t ep; /* entry point (raw) */

-	uint32_t tmp;

+	uint8_t polipos = 0;

 	time_t timestamp;

 	struct pe_image_file_hdr file_hdr;

 	struct pe_image_optional_hdr32 optional_hdr32;

@@ -151,11 +155,13 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	struct pe_image_section_hdr *section_hdr;

 	struct stat sb;

 	char sname[9], buff[4096], *tempfile;

+	unsigned char *ubuff;

+	ssize_t bytes;

 	unsigned int i, found, upx_success = 0, min = 0, max = 0, err, broken = 0;

 	unsigned int ssize = 0, dsize = 0, dll = 0, pe_plus = 0;

 	int (*upxfn)(char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t) = NULL;

 	char *src = NULL, *dest = NULL;

-	int ndesc, ret;

+	int ndesc, ret = CL_CLEAN;

 	size_t fsize;

@@ -536,6 +542,14 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 		max = EC32(section_hdr[i].VirtualAddress) + EC32(section_hdr[i].SizeOfRawData);

 	}

+	if(SCAN_ALGO && !strlen(sname)) {

+	    if(EC32(section_hdr[i].VirtualSize) > 40000 && EC32(section_hdr[i].VirtualSize) < 70000) {

+		if(EC32(section_hdr[i].Characteristics) == 0xe0000060) {

+		    polipos = i;

+		}

+	    }

+	}

+

     }

     if(pe_plus)

@@ -609,6 +623,98 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	}

     }

+    /* W32.Polipos.A */

+   if(polipos && !dll && !pe_plus && nsections > 2 && nsections < 13 && e_lfanew <= 0x800 && (EC16(optional_hdr32.Subsystem) == 2 || EC16(optional_hdr32.Subsystem) == 3) && EC16(file_hdr.Machine) == 0x14c && optional_hdr32.SizeOfStackReserve >= 0x80000) {

+		uint32_t remaining = EC32(section_hdr[0].SizeOfRawData);

+		uint32_t chunk = sizeof(buff);

+		uint32_t val, shift, raddr, curroff, total = 0;

+		const char *jpt;

+		struct offset_list *offlist = NULL, *offnode;

+

+

+	cli_dbgmsg("Detected W32.Polipos.A characteristics\n");

+

+	if(remaining < chunk)

+	    chunk = remaining;

+

+	lseek(desc, EC32(section_hdr[0].PointerToRawData), SEEK_SET);

+	while((bytes = cli_readn(desc, buff, chunk)) > 0) {

+	    shift = 0;

+	    while(bytes - 5 > shift) {

+		jpt = buff + shift;

+		if(*jpt!='\xe9' && *jpt!='\xe8') {

+		    shift++;

+		    continue;

+		}

+		val = cli_readint32(jpt + 1);

+		val += 5 + EC32(section_hdr[0].VirtualAddress) + total + shift;

+		raddr = cli_rawaddr(val, section_hdr, nsections, &err);

+

+		if(!err && (raddr >= EC32(section_hdr[polipos].PointerToRawData) && raddr < EC32(section_hdr[polipos].PointerToRawData) + EC32(section_hdr[polipos].SizeOfRawData)) && (!offlist || (raddr != offlist->offset))) {

+		    offnode = (struct offset_list *) cli_malloc(sizeof(struct offset_list));

+		    if(!offnode) {

+			free(section_hdr);

+			while(offlist) {

+			    offnode = offlist;

+			    offlist = offlist->next;

+			    free(offnode);

+			}

+			return CL_EMEM;

+		    }

+		    offnode->offset = raddr;

+		    offnode->next = offlist;

+		    offlist = offnode;

+		}

+

+		shift++;

+	    }

+

+	    if(remaining < chunk) {

+		chunk = remaining;

+	    } else {

+		remaining -= bytes;

+		if(remaining < chunk) {

+		    chunk = remaining;

+		}

+	    }

+

+	    if(!remaining)

+		break;

+

+	    total += bytes;

+	}

+

+	offnode = offlist;

+	while(offnode) {

+	    cli_dbgmsg("Polipos: Checking offset 0x%x (%u)", offnode->offset, offnode->offset);

+	    lseek(desc, offnode->offset, SEEK_SET);

+	    if(cli_readn(desc, buff, 9) == 9) {

+		ubuff = (unsigned char *) buff;

+		if(ubuff[0] == 0x55 && ubuff[1] == 0x8b && ubuff[2] == 0xec &&

+		   ((ubuff[3] == 0x83 && ubuff[4] == 0xec && ubuff[6] == 0x60) ||  ubuff[3] == 0x60 ||

+		     (ubuff[3] == 0x81 && ubuff[4] == 0xec && ubuff[7] == 0x00 && ubuff[8] == 0x00))) {

+		    ret = CL_VIRUS;

+		    *ctx->virname = "W32.Polipos.A";

+		    break;

+		}

+	    }

+

+	    offnode = offnode->next;

+	}

+

+	while(offlist) {

+	    offnode = offlist;

+	    offlist = offlist->next;

+	    free(offnode);

+	}

+

+	if(ret == CL_VIRUS) {

+	    free(section_hdr);

+	    return CL_VIRUS;

+	}

+    }

+

+

     if(broken) {

 	free(section_hdr);

 	return CL_CLEAN;