Menu
▾
▴
Re: [Wvware-devel] Extracting macros for OpenAntivirus
|
From: Kurt H. <ku...@ik...> - 2001-09-11 20:26:44
|
shaheed wrote: > This could easily be added to the new filter architecture. In theory, the macros are easy enough to find: if you could send me a Word document with several known macros in it, I will have a hack to make sure it can be supported. I try to get some infected files that can be shared. I had a look at some of them with LAOLA and they look alike: 0: 1 'Root Entry' (pps 0) ROOT 04.06.2001 07:33:04 1: 1 '1Table' (pps 1) FILE 1585 bytes 2: 2 'Macros' (pps 5) DIR 04.06.2001 07:33:04 3: 1 'VBA' (pps 6) DIR 04.06.2001 07:33:04 4: 1 'dir' (pps 7) FILE 1ec bytes 5: 2 'ThisDocument' (pps 8) FILE cfc bytes 6: 3 '_VBA_PROJECT' (pps 9) FILE b7e bytes 7: 2 'PROJECT' (pps a) FILE 16d bytes 8: 3 'PROJECTwm' (pps b) FILE 29 bytes 9: 3 ' CompObj' (pps c) FILE 6e bytes a: 4 'ObjectPool' (pps d) DIR 04.06.2001 07:33:04 b: 5 'WordDocument' (pps 2) FILE 181e bytes c: 6 ' SummaryInformation' (pps 3) FILE 1000 bytes d: 7 ' DocumentSummaryInformation' (pps 4) FILE 1000 bytes and another file 0: 1 'Root Entry' (pps 0) ROOT 06.09.2001 08:07:02 1: 1 '1Table' (pps 1) FILE 10f5 bytes 2: 2 'Macros' (pps 5) DIR 06.09.2001 08:07:02 3: 1 'VBA' (pps 6) DIR 06.09.2001 08:07:02 4: 1 'dir' (pps 9) FILE 298 bytes 5: 2 'ThisDocument' (pps 7) FILE 2e60 bytes 6: 3 '_VBA_PROJECT' (pps 8) FILE e2a bytes 7: 2 'PROJECT' (pps b) FILE 14a bytes 8: 3 'PROJECTwm' (pps a) FILE 29 bytes 9: 3 ' CompObj' (pps c) FILE 6a bytes a: 4 'WordDocument' (pps 2) FILE 302d bytes b: 5 ' SummaryInformation' (pps 3) FILE 1000 bytes c: 6 ' DocumentSummaryInformation' (pps 4) FILE 1000 bytes Looks like the macros are in a directory named 'Macros' and then 'VBA' Kurt -- Kurt Huwig iKu Netzwerklösungen http://www.iku-netz.de/ Gesellschafter Mainzer Straße 33-35 Telefon 0681/96751-0 ku...@ik... 66111 Saarbrücken Telefax 0681/96751-66 |