echo: alt-comp-anti-virus
to: ALL
from: APD
date: 2019-06-06 05:46:00
subject: Re: Kaspersky Rescue Disk

"Shadow" wrote:
> On Thu, 6 Jun 2019 01:19:56 +0100, "Apd" wrote:
>>XOR the base64 with 0xEF and you have plain text with a single
>>linefeed terminating each line. It's an XML report. Here's a line from
>>your second example, krdeicar.txt (wrapped for ease of reading):
>>
>>>
>> Object="@Filesystem[65ba0377-31a7-52e4-8e5b-5415b3a73f12]/Downloads/EICARAntiVirusTestFile.com"
>> Info="EICAR-Test-File" />
>
> Thanks for that. You must dream in hex, as I did 2 decades
> ago. Alas, all I dream about now is staying alive.

I know what you mean.

> Simple XORing. Who would have guessed?

A few years of malware analysis (and hex dreaming!) has got me used to
seeing those kinds of patterns.

> Too hard for me to figure out without your help. I will now
> write a little program in free Pascal or maybe 16 bit assembler to
> automate the process, unless you can recommend freeware (no online
> datamining stuff) that does it automatically?

McAfee made a Windows GUI tool called FileInsight which could do
base64 and XOR decode among other things but I can't find it on their
website now. I see Paul has posted some C code which does the job and
is similar to one of the several utilities I wrote myself for such
things.


--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
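
The decoding described in the post above, as an added example that is not part of the original message and is not the C code it mentions. It assumes the report is base64 text that is decoded first and then XORed byte by byte with 0xEF; the function names and the sample XML elements (`Report`, `Event`) are constructed for illustration.

```python
import base64
import binascii
import sys

XOR_KEY = 0xEF  # single-byte key given in the post


def decode_report(text: str, key: int = XOR_KEY) -> str:
    """Base64-decode each non-empty line, XOR every byte with key, return text."""
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            # validate=True rejects stray characters instead of skipping them
            raw = base64.b64decode(line, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"line {lineno}: not valid base64 ({exc})") from exc
        out.extend(b ^ key for b in raw)
    # Decode once at the end so a multi-byte character split across lines survives
    return out.decode("utf-8", errors="replace")


def encode_report(plain: str, key: int = XOR_KEY, width: int = 76) -> str:
    """Inverse transform, used here only to build the constructed sample."""
    xored = bytes(b ^ key for b in plain.encode("utf-8"))
    blob = base64.b64encode(xored).decode("ascii")
    # width is a multiple of 4, so every wrapped line is decodable on its own
    return "\n".join(blob[i:i + width] for i in range(0, len(blob), width)) + "\n"


# Constructed sample: element names and path are placeholders, not the real schema
SAMPLE_PLAIN = (
    "<Report>\n"
    '<Event Object="/Downloads/sample.com" Info="EICAR-Test-File" />\n'
    "</Report>\n"
)
SAMPLE_ENCODED = encode_report(SAMPLE_PLAIN)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to an encoded report file
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_ENCODED
    sys.stdout.write(decode_report(data))
```

Run it with a report file path as the only argument, or with no argument to decode the constructed sample.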

SOURCE: echomail via QWK@docsplace.org