Focus on Virus
Re: blocking BHX files with MIME May 17 2006 06:17PM
lsi (stuart cyberdelix net)

Good call. A quick search suggests that BinHex is a form of
UUencoding, i.e. uuencode for Mac... so I agree the sig might miss
some attachments.

I don't have any other samples, though, and since my policy is to only
filter on strings in use by malware, not the full set of theoretical
strings malware might use, I don't think I'll change the sig just

I don't filter on the full set because if the string is not in use,
there's no need to slow my filter down looking for something that's
not there.

You're right though, if some virus starts using 'begin 4', I will
need to remove a few characters from the end of the string.


On 17 May 2006 at 3:33, Peter Kosinar wrote:

> > YmVnaW4gNj
> Is it really the BHX (=BinHex) file format? Decoding the MIME sequence
> yields "begin 6" (+one incomplete character), which looks very similar to
> the UUE format. If it is actually UUE, the signature might be a bit too
> weak because a perfectly valid UUEncoded file could start with "begin 4"
> or "begin 7" or any other octal digit, as the three octal digits following
> "begin" specify the permissions of the encoded file.

Stuart Udall
stuart at (at) cyberdelix (dot) dot [email concealed] net -

* Origin: lsi: revolution through evolution (192:168/0.2)
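The decoding and mode-digit caveat Peter raises, as an added Python example that is not part of the original thread: it decodes the quoted base64 prefix, shows why a prefix match keyed on "begin 6" misses a body whose uuencode header carries a different mode, and checks the decoded body for any octal mode instead. The sample bodies are constructed, not real attachments.

```python
import base64
import re

# Base64 prefix quoted in the thread; decodes to "begin 6" plus a partial char.
QUOTED_SIG = "YmVnaW4gNj"

# uuencode header line: "begin" + three octal mode digits + a filename.
UU_HEADER = re.compile(rb"^begin [0-7]{3} \S+", re.MULTILINE)


def decode_partial_b64(prefix: str) -> bytes:
    """Decode a base64 fragment whose length is not a multiple of 4.

    A leftover single character carries fewer than 8 bits and cannot yield
    a byte, so it is dropped; two or three leftovers are padded with '='.
    """
    if len(prefix) % 4 == 1:
        prefix = prefix[:-1]
    return base64.b64decode(prefix + "=" * (-len(prefix) % 4))


def b64_prefix_matches(encoded_body: str, prefix: str = QUOTED_SIG) -> bool:
    """The narrow check: raw base64 text starts with the quoted signature.

    This only fires when 'begin' sits at base64 alignment 0 and the mode
    begins with '6'; 'begin 755' encodes to a different prefix.
    """
    return encoded_body.startswith(prefix)


def decoded_has_uu_header(encoded_body: str) -> bool:
    """The broader check: decode the body, then look for any uuencode
    'begin <octal mode> <name>' line regardless of the mode digits."""
    try:
        raw = base64.b64decode(encoded_body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return UU_HEADER.search(raw) is not None


# Constructed sample bodies (hypothetical, not real malware).
SAMPLE_644 = base64.b64encode(b"begin 644 report.exe\nM...\n`\nend\n").decode()
SAMPLE_755 = base64.b64encode(b"begin 755 report.exe\nM...\n`\nend\n").decode()
SAMPLE_PLAIN = base64.b64encode(b"Hello, no attachment here\n").decode()

if __name__ == "__main__":
    print(decode_partial_b64(QUOTED_SIG))           # b'begin 6'
    print(b64_prefix_matches(SAMPLE_755))           # False: sig misses mode 755
    print(decoded_has_uu_header(SAMPLE_755))        # True: header check catches it
```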
