[Vol-users] zeusscan2

I'm dealing with what appears to be a new Zeus variant and on a whim I tried to run zeusscan2 under a copy of Volatility 2.0 I still hang onto. Perhaps not surprisingly, it ends unhappily Volatile Systems Volatility Framework 2.0 Traceback (most recent call last): File "vol.py", line 135, in <module> main() File "vol.py", line 126, in main command.execute() File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/commands.py", line 101, in execute func(outfd, data) File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/zeusscan2.py", line 330, in render_text for p, start, url, config_key, creds_key, decoded_config, decoded_magic in data: File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/zeusscan2.py", line 221, in calculate data = malware.get_vad_data(ps_ad, start, end) File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/malware.py", line 856, in get_vad_data return ''.join(pages_one) OverflowError: join() result is too long for a Python string Now I strongly suspect that the new variant is just enough different that it messes with the parsing and results in a runaway, but I just wanted to make sure I'm not leaving something on the table here... Should this work? -=[ Steve ]=-