RE: [Full-Disclosure] Mydoom

["Remko Lodder" <remko@elvandar.org>]

even if it was a prefixed size.
one 'creative CRACKER or other lame person' would change
the virus with a single bit which makes it a bit larger,
and all the previous detects are USELESS , eventhough it
perhaps has the same sig as before

--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the
hackerscene 

-----Oorspronkelijk bericht-----
Van: full-disclosure-bounces@lists.elvandar.org
[mailto:full-disclosure-bounces@lists.elvandar.org]Namens Nick
FitzGerald
Verzonden: dinsdag 27 januari 2004 23:09
Aan: full-disclosure@lists.netsys.com
Onderwerp: Re: [Full-Disclosure] Mydoom


Vlad Galu <dudu@diaspar.rdsnet.ro> wrote:

> "Ferris, Robin" <R.Ferris@napier.ac.uk> writes:
> | 
> |Does any one know what the size of the attachment is when is comes in
> |as a zip file?
> 
>       It's the <compressed size>/<ratio>.

Admit it -- you're just guessing!

Mydoom makes its zip form by gluing together a .ZIP header for a 
single, stored (i.e. not compressed) file, the whole of the virus 
binary and a suitable one-file .ZIP central directory.  As the size of 
the first and third components depends on the length of the filename, 
the .ZIP is not of constant size because Mydoom uses different length 
filenames.

And, as I explained earlier, even the size of the .EXE can vary, adding 
yet another inconstancy to the equation.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-disclosure mailing list
Full-disclosure@lists.elvandar.org
http://lists.elvandar.org/mailman/listinfo/full-disclosure

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html