RE: [Full-Disclosure] Mydoom
- To: full-disclosure@lists.netsys.com
- Subject: RE: [Full-Disclosure] Mydoom
- From: Nick FitzGerald <nick@virus-l.demon.co.uk>
- Date: Wed, 28 Jan 2004 18:37:42 +1300
madsaxon <madsaxon@direcway.com> to me:
> >That page does not specifically address the "zip attachment" form at
> >all, and to the extent that it does mention .ZIP extensions it (_quite_
> >incorrectly) implies that the virus' executable is simply packaged with
> >such an extension. In fact, if it sends itself with a .ZIP extension,
> >Mydoom sends itself as a proper zip archive that contains a "stored"
> >(i.e. not compressed) copy of its executable.
>
> Two of the copies I've gotten have been proper .zip archives (with
> .zip extension) which contained a UPX compressed executable,
> many of whose ASCII strings were further obfuscated with ROT-13.
Dude, read what I said...
...if it sends itself with a .ZIP extension...
That is, of the options it has for sending itself, if it chooses the
zip archive option...
Keep up with the program!
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
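
An added example (not part of the original post, and not code from either correspondent): a Python check that separates the two cases argued over above, an executable that merely carries a .zip name versus a proper zip archive whose member is "stored" rather than compressed. The function names, verdict strings and harmless sample bytes are constructed for illustration.

```python
import io
import zipfile

MZ = b"MZ"  # first two bytes of a DOS/PE executable

def classify_attachment(data: bytes) -> str:
    """Classify the raw bytes of a mail attachment named *.zip."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # No zip structure at all: an executable that only carries a .zip name.
        return "renamed-executable" if data[:2] == MZ else "not-a-zip"
    verdict = "zip-no-executable"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                continue  # encrypted member, contents cannot be inspected
            try:
                with zf.open(info) as member:
                    head = member.read(2)
            except (NotImplementedError, zipfile.BadZipFile):
                continue  # unsupported compression method or corrupt member
            if head != MZ:
                continue
            if info.compress_type == zipfile.ZIP_STORED:
                # Proper archive holding an uncompressed executable.
                return "zip-stored-executable"
            verdict = "zip-compressed-executable"
    return verdict

def make_zip(name: str, payload: bytes, method: int) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed, harmless sample: an MZ marker followed by filler bytes.
FAKE_EXE = MZ + b"\x00" * 200

if __name__ == "__main__":
    samples = {
        "stored member": make_zip("doc.scr", FAKE_EXE, zipfile.ZIP_STORED),
        "deflated member": make_zip("doc.scr", FAKE_EXE, zipfile.ZIP_DEFLATED),
        "renamed executable": FAKE_EXE,
        "text only": make_zip("readme.txt", b"hello", zipfile.ZIP_STORED),
    }
    for label, blob in samples.items():
        print(f"{label}: {classify_attachment(blob)}")
```

Packing of the executable itself (such as the UPX packing mentioned in the quoted reply) is independent of the zip compression method, and a UPX-packed PE file still begins with MZ, so the check applies to it unchanged.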