[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disc]: [Full-Disclosure] mydoom.exe decyphering?

To: Danny <full-disclosure@lists.netsys.com>
Subject: Re: [Full-Disc]: [Full-Disclosure] mydoom.exe decyphering?
From: Anders <CNQQTROVMYSY@spammotel.com>
Date: Sat, 31 Jan 2004 16:15:10 +0100

Hi,

> OK, this can readily be deducted somewhat from the mydoom.exe but not
> entirely. Ironically aladdin systems can find itself back in the worm's
> 'strings' output... a part of it is compressed with stuffit.

Are you looking at the files from the URLs posted yesterday? Those
were packed with stuffit before uploaded. The stuffit part is not in
the version that's ITW.

> So: (sync-1...o.01; andy.I'm just doing myk....ob, noth.personal.....}rry)

> - how did sophos fill in the blanks, or did they

As discussed on the list, the files are packed with a runtime packer,
so, they have to be unpacked/dumped in order to see the unpacked data.

Best regards,
Anders


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: Re[2]: [Full-Disclosure] MyDoom download info.
Next by Date: [Full-Disclosure] Mydoom DDoS attack time table
Previous by thread: Re[2]: [Full-Disclosure] MyDoom download info.
Next by thread: [Full-Disclosure] Mydoom DDoS attack time table
Index(es):
- Date
- Thread