Re: [Full-Disclosure] MyDoom.f binary string
- To: Full Disclosure <full-disclosure@lists.netsys.com>
- Subject: Re: [Full-Disclosure] MyDoom.f binary string
- From: Jason Brewer <fulldisclosure99@yahoo.com>
- Date: Wed, 25 Feb 2004 13:58:27 -0600
SMTP monitoring tests using the previous binary string were unsuccessful.
This string resulted positive in all SMTP tests (not the virus itself, but sending
emails w/ an infected ZIP attached).
52 71 67 4E 64 65 42 4F 76 33 4F 71 4A 45 46 30
The previous tests involved SMB (copying the file to a network share).. The packet
sizes evidently ended smaller with SMTP and my original string got split over two
packets.
So.. I have no idea if either string will match when the virus tries to copy over
port 3127 (the only untested protocol), but I have rules with both strings setup and
waiting patiently.
Jason Brewer wrote:
> I was able to get my hands on two copies of the virus.. They are
> slightly different
> in size and definitely have different md5sums.
>
> I created a couple of signatures using this string that matched in both
> files:
>
> 25 E5 6C D1 3C 2B 44 53 A8 34 B0 C1 14 3F E4 37
>
> I'm monitoring ports 25, 135:139, 445, and 3127 with this signature to
> try and catch
> all methods of propagation.
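The split-over-two-packets failure described in the post, as an added example (not code from the original message or from any IDS the author used): a per-packet byte-string matcher misses a signature that straddles a segment boundary, while carrying the last len(sig)-1 bytes between segments, or reassembling the stream, finds it. The two signatures are the hex strings from the post; the surrounding payload is constructed filler, and the function names and segment size are assumptions for the demonstration.

```python
# Added example: why a fixed byte-string signature can be missed when the bytes
# straddle a packet boundary, and two ways a detector can recover the match.
# The signatures are the two hex strings from the post; the payload around them
# is constructed filler (0x41 bytes), not real content of the file.

SIG_SMTP = bytes.fromhex("52 71 67 4E 64 65 42 4F 76 33 4F 71 4A 45 46 30".replace(" ", ""))
SIG_FILE = bytes.fromhex("25 E5 6C D1 3C 2B 44 53 A8 34 B0 C1 14 3F E4 37".replace(" ", ""))


def build_sample(sig: bytes, offset: int, total: int) -> bytes:
    """Construct a stream of filler bytes with `sig` placed at `offset` (constructed data)."""
    assert offset + len(sig) <= total
    filler = b"A" * total
    return filler[:offset] + sig + filler[offset + len(sig):]


def split_into_packets(stream: bytes, mss: int) -> list[bytes]:
    """Cut a byte stream into fixed-size segments, like TCP segmentation at a given MSS."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def match_per_packet(packets: list[bytes], sig: bytes) -> list[int]:
    """Naive behaviour: test each segment on its own; returns indices of segments that hit."""
    return [i for i, pkt in enumerate(packets) if sig in pkt]


def match_with_carry(packets: list[bytes], sig: bytes) -> list[int]:
    """Stream-aware matching without full reassembly: keep the last len(sig)-1 bytes
    of the previous segment and prepend them before searching the next one.
    A 16-byte signature cannot fit in a 15-byte carry, so an occurrence is never
    reported twice; a match always needs at least one byte of the current segment."""
    hits = []
    carry = b""
    for i, pkt in enumerate(packets):
        window = carry + pkt
        if sig in window:
            hits.append(i)
        carry = window[-(len(sig) - 1):] if len(sig) > 1 else b""
    return hits


def match_reassembled(packets: list[bytes], sig: bytes) -> int:
    """Full reassembly: offset of the signature in the joined stream, or -1 if absent."""
    return b"".join(packets).find(sig)


def demo(sig: bytes, offset: int, total: int, mss: int) -> dict:
    """Run all three matchers over one constructed stream segmented at `mss`."""
    stream = build_sample(sig, offset, total)
    packets = split_into_packets(stream, mss)
    return {
        "packets": len(packets),
        "per_packet": match_per_packet(packets, sig),
        "with_carry": match_with_carry(packets, sig),
        "reassembled": match_reassembled(packets, sig),
    }


if __name__ == "__main__":
    # Signature placed so it straddles the boundary between segment 0 and segment 1:
    # per-packet matching reports nothing, carry matching reports segment 1.
    print(demo(SIG_SMTP, offset=1452, total=4000, mss=1460))
    # Same signature fully inside segment 0: every matcher agrees.
    print(demo(SIG_SMTP, offset=100, total=4000, mss=1460))
```

The carry approach is what a stream-aware rule engine effectively does when it inspects reassembled TCP data; a rule that only looks at individual packets will behave differently depending on the segment size the sending host chooses, which is exactly the difference the post saw between the SMB and SMTP tests.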
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html