RE: [Full-Disclosure] Mydoom
From: madsaxon (madsaxon_at_direcway.com)
Date: 01/27/04
- Previous message: Remko Lodder: "RE: [Full-Disclosure] Mydoom"
- In reply to: Nick FitzGerald: "RE: [Full-Disclosure] Mydoom"
- Next in thread: Nick FitzGerald: "RE: [Full-Disclosure] Mydoom"
- Reply: Nick FitzGerald: "RE: [Full-Disclosure] Mydoom"
To: full-disclosure@lists.netsys.com
Date: Tue, 27 Jan 2004 16:37:35 -0600
At 10:08 AM 1/28/2004 +1300, Nick FitzGerald wrote:
>That page does not specifically address the "zip attachment" form at
>all, and to the extent that it does mention .ZIP extensions it (_quite_
>incorrectly) implies that the virus' executable is simply packaged with
>such an extension. In fact, if it sends itself with a .ZIP extension,
>Mydoom sends itself as a proper zip archive that contains a "stored"
>(i.e. not compressed) copy of its executable.
Two of the copies I've gotten have been proper .zip archives (with
.zip extension) which contained a UPX compressed executable,
many of whose ASCII strings were further obfuscated with ROT-13.
m5x
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
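A static triage sketch for the attachment form discussed in this message (an added example, not part of the original post or thread): for each zip member it reports whether the entry is stored rather than compressed, whether it carries UPX section names, and which strings only become readable after ROT-13. The keyword list, size cap, member name and sample bytes are constructed assumptions; the sample is inert data.

```python
import codecs
import io
import re
import zipfile

EXEC_EXTS = (".exe", ".scr", ".pif", ".cmd", ".bat", ".com")
# Constructed keyword list (assumption): plaintext a triager would look for.
KEYWORDS = (b"software\\microsoft", b"mail from", b"rcpt to")
MAX_MEMBER = 8 * 1024 * 1024  # assumed cap on declared member size


def rot13_hits(data, min_len=6):
    """Return printable ASCII runs that show a keyword only after ROT-13."""
    hits = []
    for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data):
        decoded = codecs.decode(run.decode("ascii"), "rot_13").encode("ascii")
        if any(k in decoded.lower() and k not in run.lower() for k in KEYWORDS):
            hits.append(decoded.decode("ascii"))
    return hits


def triage_zip(blob):
    """Report storage method, UPX markers and ROT-13 strings per member."""
    report = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info) if info.file_size <= MAX_MEMBER else b""
            report.append({
                "name": info.filename,
                "stored": info.compress_type == zipfile.ZIP_STORED,
                "executable": data[:2] == b"MZ" or info.filename.lower().endswith(EXEC_EXTS),
                "upx": b"UPX0" in data and b"UPX1" in data,  # UPX section names
                "rot13": rot13_hits(data),
            })
    return report


def build_sample():
    """Constructed sample: inert bytes, not a real executable or malware."""
    body = b"MZ" + b"\x00" * 62 + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    body += codecs.encode("Software\\Microsoft\\Windows", "rot_13").encode("ascii") + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.scr", body)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample()))
```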