Re: [Full-Disclosure] RE: [Full-Disclosure]Not into Refuting tall-tales and stories about the Mydoom worms
jan.muenther_at_nruns.com
Date: 01/31/04
- In reply to: Clairmont, Jan: "[Full-Disclosure] RE: [Full-Disclosure]Not into Refuting tall-tales and stories about the Mydoom worms"
To: "Clairmont, Jan" <JMC13@mail3.cs.state.ny.us>
Date: Sat, 31 Jan 2004 00:47:14 +0100
> the possibility? There is plenty of unanalyzed code and looking at the
> disassembled code there are fingerprints of a tsr and forth in my opinion,
Plenty, eh? After de-UPX-ization, this thing is about 56k.
TSR in Windows?
And where do you see the Forth traces?
Looks a heck of a lot more like VC++ to me.
> Were the int calls examined for suspicious behavior?
Int calls, eh? You're aware that this is a PE binary?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html