RE: [Full-Disclosure] MyDoom download info
From: first last (randnut_at_hotmail.com)
Date: 01/31/04
- Previous message: John Vill: "Re: [Full-Disclosure] Script Kiddies [OT]"
- Maybe in reply to: Daniel Spisak: "[Full-Disclosure] MyDoom download info"
- Next in thread: Steve Wray: "RE: [Full-Disclosure] MyDoom download info"
- Reply: Steve Wray: "RE: [Full-Disclosure] MyDoom download info"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: full-disclosure@lists.netsys.com Date: Fri, 30 Jan 2004 23:44:14 +0000
> > >IE: how do you know that the behavior you see in the lab reflects
> > >behavior in
> > >the real world? (I get a kind of 'schrodingers cat' deja vu).
> >
> > You can always disassemble the virus, which is what people
> > will do if it's a real "popular" one such as MyDoom.
>
>IIRC there are viruses that are encrypted and are almost impossible
>to disassemble?
>
>Would that be true?
>
Sobig.F was packed with tElock. It's a PE file protector. It "encrypts" the
program's code and data, and tries to detect debuggers before giving control
to the real program. If you don't have the right tools and skills it could
be difficult to unpack it. IIRC, it took the anti-virus companies two days
to successfully unpack the program. All they really needed to do was dump it
from memory while it was running and they could've analyzed it immediately
with any disassembler.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
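The post describes a protector that stores the program encrypted on disk, checks for a debugger in its stub, and only then decrypts the real code in memory, which is why a memory dump of the running process is the quick way in. The following is an added example written for this page, not tElock, Sobig.F or any anti-virus vendor's code; it simulates that flow with a constructed x86 byte sample, a SHA-256 counter-mode keystream standing in for the protector's cipher, a hypothetical key, and a simulated "debugger attached" flag, and compares what an analyst sees on disk, under a detected debugger, and in a dump of the normally running image.

```python
"""Toy model of a tElock-style PE 'protector' and of the memory-dump
approach the post describes.  Added example for this page; it is not
tElock, Sobig.F or any anti-virus vendor's code.  The cipher (SHA-256 in
counter mode), the key, the sample section bytes and the 'debugger
attached' flag are all constructed for the demonstration."""
import hashlib
import math
from collections import Counter

# Constructed sample code section: real x86 encoding of
#   push ebp; mov ebp,esp; sub esp,0x10; xor eax,eax; leave; ret
# repeated so the entropy figures are meaningful.
ORIGINAL_CODE = bytes.fromhex("558bec83ec1033c0c9c3") * 80
PROLOGUE = bytes.fromhex("558bec")  # push ebp; mov ebp,esp


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data,
    typically 5-6.5 for native code, lower for this repetitive sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream (SHA-256 in counter mode) standing in for
    whatever cipher the protector uses; an assumption, not tElock's scheme."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pack(code: bytes, key: bytes) -> dict:
    """'Protect' a section: what lands on disk is ciphertext plus the
    stub's key material, so a static disassembler sees only noise."""
    return {"key": key, "section": xor(code, keystream(key, len(code)))}


def run_stub(packed: dict, debugger_attached: bool) -> bytes:
    """Simulate the protector's stub and return the section as it sits
    in memory afterwards.  The stub checks for a debugger first; if one
    is present it bails out and the section is never decrypted.  Without
    a debugger it decrypts in place before transferring control."""
    if debugger_attached:
        return packed["section"]
    return xor(packed["section"], keystream(packed["key"], len(packed["section"])))


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Crude packer heuristic: high entropy means no plaintext code here."""
    return shannon_entropy(data) >= threshold


def has_function_prologue(data: bytes) -> bool:
    """Stand-in for 'a disassembler finds real code here'."""
    return PROLOGUE in data


def analyse(key: bytes = b"constructed-key") -> dict:
    """Compare the three views an analyst gets: the file on disk, a dump
    taken under a debugger the stub detected, and a dump taken from the
    process running normally (the approach the post recommends)."""
    packed = pack(ORIGINAL_CODE, key)
    on_disk = packed["section"]
    under_debugger = run_stub(packed, debugger_attached=True)
    dumped = run_stub(packed, debugger_attached=False)
    return {
        "disk_entropy": shannon_entropy(on_disk),
        "disk_looks_packed": looks_packed(on_disk),
        "disk_has_code": has_function_prologue(on_disk),
        "debugger_dump_has_code": has_function_prologue(under_debugger),
        "dump_entropy": shannon_entropy(dumped),
        "dump_has_code": has_function_prologue(dumped),
        "dump_matches_original": dumped == ORIGINAL_CODE,
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name:>24}: {value}")
```

Run it and the on-disk section shows near-maximal entropy and no recognisable prologue, the dump taken while the stub's debugger check fired is still ciphertext, and the dump of the normally running image is byte-identical to the original code. On a real process the dump additionally needs the PE section headers fixed so raw offsets match the virtual layout, and the import table rebuilt, before a disassembler will load it cleanly; none of that requires defeating the protector's cipher.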