Re: [Full-Disclosure] MyDoom download info.

From: first last (randnut_at_hotmail.com)
Date: 01/31/04

    To: full-disclosure@lists.netsys.com
    Date: Sat, 31 Jan 2004 12:07:27 +0000

    > > It's still UPX packed, but it won't unpack with "UPX -d" because the author
    > > used a simple UPX scrambler. Either undo what he did or unpack it manually
    > > and you'll see all the code.
    >
    > It actually un-UPX-ed just fine for me. What version have you been trying?

    MyDoom.B as posted by someone else on this list. UPX -d doesn't work, so you
    have to do it manually, which shouldn't be a problem.

    > It disassembled nicely after that. The only other obfuscation (apart from
    > quite a bit of wild jmp'ing around) is the rot13'ed strings, which isn't,
    > erm, too challenging. Anything else?

    Anyone with basic assembler knowledge could understand MyDoom and any other
    virus.


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
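The rot13'ed strings the quoted reply mentions are the first thing an analyst recovers when triaging a sample like this. As an added example (not code from this thread, from MyDoom, or from any of the posters), here is a small Python string scanner that pulls printable runs out of a binary blob and flags the ones that only read sensibly after rot13; the sample blob and the token list are constructed for illustration, not taken from a real sample.

```python
import codecs
import re

# Constructed sample blob: a plaintext DLL name, two rot13-obfuscated SMTP
# strings and some non-printable junk in between. Not real malware data.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00"
    + codecs.encode("HELO localhost", "rot13").encode("ascii")
    + b"\x00\xff\x10"
    + b"kernel32.dll"
    + b"\x00\x00"
    + codecs.encode("RCPT TO:", "rot13").encode("ascii")
    + b"\x00\x7f"
)

# Runs of four or more printable ASCII bytes, as a classic `strings` pass would find.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Hypothetical list of tokens an analyst expects in a mass-mailer or Win32 binary:
# SMTP verbs and common import names. Extend to taste for a given sample.
KNOWN_TOKENS = ("HELO", "EHLO", "MAIL FROM", "RCPT TO", ".dll", "kernel32", "GetProcAddress")


def rot13(text: str) -> str:
    """rot13 is its own inverse, so one codec call both encodes and decodes."""
    return codecs.decode(text, "rot13")


def looks_meaningful(text: str) -> bool:
    """True when the candidate contains any of the expected tokens (case-insensitive)."""
    lowered = text.lower()
    return any(tok.lower() in lowered for tok in KNOWN_TOKENS)


def extract_strings(blob: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, 'plain'|'rot13', decoded_text) for every printable run that
    matches a known token either as-is or after rot13. A run is reported under
    both labels only if it matches both ways."""
    hits = []
    for match in PRINTABLE_RUN.finditer(blob):
        raw = match.group().decode("ascii")
        for label, candidate in (("plain", raw), ("rot13", rot13(raw))):
            if looks_meaningful(candidate):
                hits.append((match.start(), label, candidate))
    return hits


if __name__ == "__main__":
    for offset, label, text in extract_strings(SAMPLE_BLOB):
        print(f"{offset:#06x} {label:<5} {text}")
```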

