Re: [Full-Disc]: [Full-Disclosure] mydoom.exe decyphering?

From: Anders (CNQQTROVMYSY_at_spammotel.com)
Date: 01/31/04

    To: Danny <full-disclosure@lists.netsys.com>
    Date: Sat, 31 Jan 2004 16:15:10 +0100


    Hi,

    > OK, this can readily be deducted somewhat from the mydoom.exe but not
    > entirely. Ironically aladdin systems can find itself back in the worm's
    > 'strings' output... a part of it is compressed with stuffit.

    Are you looking at the files from the URLs posted yesterday? Those
    were packed with stuffit before being uploaded. The stuffit part is not in
    the version that's ITW.

    > So: (sync-1...o.01; andy.I'm just doing myk....ob, noth.personal.....}rry)

    > - how did sophos fill in the blanks, or did they

    As discussed on the list, the files are packed with a runtime packer,
    so they have to be unpacked/dumped in order to see the unpacked data.

    Best regards,
    Anders

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
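The point Anders makes about runtime packers is the reason `strings` output on a packed sample is full of gaps: readable text only exists in the image once it has been unpacked or dumped from memory. The script below is an added illustration and is not part of the thread or of any of the tools named in it. It builds a constructed, labelled byte buffer standing in for an unpacked data region, uses zlib compression as a stand-in for a runtime packer (an assumption; real packers differ, but the effect on `strings` is the same), and shows that printable-string extraction finds the markers only before packing and again after unpacking, while byte entropy jumps in the packed form. Both checks are routine triage steps an analyst runs before deciding a sample needs unpacking.

```python
import math
import re
import zlib

# Constructed stand-in for a readable data region of an unpacked executable:
# long zero padding (as a real binary has) around a few ASCII markers.
PLAIN = (
    b"\x00" * 256
    + b"CONSTRUCTED MARKER ONE: readable text in the unpacked image\x00"
    + b"CONSTRUCTED MARKER TWO: a second string\x00"
    + b"\x00" * 256
)

# zlib stands in for the runtime packer (assumption, see lead-in).
PACKED = zlib.compress(PLAIN, 9)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Readable/zero-padded data sits low; packed,
    compressed or encrypted regions approach the 8.0 ceiling."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Same idea as the `strings` utility: runs of printable ASCII
    at least min_len bytes long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def unpack(data: bytes) -> bytes:
    """Reverse the stand-in packer; a real sample would be dumped from
    memory after the packer stub has finished instead."""
    return zlib.decompress(data)


def triage(data: bytes) -> dict:
    """Summarise what an analyst sees before deciding whether to unpack."""
    found = extract_strings(data)
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "string_count": len(found),
        "marker_visible": any(s.startswith("CONSTRUCTED MARKER ONE") for s in found),
    }


if __name__ == "__main__":
    for label, blob in (("unpacked", PLAIN), ("packed", PACKED), ("dumped", unpack(PACKED))):
        print(label, triage(blob))
```

On the constructed input the packed form reports no marker and markedly higher entropy than the padded plaintext, and the dumped (unpacked) form reports the markers again, which is exactly why the blanks in the quoted `strings` output could only be filled after unpacking.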

