Re: information and reverse engineering bits of the Mydoom worm
From: Markus Zingg (m.zingg_at_nct.ch)
Date: 01/29/04
- Next message: Mike Maz: "Re: Security for individual items"
- Previous message: BLH: "Re: Encryption Software for PDAs"
- Maybe in reply to: Gadi Evron: "information and reverse engineering bits of the Mydoom worm"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 29 Jan 2004 11:17:43 +0100
On Thu, 29 Jan 2004 00:34:21 +0200, Gadi Evron <ge@linuxbox.org>
wrote:
> > Was this after you decompressed it from its UPX packed data? Strings
> > compress really well with UPX and thus, it all looks like
> > gibberish.
>
> Nicolas Brulez posted a reply on alt.comp.security and comp.security.misc:
> http://groups.google.com/groups?selm=bv8ebc%24mqp%241%40biggoron.nerim.net&oe=UTF-8&output=gplain
>
> Gadi Evron.
Hmm, I think we are not talking about the same thing. I therefore
thought it best to show some raw text of an example of the e-mail.
The message text part - not the binary attachment - is what I'm
talking about, and in all other variants the message text in fact
contains the strings as seen in the disassembly. I tend more to
agree with another poster here that the worm - either intentionally or
due to a bug - uses some parts of itself as text, which gives the
appearance. Note that there are different variants of this floating
around. I'm basically searching for some easy-to-catch pattern for
this thing...
Markus
<----- cut here ------>
Return-Path: <xxxxx@xxxxxxxx.com> <- I munged this address
Received: from pirinenc.com ([81.44.90.119])
by nct.ch ([192.168.174.25]) with ESMTP
id 000044d0-16-021bd7c4; Thu, 29 Jan 2004 08:28:25 +0100
From: xxxxx@xxxxxxxx.com
To: m.zingg@nct.ch
Subject: Mail Delivery System
Date: Thu, 29 Jan 2004 08:27:26 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0004_9A71E5F3.39963C16"
X-Priority: 3
X-MSMail-Priority: Normal
This is a multi-part message in MIME format.
------=_NextPart_000_0004_9A71E5F3.39963C16
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
------=_NextPart_000_0004_9A71E5F3.39963C16
Content-Type: application/octet-stream;
name="doc.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="doc.zip"
<----- cut here ------>
Note: below here follows the real payload of the worm, so what you see
above is the TEXT area of the mail.
Hope this cleared things up...
Markus
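As an added example (not part of Markus's post, nor any tool from the thread), a small defender-side check in Python that parses a constructed message modelled on the headers quoted above and flags the combination he describes: a text/plain part declared 7bit whose body is mostly non-printable bytes, arriving together with a .zip attachment. The sample bytes, the 30% threshold and the function names are assumptions.

```python
import email
from email import policy

# Constructed sample modelled on the headers in the post above. The body bytes
# are made-up noise in the same style (Windows-1252 high-bit characters); they
# are NOT taken from the worm. The "attachment" is only a ZIP local-file-header
# signature, base64-encoded.
SAMPLE = (
    b"From: xxxxx@example.com\r\nTo: m.zingg@nct.ch\r\n"
    b"Subject: Mail Delivery System\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; "
    b"boundary=\"----=_NextPart_000_0004_9A71E5F3.39963C16\"\r\n\r\n"
    b"This is a multi-part message in MIME format.\r\n"
    b"------=_NextPart_000_0004_9A71E5F3.39963C16\r\n"
    b"Content-Type: text/plain; charset=\"Windows-1252\"\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n\r\n"
    b"\x8a(\x9b4\x83\x9b\\?f\r\n"
    b"\xbd\xb2&\xf9\xbb\xdc\x85he\xaajJ\xba3q#\xa6\xc5\xfb\xc6\r\n"
    b"------=_NextPart_000_0004_9A71E5F3.39963C16\r\n"
    b"Content-Type: application/octet-stream; name=\"doc.zip\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"doc.zip\"\r\n\r\n"
    b"UEsDBA==\r\n"
    b"------=_NextPart_000_0004_9A71E5F3.39963C16--\r\n"
)

# Printable ASCII plus tab, LF and CR; anything else counts as "junk".
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def junk_ratio(data: bytes) -> float:
    """Fraction of bytes that are not printable ASCII text."""
    if not data:
        return 0.0
    return sum(b not in PRINTABLE for b in data) / len(data)


def analyse(raw: bytes, threshold: float = 0.3) -> dict:
    """Flag a message whose text part is mostly junk AND carries a .zip."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    worst, has_zip = 0.0, False
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # raw bytes of the part
        if part.get_content_type() == "text/plain":
            worst = max(worst, junk_ratio(payload))
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            has_zip = True
    return {"junk_ratio": round(worst, 2), "zip_attachment": has_zip,
            "suspicious": worst >= threshold and has_zip}
```

A 7bit-declared part containing high-bit bytes is itself a protocol violation worth logging, independent of the ratio.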