Full Disclosure: Re: [Full-Disc]: mydoom.exe decyphering?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: [Full-Disc]: mydoom.exe decyphering?

From: Anders <CNQQTROVMYSY () spammotel com>
Date: Sat, 31 Jan 2004 16:15:10 +0100

Hi,

OK, this can readily be deducted somewhat from the mydoom.exe but not
entirely. Ironically aladdin systems can find itself back in the worm's
'strings' output... a part of it is compressed with stuffit.


Are you looking at the files from the URLs posted yesterday? Those
were packed with stuffit before uploaded. The stuffit part is not in
the version that's ITW.

So: (sync-1...o.01; andy.I'm just doing myk....ob, noth.personal.....}rry)

- how did sophos fill in the blanks, or did they


As discussed on the list, the files are packed with a runtime packer,
so, they have to be unpacked/dumped in order to see the unpacked data.

Best regards,
Anders


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

By Date By Thread

Current thread:

Re: MyDoom download info, (continued)
- mydoom.exe decyphering? Danny (Jan 31)
  - Re: [Full-Disc]: mydoom.exe decyphering? Anders (Jan 31)
- RE: MyDoom download info first last (Jan 30)
  - RE: MyDoom download info Steve Wray (Jan 30)
    - Re: MyDoom download info Valdis . Kletnieks (Jan 31)
    - Re: MyDoom download info Paul Schmehl (Jan 31)
    - RE: MyDoom download info Steve Wray (Jan 31)