mailing list archives
From: m.mohr () laposte net
Date: Sat, 6 Mar 2004 19:40:24 -0800 (PST)
I recently read somewhere that mydoom.c included the source code for the a
variant. Being the curious type, I wanted to see it. During my research,
I came across a post from a professor in the same situation as I was,
bascially looking for sync-src-1.00.tbz. That message was posted to this
list, and so after successfully obtaining this source I thought I might
share my trek.
This is how I came to be in possession of it:
The mydoom virus listens on tcp port 3127. It will accept and execuate a
binary streamed to it if the binary is prefixed with bytes 85 13 3c 9e a2.
doomjuice spreads by 'updating' hosts already infected with previous
versions of mydoom. If you want to obtain a copy, you probably need to
catch a copy in the wild. To do so, you can set up a listener like this:
nc -l -p 3127 > doomjuice.dump
Remember that the netcat dump contains control codes for mydoom, so the
dumps will be 5 bytes larger than the sizes listed below. Remove these
bytes or take them into account. There are a few variants out with these
36,864 doomjuice.a (contains mydoom.a source code)
doomjuice / mydoom is packed with UPX, so download a copy of UPX and
decompress the file before starting work on it.
The uncompressed version of doomjuice.a is 43,008 bytes. The mydoom.a
source code starts at byte 1232 (0x04d0) and is 28,569 bytes long. It's
name is sync-src-1.00.tbz. The archive can be extracted thus:
dd if=doomjuice.a of=sync-src-1.00.tbz bs=1 skip=1232 count=28569
With the huge proliferation of infected hosts out there, it shouldn't be
too long before your IP is contacted. You will probably want to write a
loop to restart netcat because it exits after a successful transfer.
Full-Disclosure - We believe in it.
- mydoom.c information m . mohr (Mar 07)