Re: mydoom.c information
From: m.mohr () laposte net
Date: Sun, 7 Mar 2004 14:01:01 -0800 (PST)
See comments inserted in reply:
On Sun, 7 Mar 2004, morning_wood wrote:
basically looking for sync-src-1.00.tbz. That message was posted to this
avail on infected hosts
The whole point is that I don't *want* to be infected. I don't have an
infected host because I am a good admin. I want to obtain a copy of the
source code, not the binary virus.
This is how I came to be in possession of it:
nc -l -p 3127 > doomjuice.dump
You will probably want to write a
loop to restart netcat because it exits after a successful transfer.
nc -L -p 3127 > out.txt
note: " -L " will not exit your listener,
as it is for a persistent listener.
Okay. Strangely enough, my version of netcat doesn't have an option "L":
bash-2.05b$ nc -L
nc: invalid option -- L
nc -h for help
Additionally, the whole point of writing a script is that I actually
*want* my listener to exit so that it can be called again and write to a
new file, thus separating infection attempts cleanly. This removes the
need for me to comb through a huge dump and guess where each virus
begins and ends. E.g.:
x=0; while true; do x=$((x+1)); nc -l -p 3127 > 3127.$x; done
Thanks for the link ... I wish I had been able to find this earlier, it
would have helped me quite a bit. Although the bit about intentionally
infecting oneself doesn't exactly make me want to jump for joy.
as I do not wish to type-iterate.
In any case, thank you for your reply!
P.S. I visited your website and it has some good information on it. One
thing really needs to change though IMHO: Flash isn't cool. If I can't
see it in lynx, I generally don't want to see it.
Full-Disclosure - We believe in it.
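
An added example (not part of the original message, and not netcat's own code): a Python version of the restart loop described above that writes each inbound connection on port 3127 to its own file and records the peer, time, size and SHA-256 so captures can be told apart without opening them. The output directory name, the size cap and the idle timeout are assumptions.

```python
import hashlib
import os
import socket
import time

MAX_BYTES = 5 * 1024 * 1024   # assumed cap so one peer cannot fill the disk
IDLE_TIMEOUT = 30             # assumed seconds of silence before giving up


def capture_once(listener, out_dir, seq, max_bytes=MAX_BYTES, timeout=IDLE_TIMEOUT):
    """Accept one connection and save its payload to its own file; nothing is executed."""
    conn, (peer_ip, peer_port) = listener.accept()
    with conn:
        conn.settimeout(timeout)
        stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
        path = os.path.join(out_dir, "3127.%s.%d" % (stamp, seq))
        # O_EXCL refuses to overwrite an earlier capture; 0o600 keeps it non-executable.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        digest, size = hashlib.sha256(), 0
        with os.fdopen(fd, "wb") as out:
            try:
                while size < max_bytes:
                    chunk = conn.recv(min(65536, max_bytes - size))
                    if not chunk:          # peer closed: transfer finished
                        break
                    out.write(chunk)
                    digest.update(chunk)
                    size += len(chunk)
            except socket.timeout:
                pass                       # keep whatever arrived before the stall
    return {"file": path, "peer": "%s:%d" % (peer_ip, peer_port),
            "time": stamp, "bytes": size, "sha256": digest.hexdigest()}


def serve(out_dir, port=3127, host="0.0.0.0"):
    """Loop forever: one numbered file and one log line per connection."""
    os.makedirs(out_dir, exist_ok=True)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind((host, port))
        listener.listen(5)
        seq = 0
        while True:
            seq += 1
            print(capture_once(listener, out_dir, seq))


if __name__ == "__main__":
    serve("captures")   # "captures" is an assumed directory name
```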