mailing list archives
RE: RE: Any dissasemblies of the Witty worm yet?
From: "Hugh Mann" <hughmann () hotmail com>
Date: Sun, 21 Mar 2004 17:10:08 +0000
From: "Disclosure From OSSI" <disclosure () ossecurity ca>
From the quick analysis of this worm (retrieved from
http://isc.incidents.org/diary.html?date=2004-03-20), it seems that it
strange similarity with SQL Slammer for the following points:
1. It uses the same "push ascii" format as SQL Slammer, for example "push
6B636F73h" in this worm.
I can tell you the names of about 100 different programmers who use push
ascii in their expoits. This is common exploit code just like using "i" as
the loop variable in C/C++.
2. It uses hard-coded import addresses (listed below) as SQL Slammer.
I can tell you the names of about 100 different programmers who use
hardcoded addresses in their expoits. This is common exploit code just like
using "i" as the loop variable in C/C++.
3. If someone can trace the origin of this worm, it might shed light on the
origin of SQL Slammer as well?
Definitely a big NO.
MSN Toolbar provides one-click access to Hotmail from any Web page FREE
Full-Disclosure - We believe in it.