Full Disclosure mailing list archives
RE: Mydoom
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 28 Jan 2004 18:37:42 +1300
madsaxon <madsaxon () direcway com> to me:
That page does not specifically address the "zip attachment" form at all, and to the extent that it does mention .ZIP extensions it (_quite_ incorrectly) implies that the virus' executable is simply packaged with such an extension. In fact, if it sends itself with a .ZIP extension, Mydoom sends itself as a proper zip archive that contains a "stored" (i.e. not compressed) copy of its executable.

Two of the copies I've gotten have been proper .zip archives (with .zip extension) which contained a UPX compressed executable, many of whose ASCII strings were further obfuscated with ROT-13.
Dude, read what I said...

...if it sends itself with a .ZIP extension...

That is, of the options it has for sending itself, if it chooses the zip archive option...

Keep up with the program!

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
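Added example, not part of the original post: a Python check a mail gateway could run on a .zip attachment to flag members that start with the `MZ` executable header, recording whether each is "stored" as described in the message above. The sample archive, its member names and the UPX section-name check (`UPX0`/`UPX1`) are constructed assumptions for illustration.

```python
import io
import zipfile


def inspect_zip_attachment(data: bytes) -> list[dict]:
    """Return one finding per archive member that begins with an MZ header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4096)  # decompressed bytes, header area only
            if not head.startswith(b"MZ"):
                continue
            findings.append({
                "name": info.filename,
                # Method 0: member bytes are copied into the archive unchanged.
                "stored": info.compress_type == zipfile.ZIP_STORED,
                # Default UPX section names, if present in the header area.
                "upx_markers": b"UPX0" in head or b"UPX1" in head,
                # A stored member is visible to a plain byte scan of the
                # attachment; a deflated one is only visible after unpacking.
                "raw_visible": head in data,
            })
    return findings


def build_sample(compression: int) -> bytes:
    """Constructed, harmless archive: a fake MZ stub plus a text file."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"UPX0\x00\x00\x00\x00UPX1" + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", fake_pe, compress_type=compression)
        zf.writestr("readme.txt", "constructed sample",
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for method in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
        print(inspect_zip_attachment(build_sample(method)))
```
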
