Full Disclosure mailing list archives

RE: MyDoom.b samples taken down

From: "first last" <randnut () hotmail com>
Date: Mon, 02 Feb 2004 01:15:04 +0000

Just because some AV developers did not rush for the publicity
spotlight <snip>

Come on. As soon as an AV company discovers something new they tell thepress. They love free advertising. Thus we know that the finns @ F-Secure(if I'm not mistaken) were the first ones who found the IP addresses in theSobig.F virus. It took them 2 days instead of a few minutes had they justdumped the memory of the virus while it was running and disassembled it.

> I never analyzed the MyDoom.A or the MyDoom.B worms because I know the
> anti-virus companies already did that the very same day they got thevirus.> But from what I've read, the email sent by MyDoom.B is exactly the sameone
> sent by MyDoom.A. No wonder MyDoom.B never succeeded in infecting more
> machines. Even if someone on this list mistakenly got infected by thecopy> and sent out the virus to other people it's not going to make it anymore> successful than it is because it looks exactly like MyDoom.A in yourinbox.
And what made Mydoom.A _so_ successful?

There is always an element of what, for a better term, the experts
refer to as "luck".  Technically identical mass mailers suceed and fail
more or less randomly (of course, you don't see the hoards of entirely
uncessful ones we do, so you wouldn't know this.  Mydoom.B has more
chance of striking it lucky the more people run it, simply because of

This is not a case of technically similar viruses, this is a case of a twodifferent (related) viruses using the _exact_ same email message to spreadits executable code. The probabiltiy that a user clicks a MyDoom.Aattachment is the exact same probability that the same user clicks aMyDoom.B attachment. The probability that a user clicks a MyDoom attachmentmay not be (most likely is not) the same as the probability that the sameuser clicks some other virus' attachment. So for MyDoom.B to be successful,it would have to get rid of all MyDoom.A emails or use a different emailmessage.


_________________________________________________________________

Check out the coupons and bargains on MSN Offers!http://shopping.msn.com/softcontent/softcontent.aspx?scmId=1418


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: MyDoom.b samples taken down, (continued)
- - - Re: MyDoom.b samples taken down Nick FitzGerald (Feb 01)
    - Re: MyDoom.b samples taken down Valdis . Kletnieks (Feb 01)
    - Re: MyDoom.b samples taken down Paul Schmehl (Feb 01)
    - Re: MyDoom.b samples taken down Valdis . Kletnieks (Feb 01)
    - Re: MyDoom.b samples taken down Nick FitzGerald (Feb 01)
    - Re: MyDoom.b samples taken down Nick FitzGerald (Feb 01)
    - Re: MyDoom.b samples taken down Nick FitzGerald (Feb 01)
    - old bug - new wired Papp Geza (Feb 01)
    - Re: MyDoom.b samples taken down Kurt Weiske (Jan 31)
- RE: MyDoom.b samples taken down Brad Griffin (Feb 01)
- RE: MyDoom.b samples taken down first last (Feb 01)
  - RE: MyDoom.b samples taken down Bill Royds (Feb 01)
    - Re: MyDoom.b samples taken down Valdis . Kletnieks (Feb 01)
    - RE: MyDoom.b samples taken down Steve Wray (Feb 02)
    - RE: MyDoom.b samples taken down Steve Wray (Feb 02)
- RE: MyDoom.b samples taken down first last (Feb 01)
  - RE: MyDoom.b samples taken down Nick FitzGerald (Feb 01)
- RE: MyDoom.b samples taken down Dowling, Gabrielle (Feb 01)
  - RE: MyDoom.b samples taken down Todd Burroughs (Feb 02)