Full Disclosure mailing list archives
Re: Re: Re: DoomJuice.A, Mydoom.A source code
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 12 Feb 2004 01:25:01 +1300
"Filipe A." <incognito () patria ath cx> wrote:
> I've done that and after 12 hours I had about 27 files.
> 8 of them were unique both in size and content. ...
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Is that not tautological? Or were you trying to say that none of these 8 are truncated copies of longer files in the set?
> ... I've identified the one that drops the .tbz with source code ...

Doomjuice.A
> ... but that leaves me with another 7 different files. Question is, how
> many things are out there piggybacking on mydoom's backdoor? ...

Assuming none of these seven are truncated copies of Doomjuice, don't forget there are a few copies of Mydoom.B out there looking for Mydoom.A backdoors. These can be truncated too... Other things I've seen being poked through Mydoom's backdoor include a couple of new downloaders, a short PE (around 5KB) that _may_ be a simple reverse shell and/or Mydoom process killer (i.e. some kind of "strike back" -- I've not had time to analyse this one yet) and simply the five byte command that instructs Mydoom's backdoor to "drop to a file and execute the following data stream" (my guess here is that someone thinks it is necessary to send this command to establish whether the port is properly listening, so unnecessarily coded it into a scanner).
> ... And now the source code is public many more will emerge in the next
> few days...

Charming, eh??

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
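One way to triage a pile of captures from a listener on the backdoor port, as an added example that is not from the thread or from either poster: collapse byte-identical captures, flag the ones that are merely truncated prefixes of a longer capture (Nick's question above), and separate bare command-only probes from full payloads. The five-byte header value is a placeholder, since the real bytes are not given on this page.

```python
"""Triage of payloads captured on a Mydoom-backdoor listener (constructed example).

Each de-duplicated capture is labelled:
  "command-only"  - just the upload-and-execute header, no data after it
  "truncated"     - a strict prefix of some longer capture (incomplete transfer)
  "unique"        - a complete payload not contained in any longer capture
  "not-a-command" - does not even start with the header (noise / other scanner)
"""
import hashlib

# Placeholder for the five-byte upload-and-execute header. The real bytes are
# NOT given on this page; this value is an assumption made for the example.
EXEC_CMD = b"\x01\x02\x03\x04\x05"


def dedup(captures):
    """Map sha256 -> data so that byte-identical captures count once."""
    return {hashlib.sha256(d).hexdigest(): d for d in captures}


def classify(captures, cmd=EXEC_CMD):
    """Return {sha256: label} for the de-duplicated captures."""
    uniq = dedup(captures)
    blobs = list(uniq.values())
    result = {}
    for h, data in uniq.items():
        if not data.startswith(cmd):
            result[h] = "not-a-command"
        elif len(data) == len(cmd):
            result[h] = "command-only"
        elif any(len(o) > len(data) and o.startswith(data) for o in blobs):
            # Some strictly longer capture begins with this one: a cut-off copy.
            result[h] = "truncated"
        else:
            result[h] = "unique"
    return result


def summarize(captures, cmd=EXEC_CMD):
    """Count labels, e.g. {'unique': 2, 'truncated': 1, 'command-only': 1}."""
    counts = {}
    for label in classify(captures, cmd).values():
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: a full payload, a truncated copy of it, an exact
    # duplicate, a bare probe, and a second distinct payload.
    full_a = EXEC_CMD + b"MZ" + bytes(40)
    full_b = EXEC_CMD + b"MZ" + bytes(range(30))
    print(summarize([full_a, full_a[:20], full_a, EXEC_CMD, full_b]))
```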