Full Disclosure mailing list archives
Re: Mydoom
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 28 Jan 2004 00:57:09 +1300
"Ferris, Robin" <R.Ferris () napier ac uk> wrote:
Does anyone know what the size of the attachment is when it comes in as a zip file?
Yes and no. Or, more helpfully, it is not a fixed size. The size of the .ZIP depends on the length of the randomly selected filename that the sending instance of Mydoom chooses for the copy inside the .ZIP. That filename is included twice in the .ZIP -- once in the header at the beginning of the stream of packed data for the file and once in the "central directory" at the end of the .ZIP.

...

BTW, if anyone is filtering on file size, you will almost certainly miss some copies of this (and other malware too). I don't get large enough volumes of these things in my personal Email to do a suitable analysis, but I've seen stats from places like MessageLabs (perhaps Alex is reading and can post something on this??) showing interesting file size distributions for various of these monolithic replicators; passage through the Email system is not necessarily kind (aka "bit perfect") to them.

Now add the cases where the new self-mailer gets infected with a parasitic PE infector that expands an existing PE section, or adds one to the file. This is then seen by a not yet updated scanner that happily disinfects the self-mailer of the parasitic virus, but not knowing the new self-mailer leaves it to continue on its travels. (Why any system admin would be so brain-dead as to _want_ to allow any kind of attachment known to have come from a "probably infected" machine in/out of their network is entirely beyond reason anyway...)

As many parasitic viruses cannot be "perfectly" removed (in the sense that the infected host cannot be rendered back into a bit-perfect replica of its pre-infection self) and disinfected files can even be left a different size from their original state, the copy of the self-mailer that spreads after such an encounter with an imperfect disinfector will be a physically different file, so simple hash-like detection and file size detection will fail for some samples.
By way of example, in the approx 40 Mydoom samples I have received as the result of its natural replication and spread in the last 12 hours or so, all but one decode to the commonly cited 22,528 byte file size. The odd one out has, for some unknown (but vaguely imaginable) reason "picked up" two extra bytes -- a pair of 0xFF characters added to the end of the file. Because of the way Mydoom spreads, such non-fatal modifications to its .EXE file will be reproduced in future copies of the virus should this modified sample successfully replicate on some other potential victim machine.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
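As an added illustration of the two size effects described in the post above (this is editor-added example code, not part of the original message), the following Python script wraps a constructed 22,528-byte placeholder payload in a stored ZIP, reads the member name back from both places the ZIP format records it (the local file header and the central directory entry), and shows that every extra character in the chosen filename adds two bytes to the archive while the payload itself is unchanged. The payload is arbitrary bytes standing in for the attachment, and the filenames are made up for the demonstration.

```python
import io
import struct
import zipfile

# Constructed stand-in for the attachment: 22,528 bytes, the commonly cited size.
# It is arbitrary data (0x00..0xFF repeated), not the worm.
PAYLOAD = bytes(range(256)) * 88


def build_zip(payload: bytes, name: str) -> bytes:
    """Pack payload into an in-memory ZIP under member name `name`, stored uncompressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def header_names(zip_bytes: bytes) -> tuple:
    """Read the member name from both places the ZIP format stores it:
    the central directory entry (found via the end-of-central-directory record)
    and the local file header that entry points back to. Assumes one member."""
    eocd = zip_bytes.rindex(b"PK\x05\x06")                  # end-of-central-directory record
    cd = struct.unpack_from("<I", zip_bytes, eocd + 16)[0]  # offset of the central directory
    cd_name_len = struct.unpack_from("<H", zip_bytes, cd + 28)[0]
    central_name = zip_bytes[cd + 46 : cd + 46 + cd_name_len].decode("ascii")
    lo = struct.unpack_from("<I", zip_bytes, cd + 42)[0]    # offset of the local file header
    lo_name_len = struct.unpack_from("<H", zip_bytes, lo + 26)[0]
    local_name = zip_bytes[lo + 30 : lo + 30 + lo_name_len].decode("ascii")
    return local_name, central_name


def expected_zip_size(payload_len: int, name_len: int) -> int:
    """Size of a stored single-member ZIP with no extra fields and no comment:
    30-byte local header + name, the data, 46-byte central entry + name, 22-byte EOCD.
    The name is counted twice, so each extra character in it costs two bytes."""
    return 30 + name_len + payload_len + 46 + name_len + 22


if __name__ == "__main__":
    short = build_zip(PAYLOAD, "a.exe")
    long_ = build_zip(PAYLOAD, "document.exe")
    print("names in headers:", header_names(long_))
    print("same payload, sizes:", len(short), len(long_))
    # The 2-byte trailer mentioned in the post changes the archive size as well.
    print("with 0xFF 0xFF appended:", len(build_zip(PAYLOAD + b"\xff\xff", "a.exe")))
```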