Full Disclosure mailing list archives

RE: Mydoom


From: madsaxon <madsaxon () direcway com>
Date: Tue, 27 Jan 2004 16:37:35 -0600

At 10:08 AM 1/28/2004 +1300, Nick FitzGerald wrote:

> That page does not specifically address the "zip attachment" form at
> all, and to the extent that it does mention .ZIP extensions it (_quite_
> incorrectly) implies that the virus' executable is simply packaged with
> such an extension.  In fact, if it sends itself with a .ZIP extension,
> Mydoom sends itself as a proper zip archive that contains a "stored"
> (i.e. not compressed) copy of its executable.

Two of the copies I've gotten have been proper .zip archives (with
.zip extension) which contained a UPX compressed executable,
many of whose ASCII strings were further obfuscated with ROT-13.

m5x

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
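As an added illustration (not part of this thread or of any tool the posters mention), a small Python scanner that turns the observations above into checks: it flags zip entries that are stored (method 0) rather than compressed and that contain a PE image, notes UPX section names as a sign of packing, and applies ROT-13 to printable strings so obfuscated text becomes readable. The archive and payload it builds are constructed stand-ins, not Mydoom.

```python
import codecs
import io
import re
import zipfile


def build_fake_payload() -> bytes:
    """Constructed stand-in for a packed executable: an MZ stub whose e_lfanew
    points at a PE signature, UPX section names, and one ROT-13 string."""
    e_lfanew = 0x40
    hdr = b"MZ" + b"\x00" * (0x3C - 2) + e_lfanew.to_bytes(4, "little")
    hidden = codecs.encode("Hello from Mydoom", "rot_13").encode()
    return hdr + b"PE\x00\x00" + b"UPX0\x00UPX1\x00" + hidden


def build_sample_zip() -> bytes:
    """Constructed archive: one stored PE-like entry, one deflated text entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.scr", build_fake_payload(), zipfile.ZIP_STORED)
        zf.writestr("readme.txt", b"plain text", zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header and e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[off:off + 4] == b"PE\x00\x00"


def rot13_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """ROT-13 every run of printable ASCII, so obfuscated strings show up."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [codecs.decode(r.decode("ascii"), "rot_13") for r in runs]


def scan_zip(data: bytes) -> list[dict]:
    """Report entries that are stored (not compressed) and carry a PE image,
    the shape described in the thread, and whether UPX section names appear."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            blob = zf.read(info)
            if info.compress_type == zipfile.ZIP_STORED and looks_like_pe(blob):
                findings.append({
                    "name": info.filename,
                    "upx": b"UPX0" in blob or b"UPX1" in blob,
                    "rot13": rot13_strings(blob),
                })
    return findings
```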
