Full Disclosure mailing list archives
RE: Mydoom
From: madsaxon <madsaxon () direcway com>
Date: Tue, 27 Jan 2004 16:37:35 -0600
At 10:08 AM 1/28/2004 +1300, Nick FitzGerald wrote:
> That page does not specifically address the "zip attachment" form at all, and to the extent that it does mention .ZIP extensions it (_quite_ incorrectly) implies that the virus' executable is simply packaged with such an extension. In fact, if it sends itself with a .ZIP extension, Mydoom sends itself as a proper zip archive that contains a "stored" (i.e. not compressed) copy of its executable.
Two of the copies I've gotten have been proper .zip archives (with .zip extension) which contained a UPX compressed executable, many of whose ASCII strings were further obfuscated with ROT-13.
m5x
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
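Added example, not part of the original post or thread: a Python triage sketch for a mail gateway or analyst that checks a zip attachment for the three traits described above (a "stored" member, UPX section markers, ROT-13 obfuscated ASCII strings). The function names, extension list, marker list and the sample archive are assumptions constructed for illustration; the sample is a harmless byte string, not a real executable.

```python
import codecs
import io
import re
import zipfile

# Assumed lists for illustration; tune to local policy.
EXEC_EXTS = (".exe", ".scr", ".pif", ".cmd", ".bat", ".com")
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # printable runs of 6+ bytes


def triage_zip(data):
    """Return one finding dict per member of a zip attachment given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            body = zf.read(info)
            runs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(body)]
            findings.append({
                "name": info.filename,
                # "stored" means method 0: the member is not compressed.
                "stored": info.compress_type == zipfile.ZIP_STORED,
                "executable": info.filename.lower().endswith(EXEC_EXTS)
                              or body[:2] == b"MZ",
                "upx": any(marker in body for marker in UPX_MARKERS),
                # A stored member sits verbatim in the archive bytes, so a
                # byte-pattern scan of the raw attachment can already see it.
                "visible_in_raw": bool(body) and body in data,
                # ROT-13 is its own inverse; the analyst compares each decoded
                # run with the raw one to see which reads as plain text.
                "rot13": [codecs.decode(s, "rot_13") for s in runs],
            })
    return findings


def build_sample():
    """Constructed, harmless stand-in for an attachment (not a real sample)."""
    hidden = codecs.encode("constructed-marker.example", "rot_13").encode("ascii")
    body = b"MZ" + b"\x00" * 16 + b"UPX0" + b"\x00" * 8 + hidden + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.scr", body)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```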