Full Disclosure mailing list archives

Re: MyDoom bios infection


From: Frank Knobbe <frank () knobbe us>
Date: Thu, 29 Jan 2004 15:05:14 -0600

On Thu, 2004-01-29 at 14:45, Juari Bosnikovich wrote:
It appears that what I called sooner a BIOS BackDoor is more of a
Microsoft Windows exploit. When the infected machine boots for the
SECOND time AFTER February 12 it is injecting a malicious program in the
Windows installation that downloads a new version of Mydoom which will
probably be called Mydoom.c after its discovery.

In other words, it has nothing to do with the system's BIOS? If that was
a mishap in naming it then that's ok. Apology accepted.

I understand the point of view of unbelievers but unfortunately it is
very CLEAR to me that they did not conduct their own research concerning
this VERY destructive virus.

Personally, I don't believe or disbelieve anyone since I haven't looked
at that virus. But I have two things to say:

1) Anyone doing disassembly/analysis of any sort of thing has to be more
precise in the analysis and not jump to conclusions. 

2) (and in reply to)
As a reminder to the various persons who contacted me privately via
email and with whom I shared more information: PLEASE keep it private.

Full Disclosure is about... uhm... Full Disclosure. Please don't tease
us with the things you may have found without publicly disclosing and
sharing information.

I understand that in certain cases you don't want the public to know
(for example, when you analyze code and share information with folks,
including LEOs, where that information might lead to an arrest, or for
other reasons that require confidentiality). Full Disclosure was and is
about disclosing bugs in vendor provided software. I don't think it was
intended as an analyze-fraud type forum. If you would like to contribute
to that, contact your local Infragard chapter or law enforcement agency
or the like, and operate outside of public view.

If you want to dissect viruses to help the community and public at
large, and you want to do this here (instead of quietly with AV
vendors), then please share and disclose the information.

Can we stop all that chest-pounding and return to normal FD business?
I'll go first: Anyone find the IE exploit of the day yet? ;)

Cheers,
Frank


PS: This rant is not directed against Juari Bosnikovich. I applaud his
motivation and effort to dissect the virus. My rant is against those
that proclaim they found information without sharing it. FD is not the
right place for those folks. 


