Full Disclosure mailing list archives
Re: MyDoom bios infection
From: "Ian Latter" <Ian.Latter () mq edu au>
Date: Fri, 30 Jan 2004 08:10:48 +1000
Sorry Juari,
> It appears that what I called sooner a BIOS BackDoor is more of a Microsoft Windows exploit.

.. but you've lost all credibility.

----- Original Message -----
From: "Juari Bosnikovich" <juarib () m-net arbornet org>
To: "Frank Knobbe" <frank () knobbe us>
Subject: Re: [Full-disclosure] MyDoom bios infection
Date: Thu, 29 Jan 2004 15:45:15 -0500

On Thu, 29 Jan 2004, Frank Knobbe wrote:

> On Thu, 2004-01-29 at 03:14, Ferris, Robin wrote:
> > It was also unknown that the virus infects the BIOS of the computer it infects by injecting a 624-byte backdoor written in FORTH which will open port tcp when Mydoom will be executed AFTER February 12.
>
> Although code in BIOS could interact with your network card, it would require the correct driver routines for your particular card. Does the virus come with network card drivers for a variety of cards? No? Then BIOS code won't open a TCP port.

I had the same thought at first and conducted an experiment. Using a clean Windows Server 2003 32 bit Edition on a machine with a network adapter using the realtek 8139 chip, I installed the virus, set the date to February 11 11:50 and shut it down after making sure the virus had been successfully installed.

Most of you would agree with me if I would say that nothing happened when I rebooted the machine, but this is FAR from being what happened. It appears that what I called sooner a BIOS BackDoor is more of a Microsoft Windows exploit. When the infected machine boots for the SECOND time AFTER February 12 it is injecting a malicious program in the Windows installation that downloads a new version of Mydoom which will probably be called Mydoom.c after its discovery.

I understand the point of view of unbelievers but unfortunately it is very CLEAR to me that they did not conduct their own research concerning this VERY destructive virus.

As a reminder to the various persons who contacted me privately via email and to whom I shared more information: PLEASE keep it private.

Juari Bosnikovich

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Ian Latter
Internet and Networking Security Officer
Macquarie University
Meet me at the Australian Unix and open systems User Group (AUUG) Security Symposium; 2004
http://www.auug.org.au/events/2004/security/