Full Disclosure mailing list archives

Re: MyDoom bios infection


From: "Ian Latter" <Ian.Latter () mq edu au>
Date: Fri, 30 Jan 2004 08:10:48 +1000


Sorry Juari,

It appears that what I called earlier a BIOS backdoor is more of a
Microsoft Windows exploit.

.. but you've lost all credibility.



----- Original Message -----
From: "Juari Bosnikovich" <juarib () m-net arbornet org>
To: "Frank Knobbe" <frank () knobbe us>
Subject:  Re: [Full-disclosure] MyDoom bios infection
Date: Thu, 29 Jan 2004 15:45:15 -0500



On Thu, 29 Jan 2004, Frank Knobbe wrote:

On Thu, 2004-01-29 at 03:14, Ferris, Robin wrote:
It was also unknown that the virus infects the BIOS of the computer it
infects by injecting a 624-byte backdoor written in FORTH which will open
a TCP port when Mydoom is executed AFTER February 12.

Although code in BIOS could interact with your network card, it would
require the correct driver routines for your particular card. Does the
virus come with network card drivers for a variety of cards? No? Then
BIOS code won't open a TCP port.

I had the same thought at first and conducted an experiment.

Using a clean Windows Server 2003 32-bit Edition on a machine with a
network adapter using the Realtek 8139 chip, I installed the virus,
set the date to February 11 11:50 and shut it down after making sure
the virus had been successfully installed.

Most of you would agree with me if I said that nothing happened when
I rebooted the machine, but this is FAR from what happened.

It appears that what I called earlier a BIOS backdoor is more of a
Microsoft Windows exploit. When the infected machine boots for the SECOND
time AFTER February 12 it injects a malicious program into the Windows
installation that downloads a new version of Mydoom, which will probably be
called Mydoom.c after its discovery.

I understand the point of view of unbelievers but unfortunately it is very
CLEAR to me that they did not conduct their own research concerning this
VERY destructive virus.

As a reminder to the various persons who contacted me privately via
email and with whom I shared more information: PLEASE keep it private.

                                      Juari Bosnikovich

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


--
Ian Latter
Internet and Networking Security Officer
Macquarie University

 Meet me at the Australian Unix and open systems
   User Group (AUUG) Security Symposium; 2004
  http://www.auug.org.au/events/2004/security/
