Full Disclosure mailing list archives
[Full-Disclosure] RE: [Full-disclosure]Not into Refuting tall-tales and stories about the Mydoom worms
From: "Clairmont, Jan" <JMC13 () mail3 cs state ny us>
Date: Fri, 30 Jan 2004 12:02:38 -0500
First there is nothing in your analysis that excludes an embedded forth interpreter or code, second there are fingerprints for a tsr. Since it is an .exe and quite able to install one. Was there a search to eliminate the possibility?

There is plenty of unanalyzed code and looking at the disassembled code there are fingerprints of a tsr and forth in my opinion, I am waiting on Mydoom.2 for any other unseen exploits. Were the int calls examined for suspicious behavior? Looking at the tsr hex codes and forth formats there could definitely be activity there.

Your analysis does not seem complete or extensive enough to rule out anything.

Jan Clairmont

-----Original Message-----
From: Gadi Evron [mailto:ge () egotistical reprehensible net]
Sent: Friday, January 30, 2004 10:40 AM
To: bugtraq () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] Refuting tall-tales and stories about the Mydoom worms

The document contains information and reverse engineering bits of the Mydoom worms, refuting claims and rumors about them with facts. It updates http://www.math.org.il/newworm-digest1.txt.

Also, we provide proof within the document of the DDoS attack that many in the world now report does not happen, along with a time table for the attack.

You can find our document at: http://www.math.org.il/mydoom-facts.txt

Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html