Full Disclosure mailing list archives

[Full-Disclosure] RE: [Full-disclosure] Not into Refuting tall-tales and stories about the Mydoom worms


From: Joe Stewart <jstewart () lurhq com>
Date: Fri, 30 Jan 2004 13:30:09 -0500

On Friday 30 January 2004 12:02 pm, Clairmont, Jan wrote:
> First there is nothing in your analysis that excludes an embedded
> forth interpreter or code,

Yes, but there IS an embedded pong game written in ADA. Can you prove 
there isn't? How about the fact that Juari already admitted there was 
no bios infection?

> second there are fingerprints for a tsr.

Where? Offsets, please.


> Since it is an .exe and quite able to install one.  Was there a
> search to eliminate the possibility?

Even though Juari was obviously trolling, yes there was a search.


> There is plenty of unanalyzed
> code

How do you know what code is unanalyzed? 


> and looking at the disassembled code there are fingerprints of
> a tsr and forth in my opinion

Where? Offsets, please. 


> Were the int calls
> examined for suspicious behavior?  Looking at the tsr hex codes and
> forth formats there could definitely be activity there.

There are no INT calls. Are you looking at this in a 16-bit disassembler 
by any chance?


> Your analysis does not seem complete or extensive enough to rule out
> anything.

Just like I can't rule out the possibility that you and Juari are the 
same person and you are still trolling.

-Joe

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

