Full Disclosure mailing list archives
RE: MyDoom download info
From: "first last" <randnut () hotmail com>
Date: Fri, 30 Jan 2004 23:44:14 +0000
> > IE: how do you know that the behavior you see in the lab reflects
> > behavior in the real world? (I get a kind of 'Schrodinger's cat' deja vu).
>
> You can always disassemble the virus, which is what people
> will do if it's a real "popular" one such as MyDoom.

IIRC there are viruses that are encrypted and are almost impossible to disassemble? Would that be true?
Sobig.F was packed with tElock. It's a PE file protector. It "encrypts" the program's code and data, and tries to detect debuggers before giving control to the real program. If you don't have the right tools and skills it could be difficult to unpack it. IIRC, it took the anti-virus companies two days to successfully unpack the program. All they really needed to do was dump it from memory while it was running and they could've analyzed it immediately with any disassembler.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html