Full Disclosure mailing list archives
RE: MyDoom download info
From: Steve Wray <steve.wray () paradise net nz>
Date: Sat, 31 Jan 2004 13:04:30 +1300
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of first last
[snip]
IIRC there are viruses that are encrypted and are almost impossible to disassemble? Would that be true?Sobig.F was packed with tElock. It's a PE file protector. It "encrypts" the program's code and data, and tries to detect debuggers
before [snip]
to successfully unpack the program. All they really needed to do was dump it from memory while it was running and they could've
analyzed
it immediately with any disassembler.
Forgive me, I am no assembly hacker nor much of a programmer, but would it be possible for a program to 'react' in some way were one to try to dump it from memory? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: [Full-Disc]: mydoom.exe decyphering?, (continued)
- Re: [Full-Disc]: mydoom.exe decyphering? Anders (Jan 31)
- RE: MyDoom download info first last (Jan 30)
- RE: MyDoom download info Steve Wray (Jan 30)
- Re: MyDoom download info Valdis . Kletnieks (Jan 31)
- Re: MyDoom download info Paul Schmehl (Jan 31)
- RE: MyDoom download info Steve Wray (Jan 31)
- RE: MyDoom download info Bojan Zdrnja (Jan 31)
- RE: MyDoom download info Steve Wray (Jan 30)
- Re: MyDoom download info Puneet Arora (Jan 31)
- RE: MyDoom download info Steve Wray (Jan 30)