Full Disclosure mailing list archives

RE: MyDoom download info

From: Steve Wray <steve.wray () paradise net nz>
Date: Sat, 31 Jan 2004 13:04:30 +1300

From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
first last

[snip]


IIRC there are viruses that are encrypted and are almost impossible
to disassemble?

Would that be true?


Sobig.F was packed with tElock. It's a PE file protector. It 
"encrypts" the program's code and data, and tries to detect debuggers

before 
[snip]

to successfully unpack the program. All they really needed to 
do was dump it from memory while it was running and they could've

analyzed

it immediately with any disassembler.


Forgive me, I am no assembly hacker nor much of a programmer, 
but would it be possible for a program to 'react' in some way
were one to try to dump it from memory?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: [Full-Disc]: mydoom.exe decyphering?, (continued)
- - Re: [Full-Disc]: mydoom.exe decyphering? Anders (Jan 31)
- RE: MyDoom download info first last (Jan 30)
  - RE: MyDoom download info Steve Wray (Jan 30)
    - Re: MyDoom download info Valdis . Kletnieks (Jan 31)
    - Re: MyDoom download info Paul Schmehl (Jan 31)
    - RE: MyDoom download info Steve Wray (Jan 31)
    - RE: MyDoom download info Bojan Zdrnja (Jan 31)
- RE: MyDoom download info first last (Jan 30)
  - Re: MyDoom download info Puneet Arora (Jan 31)
- RE: MyDoom download info first last (Jan 30)
  - RE: MyDoom download info Steve Wray (Jan 30)