Full Disclosure mailing list archives
Re: MyDoom download info.
From: "first last" <randnut () hotmail com>
Date: Sat, 31 Jan 2004 12:07:27 +0000
> It's still UPX packed, but it won't unpack with "UPX -d" because the author
> used a simple UPX scrambler. Either undo what he did or unpack it manually
> and you'll see all the code.

It actually un-UPX-ed just fine for me. What version have you been trying?
MyDoom.B as posted by someone else on this list. UPX -d doesn't work so you have to do it manually which shouldn't be a problem.
It disassembled nicely after that. The only other obfuscation (apart from quite a bit of wild jmp'ing around) is the rot13'ed strings, which isn't, erm, too challenging. Anything else?
Anyone with basic assembler knowledge could understand MyDoom and any other virus.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html