Full Disclosure mailing list archives

Re: MyDoom download info.


From: jan.muenther () nruns com
Date: Sat, 31 Jan 2004 12:46:33 +0100

> It's still UPX packed, but it won't unpack with "UPX -d" because the author
> used a simple UPX scrambler. Either undo what he did or unpack it manually
> and you'll see all the code.

It actually un-UPX-ed just fine for me. What version have you been trying?
It disassembled nicely after that. The only other obfuscation (apart from
quite a bit of wild jmp'ing around) is the rot13'ed strings, which isn't,
erm, too challenging. Anything else? I've only looked quickly at it during a
train ride.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
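
A triage helper for the ROT13-obfuscated strings mentioned in the message, as an added example that is not part of the original post: it extracts printable strings from an already-unpacked binary and reports those that only become recognisable after ROT13. The hint patterns and the sample bytes are constructed assumptions, not values taken from the binary under discussion.

```python
import codecs
import re

# Printable-ASCII runs of at least MIN_LEN bytes, similar to strings(1).
MIN_LEN = 6
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Assumed heuristic for "looks meaningful": tokens common in Windows binaries.
HINTS = re.compile(
    r"(?i)(\.dll|\.exe|software\\|currentversion|http://|kernel32|wsock32)"
)


def extract_strings(blob):
    """Return (offset, text) for each printable ASCII run in blob."""
    return [(m.start(), m.group().decode("ascii"))
            for m in ASCII_RUN.finditer(blob)]


def rot13(text):
    """ROT13 is its own inverse, so this both encodes and decodes."""
    return codecs.decode(text, "rot13")


def find_rot13_strings(blob):
    """Return (offset, raw, decoded) where only the ROT13 form matches a hint."""
    hits = []
    for offset, raw in extract_strings(blob):
        decoded = rot13(raw)
        # Skip strings that are already readable; keep those that only
        # make sense once decoded.
        if HINTS.search(decoded) and not HINTS.search(raw):
            hits.append((offset, raw, decoded))
    return hits


def build_sample():
    """Constructed sample blob, not bytes from any real binary."""
    plain = [b"KERNEL32.DLL", b"GetProcAddress"]
    hidden = ["Software\\Microsoft\\Windows\\CurrentVersion\\Run",
              "updater-sample.exe"]
    parts = plain + [codecs.encode(s, "rot13").encode("ascii") for s in hidden]
    return b"\x00\x01\x90".join(parts) + b"\x00"


if __name__ == "__main__":
    for offset, raw, decoded in find_rot13_strings(build_sample()):
        print(f"0x{offset:04x}  {raw!r} -> {decoded!r}")
```

Decoded strings of this kind are useful as starting points for host-based indicators once confirmed against the disassembly.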

