Full Disclosure mailing list archives
mydoom.exe decyphering?
From: Danny <danny () ricin com>
Date: Sat, 31 Jan 2004 03:10:25 +0100
<layman>

Sophos says: (sync-1.01; andy; I'm just doing my job, nothing personal, sorry)

OK, this can readily be deducted somewhat from the mydoom.exe but not entirely. Ironically aladdin systems can find itself back in the worm's 'strings' output... a part of it is compressed with stuffit. [download MyDoomB, cut out the StuffIt part, unstuff it and cut out the (3rd/last) data part (use tail or so). Then hexdump -C that one again]

Here's the part with the text (use fixed font in your mail client):

HEX      ff  87  22  92  00  0a  0a  28  73  79  6e  63  2d  31  2e  fd
ASCII     *   *  32   *   0  10  10  40 115 121 110  99  45  49  46   *
SYMBOL    *   *   "   *   *   *   *   (   s   y   n   c   -   1   .   *

HEX      ff  6f  ff  30  31  3b  20  61  6e  64  79  05  49  27  6d  20
ASCII     * 111   *  48  49  59  32  97 110 100 121   5  73  39 109  32
SYMBOL    *   o   *   0   1   ;       a   n   d   y   *   I   '   m

HEX      6a  75  73  74  20  64  6f  69  6e  67  20  6d  79  6b  ff  ef
ASCII   106 117 115 116  32 100 111 105 110 103  32 109 121 107   *   *
SYMBOL    j   u   s   t       d   o   i   n   g       m   y   k   *   *

HEX      bf  0d  6f  62  2c  20  6e  6f  74  68  0f  70  65  72  73  6f
ASCII     *  13 111  98  44  32 110 111 116 104  15 112 101 114 115 111
SYMBOL    *   *   o   b   ,       n   o   t   h   *   p   e   r   s   o

HEX      6e  61  6c  11  06  a6  fb  ae  7d  72  72  79  29  42  47  40
ASCII   110  97 108  17   6   *   *   *  125 114 114 121  41  66  71  64
SYMBOL    n   a   l   *   *   *   *   *   }   r   r   y   )   B   G   @

So: (sync-1...o.01; andy.I'm just doing myk....ob, noth.personal.....}rry)

A few observations:

- 'noth*' seems to get its 'ing ' part from the token 'doing '
- likewise ' just' must be the inspiration for ' job', replacing the ' j' with 'k****' where * are non ascii. Note that ' just' fits into '****' and j=k-1
- '*****}rry' should translate to ' sorry' or (sophos) ', sorry'
- is it sync-1.01 or perhaps sync-1.1.p01 or so? Does anyone have any idea what this sync is anyway?
- if BG@ at the end could in some way end up being 'BEGIN' we have an uuencoded remainder which would have to be 'decrypted' first.
- how did sophos fill in the blanks, or did they?

One would think the entire data chunk would be encrypted or encoded or whatever you want to call it in the same manner (something like uuenc/decode can be used to have binary data be changed and obfuscated as text and restored to binary through a 1 on 1 (de)obfuscation, right?).

Any thoughts? Is this a known algorithm that I'm not aware of for unicode compressing or something alike? How do other people investigate a binary? (I look at hexdumps, strings, output of 'file', magic numbers/strings...)

Let me dare say something I'm going to regret (heck, this list is full of flamethrowers anyway ;-) To be honest, I have an unpleasant feeling that this whole thing might be staged. It's so suggestive. But I lack the skill to look further and don't passionately care enough either. Yet, this is one interesting thing with the whole MS and SCO background.

Please note, I use FreeBSD exclusively, not Windows, but was bored and got interested, and I'm wondering if anyone has done any research or experimenting on this. I've looked at them on my FreeBSD desktop box. I'm not familiar with Windows code other than looking at some worm and noticing that it has smtp code or so. The things with archives within executables holding executables and even with a Mac archiving package being used, uhhmm, I'll pass on that and just assume that that's all normal and doable out there over the fence :)

</layman>

Hope you don't blame me for trying to have some interesting discussion. No matter what your skill level, it sure beats the ever present pissing contests.

Regards,
--Dan (normally lurker with habitual attraction to DEL key)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
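The poster's reading of the dump (the 'ing ' after 'noth' being borrowed from the earlier 'doing ', ' job' leaning on ' just') is what an LZ77-style back-reference looks like when the stream is viewed as raw ASCII. The following is an added example, not code from the post and not MyDoom's actual encoding: a toy LZ77 coder run over the string Sophos quoted, to show which fragments such a scheme would turn into non-ASCII 'blanks'. Token layout, window size and minimum match length are assumptions of this example.

```python
# Added example (not from the post, not MyDoom's code): a toy LZ77-style coder
# to test the poster's reading that "noth." + "ing " copies the earlier
# "doing ". Token layout, window and minimum match are assumptions here.

MIN_MATCH = 3   # shortest run worth a (distance, length) pair
WINDOW = 255    # how far back a reference may point

# Constructed sample input: the decoded string Sophos quoted in the post.
MSG = b"(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)"


def lz_compress(data: bytes) -> list:
    """Greedy LZ77: literal bytes, or (distance, length) pairs that copy
    from output already produced. Overlapping copies are allowed."""
    tokens, i = [], 0
    while i < len(data):
        best_len, best_dist = 0, 0
        for j in range(max(0, i - WINDOW), i):
            n = 0
            while i + n < len(data) and data[j + n] == data[i + n] and n < 255:
                n += 1
            if n > best_len:
                best_len, best_dist = n, i - j
        if best_len >= MIN_MATCH:
            tokens.append((best_dist, best_len))
            i += best_len
        else:
            tokens.append(data[i])
            i += 1
    return tokens


def lz_decompress(tokens: list) -> tuple:
    """Return (data, copies): the decoded bytes plus the text each
    back-reference reproduced, i.e. the 'blanks' seen in a raw ASCII view."""
    out, copies = bytearray(), []
    for tok in tokens:
        if isinstance(tok, tuple):
            dist, length, start = tok[0], tok[1], len(out)
            for _ in range(length):          # byte by byte so overlaps work
                out.append(out[-dist])
            copies.append(bytes(out[start:]))
        else:
            out.append(tok)
    return bytes(out), copies


def render(tokens: list) -> str:
    """Naive ASCII view: literals as characters, each back-reference as '*'
    (the non-ASCII bytes in the post's dump)."""
    return "".join(chr(t) if isinstance(t, int) else "*" for t in tokens)
```

Running render(lz_compress(MSG)) yields a string containing 'noth*personal', and the copies list from lz_decompress contains b'ing ', which matches the first observation in the post; whether the worm's own scheme is of this family is left open, as the post does.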