RE: Which worm?

["John LaCour" <jlacour () zonelabs com>]

Hi Bob,

There are several variants of Agobot/Gaobot that are
propagating via the MyDoom/Novarg backdoor.

I've found that most of the samples I've captured
are damaged and won't run.  Try scanning them with the
RAV Antivirus online scanner.  It seems to do a good
job of identifying these things even the damaged ones.

Also, don't forget to delete the first 5 bytes off 
the capture to remove the file upload and execute 
handshake before scanning it.

-John

http://www.ravantivirus.com/scan/indexie.php




> From: bob sagart [mailto:bobsagart500 () hotmail com] 
> Sent: Tuesday, April 13, 2004 4:53 AM
>
> The other night I decided to see what traffic I could capture 
> on tcp port 
> 3127 (MyDoom backdoor) since I have been getting a lot of 
> connection attemps 
> showing up in my firewall logs.
> I got several dumps of the traffic using
> nc -l -p 3127 > out.dmp
> most of them are around 10-20kB which I thought was the about 
> the right size 
> of most of the worms and backdoors using that port. But one 
> of the dumps I 
> got was 150kB and I was just wondering if anyone could tell 
> me what I might 
> be?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html