Full Disclosure mailing list archives
RE: Which worm?
From: "John LaCour" <jlacour () zonelabs com>
Date: Tue, 13 Apr 2004 08:59:04 -0700
Hi Bob, There are several variants of Agobot/Gaobot that are propagating via the MyDoom/Novarg backdoor. I've found that most of the samples I've captured are damaged and won't run. Try scanning them with the RAV Antivirus online scanner. It seems to do a good job of identifying these things even the damaged ones. Also, don't forget to delete the first 5 bytes off the capture to remove the file upload and execute handshake before scanning it. -John http://www.ravantivirus.com/scan/indexie.php
From: bob sagart [mailto:bobsagart500 () hotmail com] Sent: Tuesday, April 13, 2004 4:53 AM The other night I decided to see what traffic I could capture on tcp port 3127 (MyDoom backdoor) since I have been getting a lot of connection attemps showing up in my firewall logs. I got several dumps of the traffic using nc -l -p 3127 > out.dmp most of them are around 10-20kB which I thought was the about the right size of most of the worms and backdoors using that port. But one of the dumps I got was 150kB and I was just wondering if anyone could tell me what I might be?
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Which worm? bob sagart (Apr 13)
- Re: Which worm? Axel Pettinger (Apr 13)
- Re: Which worm? Maxime Ducharme (Apr 13)
- <Possible follow-ups>
- RE: Which worm? John LaCour (Apr 13)
- RE: Which worm? bob sagart (Apr 13)
- Re: Which worm? Maxime Ducharme (Apr 15)
- Re: Which worm? Wolfram Schroeder (Apr 15)
- Re: Which worm? morning_wood (Apr 15)
- Re: Which worm? Maxime Ducharme (Apr 15)
- RE: Which worm? Willem Koenings (Apr 15)
- re: Which worm? Willem Koenings (Apr 15)
- Re: Which worm? Hugh Mann (Apr 15)