Full Disclosure mailing list archives

Re: MyDoom.f binary string


From: Jason Brewer <fulldisclosure99 () yahoo com>
Date: Wed, 25 Feb 2004 13:58:27 -0600

SMTP monitoring tests using the previous binary string were unsuccessful.

This string resulted positive in all SMTP tests (not the virus itself, but sending emails w/ an infected ZIP attached).
52 71 67 4E 64 65 42 4F 76 33 4F 71 4A 45 46 30

The previous tests involved SMB (copying the file to a network share).. The packet sizes evidently ended smaller with SMTP and my original string got split over two packets.

So.. I have no idea if either string will match when the virus tries to copy over port 3127 (the only untested protocol), but I have rules with both strings set up and waiting patiently.

Jason Brewer wrote:

> I was able to get my hands on two copies of the virus.. They are slightly different
> in size and definitely have different md5sums.
>
> I created a couple of signatures using this string that matched in both files:
>
> 25 E5 6C D1 3C 2B 44 53 A8 34 B0 C1 14 3F E4 37
>
> I'm monitoring ports 25, 135:139, 445, and 3127 with this signature to try and catch
> all methods of propagation.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
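The failure mode described in the reply above (a 16-byte content string that matched when the file crossed the wire in large SMB writes but was split across two smaller SMTP segments) is easy to reproduce offline. The following is an added example, not code from the post or the list; it takes the second hex string from the post as the signature, builds a constructed stream with the signature at a known offset, and compares a stateless per-packet matcher against two matchers that see the stream as a whole. The segment sizes (1460 and 1008), the filler bytes and the helper names are assumptions chosen for the demonstration.

```python
from typing import List, Optional

# Content string from the post ("52 71 67 4E ...") parsed into bytes.
def parse_content(hex_string: str) -> bytes:
    """Turn a space-separated hex content string into raw bytes."""
    return bytes.fromhex(hex_string.replace(" ", ""))

SIGNATURE = parse_content("52 71 67 4E 64 65 42 4F 76 33 4F 71 4A 45 46 30")

# Constructed stand-in for the attachment bytes: filler, the signature, filler.
# Offset 1000 is where a correct matcher should report the hit.
SIG_OFFSET = 1000
PAYLOAD = b"A" * SIG_OFFSET + SIGNATURE + b"B" * 500

def segment(payload: bytes, mss: int) -> List[bytes]:
    """Split one direction of a stream into fixed-size segments (a toy MSS)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]

def match_per_packet(packets: List[bytes], sig: bytes) -> Optional[int]:
    """Stateless rule: each packet is inspected on its own.
    Returns the index of the first packet that contains the whole signature,
    or None, which is exactly what happens when the signature straddles
    a segment boundary."""
    for i, pkt in enumerate(packets):
        if sig in pkt:
            return i
    return None

def match_reassembled(packets: List[bytes], sig: bytes) -> Optional[int]:
    """Full reassembly: join the segments in order, then search.
    Returns the stream offset of the signature or None."""
    stream = b"".join(packets)
    off = stream.find(sig)
    return off if off != -1 else None

def match_streaming(packets: List[bytes], sig: bytes) -> Optional[int]:
    """Stateful scan without buffering the whole stream: keep only the last
    len(sig) - 1 bytes of the previous segment so a signature split at any
    boundary is still seen. Returns the stream offset of the hit or None."""
    carry = b""
    consumed = 0          # bytes of stream fully processed so far
    for pkt in packets:
        buf = carry + pkt
        idx = buf.find(sig)
        if idx != -1:
            # buf starts at stream offset consumed - len(carry)
            return consumed - len(carry) + idx
        keep = min(len(buf), len(sig) - 1)
        carry = buf[-keep:] if keep else b""
        consumed += len(pkt)
    return None

if __name__ == "__main__":
    for mss in (1460, 1008):
        pkts = segment(PAYLOAD, mss)
        print(f"mss={mss}: per-packet={match_per_packet(pkts, SIGNATURE)} "
              f"reassembled={match_reassembled(pkts, SIGNATURE)} "
              f"streaming={match_streaming(pkts, SIGNATURE)}")
```

With 1460-byte segments the signature sits inside the first segment and all three matchers fire; with 1008-byte segments the per-packet matcher reports nothing while the reassembling and streaming matchers both report offset 1000. The practical lesson is the one the reply reaches empirically: a content rule on a TCP service is only as good as the stream reassembly in front of it, so a string that matched over one transport should be retested over each of the others (here, port 3127) before being trusted.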

