Full Disclosure mailing list archives
Re: MyDoom.f binary string
From: Jason Brewer <fulldisclosure99 () yahoo com>
Date: Wed, 25 Feb 2004 13:58:27 -0600
SMTP monitoring tests using the previous binary string were unsuccessful. This string resulted positive in all SMTP tests (not the virus itself, but sending emails w/ an infected ZIP attached).

52 71 67 4E 64 65 42 4F 76 33 4F 71 4A 45 46 30

The previous tests involved SMB (copying the file to a network share).. The packet sizes evidently ended smaller with SMTP and my original string got split over two packets.
So.. I have no idea if either string will match when the virus tries to copy over port 3127 (the only untested protocol), but I have rules with both strings setup and waiting patiently.
Jason Brewer wrote:
> I was able to get my hands on two copies of the virus.. They are
> slightly different in size and definitely have different md5sums.
>
> I created a couple of signatures using this string that matched in both
> files:
>
> 25 E5 6C D1 3C 2B 44 53 A8 34 B0 C1 14 3F E4 37
>
> I'm monitoring ports 25, 135:139, 445, and 3127 with this signature to
> try and catch all methods of propagation.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
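As an added illustration of the split-over-two-packets problem described in the message (example code, not from the thread or its author): a byte signature inspected one packet at a time is missed when it straddles a segment boundary, while reassembling the stream, or carrying the last len(sig)-1 bytes of each segment into the next, still finds it. The signature bytes are the two strings quoted in the thread; the traffic is constructed filler, and the segment size is an assumed parameter.

```python
# Added example: per-packet vs. stream-aware byte-signature matching.
# Signature bytes come from the thread; the "traffic" below is constructed.

SIG_SMB = bytes.fromhex("25E56CD13C2B4453A834B0C1143FE437")   # original (SMB-tested) string
SIG_SMTP = bytes.fromhex("5271674E6465424F76334F714A454630")  # string that fired in SMTP tests


def packetize(stream: bytes, mss: int) -> list:
    """Split a byte stream into in-order segments of at most mss bytes (constructed)."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def match_per_packet(packets, sig: bytes) -> bool:
    """Naive rule: every segment is searched on its own; a straddling match is lost."""
    return any(sig in pkt for pkt in packets)


def match_reassembled(packets, sig: bytes) -> bool:
    """Stream-aware rule: reassemble the segments in order, then search once."""
    return sig in b"".join(packets)


def match_with_carry(packets, sig: bytes) -> bool:
    """Cheaper stream-aware rule: keep the last len(sig)-1 bytes of the previous
    segment so a signature split across a boundary is still seen whole."""
    tail = b""
    for pkt in packets:
        window = tail + pkt
        if sig in window:
            return True
        tail = window[-(len(sig) - 1):] if len(sig) > 1 else b""
    return False


def demo(sig: bytes, prefix_len: int, mss: int) -> dict:
    """Embed sig after prefix_len filler bytes, segment at mss, and report which rules fire."""
    stream = b"A" * prefix_len + sig + b"B" * 40          # constructed payload
    pkts = packetize(stream, mss)
    return {
        "packets": len(pkts),
        "per_packet": match_per_packet(pkts, sig),
        "reassembled": match_reassembled(pkts, sig),
        "carry": match_with_carry(pkts, sig),
    }


if __name__ == "__main__":
    print("signature straddles boundary:", demo(SIG_SMB, 100, 110))
    print("signature inside one segment:", demo(SIG_SMB, 100, 200))
```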