Full Disclosure mailing list archives

[Full-Disclosure] RE: [Full-disclosure] Not into Refuting tall-tales and stories about the Mydoom worms


From: "Clairmont, Jan" <JMC13 () mail3 cs state ny us>
Date: Fri, 30 Jan 2004 12:02:38 -0500

First, there is nothing in your analysis that excludes an embedded Forth
interpreter or code; second, there are fingerprints for a TSR, since it is
an .exe and quite able to install one.  Was there a search to eliminate
the possibility?  There is plenty of unanalyzed code, and looking at the
disassembled code there are fingerprints of a TSR and Forth in my opinion.
I am waiting on Mydoom.2 for any other unseen exploits.  Were the int
calls examined for suspicious behavior?  Looking at the TSR hex codes and Forth
formats there could definitely be activity there.

Your analysis does not seem complete or extensive enough to rule out
anything.

Jan Clairmont

-----Original Message-----
From: Gadi Evron [mailto:ge () egotistical reprehensible net] 
Sent: Friday, January 30, 2004 10:40 AM
To: bugtraq () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] Refuting tall-tales and stories about the Mydoom
worms


The document contains information and reverse engineering bits of the 
Mydoom worms, refuting claims and rumors about them with facts.

It updates http://www.math.org.il/newworm-digest1.txt.

Also, we provide proof within the document of the DDoS attack that many
in the world now report does not happen, along with a time table for the
attack.

You can find our document at: http://www.math.org.il/mydoom-facts.txt

        Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
