Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Full-Disc]: mydoom.exe decyphering?

From: Anders <CNQQTROVMYSY () spammotel com>
Date: Sat, 31 Jan 2004 16:15:10 +0100
Hi,


OK, this can readily be deducted somewhat from the mydoom.exe but not
entirely. Ironically aladdin systems can find itself back in the worm's
'strings' output... a part of it is compressed with stuffit.


Are you looking at the files from the URLs posted yesterday? Those
were packed with stuffit before uploaded. The stuffit part is not in
the version that's ITW.


So: (sync-1...o.01; andy.I'm just doing myk....ob, noth.personal.....}rry)



- how did sophos fill in the blanks, or did they


As discussed on the list, the files are packed with a runtime packer,
so, they have to be unpacked/dumped in order to see the unpacked data.

Best regards,
Anders


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: