Full Disclosure mailing list archives

Re: mydoom.c information


From: m.mohr () laposte net
Date: Sun, 7 Mar 2004 14:01:01 -0800 (PST)

See comments inserted in reply:

On Sun, 7 Mar 2004, morning_wood wrote:

basically looking for sync-src-1.00.tbz.  That message was posted to this

avail on infected hosts

The whole point is that I don't *want* to be infected.  I don't have an
infected host because I am a good admin.  I want to obtain a copy of the
source code, not the binary virus.


This is how I came to be in possession of it:

nc -l -p 3127 > doomjuice.dump

You will probably want to write a
loop to restart netcat because it exits after a successful transfer.


nc -L -p 3127 > out.txt    note: "-L" will not exit your listener,
as it is for a persistent listener.

Okay.  Strangely enough, my version of netcat doesn't have an option "L":
nc [v1.10]
bash-2.05b$ nc -L
nc: invalid option -- L
nc -h for help
bash-2.05b$

Additionally, the whole point of writing a script is that I actually
*want* my listener to exit so that it can be called again and write to a
new file, thus separating infection attempts cleanly.  This removes the
need for me to comb through a huge dump and guess where each virus
begins and ends.  E.g.:

x=0; while true; do x=$((x+1)); nc -l -p 3127 > 3127.$x; done


please see
http://lists.netsys.com/pipermail/full-disclosure/2004-February/017126.html

Thanks for the link ... I wish I had been able to find this earlier, it
would have helped me quite a bit.  Although the bit about intentionally
infecting oneself doesn't exactly make me want to jump for joy.


as I do not wish to type-iterate.

Donnie Werner
http://exploitlabs.com


In any case, thank you for your reply!

Regards,
Michael Mohr

P.S. I visited your website and it has some good information on it.  One
thing really needs to change though IMHO: Flash isn't cool.  If I can't
see it in lynx, I generally don't want to see it.
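The one-file-per-connection loop in the message above can be extended into a small capture-and-catalogue script. The script below is an added example, not code from either poster: it keeps the same `nc -l -p PORT` listener (Unix netcat 1.10, which exits after one connection; the `-L` re-listen flag belongs to the Windows port of netcat and is rejected by the Unix build, as the transcript shows), names each capture by port, UTC timestamp and sequence number, discards empty connections that sent no data, and records the SHA-256 and size of every non-empty capture in an index so identical copies of the same worm body are recognised without combing through dumps. The capture directory, index file name and minimum size are this example's own choices.

```shell
#!/bin/sh
# Per-connection capture loop for a listener on TCP 3127, plus a small
# catalogue step. Added example, not the original poster's script.
# Assumes a Unix netcat that accepts "-l -p PORT" and exits after one
# connection (the behaviour the thread relies on). The directory,
# index file name and minimum size below are this example's choices.

PORT="${PORT:-3127}"
CAPDIR="${CAPDIR:-./captures}"
INDEX="$CAPDIR/index.txt"
MINBYTES=1   # captures smaller than this are treated as empty probes

# Portable SHA-256 of a file (sha256sum on GNU, shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Name for the N-th capture: port.timestamp.sequence, so files sort in
# arrival order and never overwrite each other.
capture_name() {
    printf '%s/%s.%s.%04d' "$CAPDIR" "$PORT" "$(date -u +%Y%m%dT%H%M%SZ)" "$1"
}

# Record one finished capture: delete empty probes (return 1), otherwise
# append "sha256 size filename" to the index and print that line.
record_capture() {
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -lt "$MINBYTES" ]; then
        rm -f "$f"
        printf 'empty %s\n' "$f"
        return 1
    fi
    line="$(hash_file "$f") $size $f"
    printf '%s\n' "$line" >> "$INDEX"
    printf '%s\n' "$line"
}

# Number of distinct payloads in the index (same hash = same worm body).
distinct_payloads() {
    [ -f "$INDEX" ] || { echo 0; return; }
    awk '{print $1}' "$INDEX" | sort -u | wc -l | tr -d ' '
}

# The listener loop from the thread, with the catalogue step after each
# connection. Runs until interrupted.
capture_loop() {
    mkdir -p "$CAPDIR"
    n=0
    while true; do
        n=$((n + 1))
        out=$(capture_name "$n")
        nc -l -p "$PORT" > "$out"
        record_capture "$out" || true
    done
}

# Only open the socket when invoked as "sh capture.sh run"; sourcing the
# file just defines the functions.
if [ "${1:-}" = "run" ]; then
    capture_loop
fi
```

Running `sh capture.sh run` on an otherwise unused host gives one file per inbound connection and an index that can be diffed against hashes from the list thread or an AV vendor; the empty-file check matters because port scanners connect to 3127 without sending anything and would otherwise clutter the directory with zero-byte captures.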

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
