Determining Version

[Ryan Russell <ryan () securityfocus com>]

I've had someone request that I post to the list how I'm determining that
I'm seeing CRv2, and not some other variant.

First off, I'm just grabbing copies with netcat:

nc -l -p 80 > gotcha

Everytime BlackICE Defender goes off with the "Suspicious URL", I ctrl-C
the Netcat, rename gotcha to gotcha#, and then restart the netcat program
above.

Then, I do a fc:

C:\codered>fc /b gotcha6 gotcha7
Comparing files gotcha6 and gotcha7
00000CDC: 3B 4B
00000CDD: E0 00
00000CDE: 41 42
00000CE0: 00 56
00000CE1: 01 34
00000CE2: 00 12
00000CE3: 00 B8
00000D04: 9A FA
00000D05: 18 41
00000D06: 47 B0

CD4-CEC is marked as "Padding Bytes", and D02-D07 is marked as "self
modifiying code".  See eEye disassembly of CRv1.  As long as the version
you get doesn't vary outside of those byte ranges, it should be CRv2.

                                        Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com