[Dshield] Two versions of DoomJuice?

Blake McNeill mcneillb at linklogger.com
Tue Feb 10 20:18:17 GMT 2004


Based on a visual analysis I think there might be two versions of DoomJuice
out there.  I'm not sure what differences there are between the versions,
but here is why I think there are two different versions.

Version A sends the MyDoom 'program upload and execute' command separately
from the bulk program upload, as shown in this PortPeeker capture:

TCP Connection Request
--- 10/02/2004 11:55:56.832

62.114.66.16 : 2301 TCP Connected ID = 3
--- 10/02/2004 11:55:56.902
Status Code: 0 OK

62.114.66.16 : 2301 TCP Data In Length 5 bytes : MD5 =
DD24B5AE639F3E697F0CB15AEE609F7C
--- 10/02/2004 11:55:57.002
0000   85 13 3C 9E A2                                       ..<..


62.114.66.16 : 2301 TCP Data In Length 1460 bytes : MD5 =
218D4518EDBB78D57B4FE75BAAEDE8B5
--- 10/02/2004 11:55:57.212
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00      MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00      ........@.......


In version B the 'command' string is included in the bulk program upload:

TCP Connection Request
--- 10/02/2004 12:10:34.814

200.181.159.241 : 4861 TCP Connected ID = 3
--- 10/02/2004 12:10:34.885
Status Code: 0 OK

200.181.159.241 : 4861 TCP Data In Length 1445 bytes : MD5 =
5123F868B6D13C2BF6356828EE8BC199
--- 10/02/2004 12:10:34.985
0000   85 13 3C 9E A2 4D 5A 90 00 03 00 00 00 04 00 00      ..<..MZ.........
0010   00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00      .............@..


Does this make sense, and if so, what other differences might there be?

Blake
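As an added illustration (not Blake's code and not from the post), here is a Python check that reassembles the inbound TCP payload before matching the 5-byte command and the 'MZ' header taken from the dumps above, so that a detection rule does not miss version A just because the command arrives in its own segment; the segment sequences are constructed from the bytes shown in the two captures, and the 'other' label is a hypothetical split not seen in them.

```python
import hashlib

# Bytes taken from the captures in the post: the 5-byte 'program upload and
# execute' command and the start of the uploaded PE image (DOS 'MZ' header).
CMD_PREFIX = bytes.fromhex("85133C9EA2")
PE_MAGIC = b"MZ"
PE_HEAD = bytes.fromhex(
    "4D5A90000300000004000000FFFF0000"   # offset 0x00 of the dump
    "B8000000000000004000000000000000"   # offset 0x10 of the dump
)

# Constructed inbound payload sequences modelled on the two captures
# (only the first 32 bytes of the PE are kept).
VERSION_A = [CMD_PREFIX, PE_HEAD]       # command, then PE in a separate segment
VERSION_B = [CMD_PREFIX + PE_HEAD]      # command and PE coalesced in one segment


def per_packet_match(segments):
    """Naive rule: fires only if one segment starts with command + 'MZ'.
    Misses version A, where the two parts arrive in different segments."""
    return any(seg.startswith(CMD_PREFIX + PE_MAGIC) for seg in segments)


def stream_match(segments):
    """Reassemble the inbound byte stream first, then apply the same rule.
    Framing-independent: catches both captures and any other split, even
    one that falls inside the 5-byte command."""
    return b"".join(segments).startswith(CMD_PREFIX + PE_MAGIC)


def classify(segments):
    """Label the framing: 'A' (command alone in the first segment), 'B'
    (command immediately followed by 'MZ'), 'other' (hypothetical split
    not seen in the captures), or None if the signature is absent."""
    if not stream_match(segments):
        return None
    first = segments[0]
    if first == CMD_PREFIX:
        return "A"
    if first.startswith(CMD_PREFIX + PE_MAGIC):
        return "B"
    return "other"


def uploaded_image(segments):
    """Return the PE bytes that follow the command, e.g. for hashing or
    comparing uploads across hosts; empty if the command is not present."""
    stream = b"".join(segments)
    return stream[len(CMD_PREFIX):] if stream.startswith(CMD_PREFIX) else b""


if __name__ == "__main__":
    for name, segs in (("A", VERSION_A), ("B", VERSION_B)):
        print(name, per_packet_match(segs), stream_match(segs), classify(segs),
              hashlib.md5(uploaded_image(segs)).hexdigest())
```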