[Dshield] Two versions of DoomJuice?

Chuck Lewis clewis at iquest.net
Tue Feb 10 21:24:35 GMT 2004


Blake,

I just read that the author is trying to cover his butt/tracks by placing
the actual code on the PC with this new version. It depends on the PC
already being infected. This way he can claim he got infected like everyone
else; that is the logic of this note.

See:

http://nl.internet.com/ct.html?rtr=on&s=1,ppi,1,3ndp,b8ja,lpcg,juuw

Chuck

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Blake McNeill
Sent: Tuesday, February 10, 2004 3:18 PM
To: General DShield Discussion List
Subject: [Dshield] Two versions of DoomJuice?

Based on a visual analysis I think there might be two versions of DoomJuice
out there.  I'm not sure what differences there are between the versions,
but here is why I think there are two different versions.

Version A sends the myDoom 'program upload and execute' command separately
from the bulk program upload, as shown in this PortPeeker capture:

TCP Connection Request
--- 10/02/2004 11:55:56.832

62.114.66.16 : 2301 TCP Connected ID = 3
--- 10/02/2004 11:55:56.902
Status Code: 0 OK

62.114.66.16 : 2301 TCP Data In Length 5 bytes : MD5 =
DD24B5AE639F3E697F0CB15AEE609F7C
--- 10/02/2004 11:55:57.002
0000   85 13 3C 9E A2                                       ..<..


62.114.66.16 : 2301 TCP Data In Length 1460 bytes : MD5 =
218D4518EDBB78D57B4FE75BAAEDE8B5
--- 10/02/2004 11:55:57.212
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00      MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00      ........@.......


In version B the 'command' string is included in the bulk program upload:

TCP Connection Request
--- 10/02/2004 12:10:34.814

200.181.159.241 : 4861 TCP Connected ID = 3
--- 10/02/2004 12:10:34.885
Status Code: 0 OK

200.181.159.241 : 4861 TCP Data In Length 1445 bytes : MD5 =
5123F868B6D13C2BF6356828EE8BC199
--- 10/02/2004 12:10:34.985
0000   85 13 3C 9E A2 4D 5A 90 00 03 00 00 00 04 00 00      ..<..MZ.........
0010   00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00      .............@..


Does this make sense, and if so, what other differences might there be?

Blake

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
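The two captures above differ only in segmentation: the same 5-byte prefix and the same MZ image arrive either as two TCP segments (version A) or as one (version B). The script below is an added example, not code from the thread or from PortPeeker; it parses dump text in the line format Blake quoted (the two captures are embedded, with the 1460-byte segment truncated to the 32 bytes shown), labels each connection A or B by the per-segment rule Blake describes, and then shows that a check on the reassembled stream matches both. The function names, the `ip:port` keys and the treatment of the 5-byte prefix as the 'upload and execute' command are assumptions of this example.

```python
import re

# 5-byte prefix that both captures in the thread show ahead of the MZ image
# (assumed here to be the 'program upload and execute' command the thread names).
DOOMJUICE_CMD = bytes.fromhex("85133C9EA2")
MZ_MAGIC = b"MZ"

# Constructed from the PortPeeker output quoted in Blake's mail. The 1460-byte
# segment is only shown to 32 bytes there, so it is truncated here as well.
CAPTURE_A = """\
62.114.66.16 : 2301 TCP Connected ID = 3
62.114.66.16 : 2301 TCP Data In Length 5 bytes : MD5 = DD24B5AE639F3E697F0CB15AEE609F7C
0000   85 13 3C 9E A2                                       ..<..
62.114.66.16 : 2301 TCP Data In Length 1460 bytes : MD5 = 218D4518EDBB78D57B4FE75BAAEDE8B5
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00      MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00      ........@.......
"""

CAPTURE_B = """\
200.181.159.241 : 4861 TCP Connected ID = 3
200.181.159.241 : 4861 TCP Data In Length 1445 bytes : MD5 = 5123F868B6D13C2BF6356828EE8BC199
0000   85 13 3C 9E A2 4D 5A 90 00 03 00 00 00 04 00 00      ..<..MZ.........
0010   00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00      .............@..
"""

DATA_LINE = re.compile(r"^(\S+) : (\d+) TCP Data In Length (\d+) bytes")
# Offset, then hex pairs separated by single spaces; the ASCII column is
# separated by several spaces, so the repeated group stops before it.
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{4}\s+((?:[0-9A-Fa-f]{2}(?: |$))+)")


def parse_portpeeker(text):
    """Group the inbound payload of each 'Data In' record under its peer.

    Returns {"ip:port": [segment_bytes, ...]} in arrival order.
    """
    peers = {}
    current = None
    for line in text.splitlines():
        m = DATA_LINE.match(line)
        if m:
            key = f"{m.group(1)}:{m.group(2)}"
            peers.setdefault(key, []).append(bytearray())
            current = peers[key][-1]
            continue
        m = HEX_LINE.match(line)
        if m and current is not None:
            current.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return {k: [bytes(s) for s in v] for k, v in peers.items()}


def classify_segments(segments):
    """Per-segment view, the one the captures in the thread show.

    'A': command alone in its own segment and the MZ image starting the next.
    'B': command and MZ header sharing one segment.
    'unknown': command seen but neither layout; None: no command at all.
    """
    for i, seg in enumerate(segments):
        if not seg.startswith(DOOMJUICE_CMD):
            continue
        rest = seg[len(DOOMJUICE_CMD):]
        if rest.startswith(MZ_MAGIC):
            return "B"
        if not rest and i + 1 < len(segments) and segments[i + 1].startswith(MZ_MAGIC):
            return "A"
        return "unknown"
    return None


def stream_has_upload(segments):
    """Reassembled-stream view: both variants carry the same byte sequence,
    so a rule that looks at the concatenated stream matches A and B alike.
    """
    stream = b"".join(segments)
    idx = stream.find(DOOMJUICE_CMD)
    return idx != -1 and stream[idx + len(DOOMJUICE_CMD):].startswith(MZ_MAGIC)


if __name__ == "__main__":
    for name, text in (("capture A", CAPTURE_A), ("capture B", CAPTURE_B)):
        for peer, segs in parse_portpeeker(text).items():
            print(name, peer, "segments:", len(segs),
                  "variant:", classify_segments(segs),
                  "stream match:", stream_has_upload(segs))
```

The practical point for anyone writing a signature from these captures: a rule anchored on a packet that begins with the 5-byte prefix and nothing else would fire on version A only, while one anchored on a packet beginning with `MZ` would miss version B's first segment; matching on the reassembled stream, as `stream_has_upload` does, is independent of how the sender happened to segment the upload.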
