[Dshield] Two versions of DoomJuice?

John Draper lists at webcrunchers.com
Wed Feb 11 21:37:21 GMT 2004


On Feb 10, 2004, at 12:18 PM, Blake McNeill wrote:

> Based on a visual analysis I think there might be two versions of DoomJuice
> out there.  I'm not sure what differences there are between the versions,
> but here is why I think there are two different versions.
>
> The version A sends the myDoom 'program upload and execute' command separate
> from the bulk program upload as shown in this PortPeeker capture:

So far, we have about 7 - 8 snort rules which seem to catch ALL of the Doom
series of Virii.

In fact, it also picked up 2 new viruses we were totally unaware of, and
sent them in to the virus companies for further analysis.  One such virus
had been released more than 18 months ago, but never reported, because it
didn't spread hardly at all, but it was picked up.

Now, we can catch 100% of them....  YAY!  Finally...  not even the AV
folks can claim this....

John



