[Dshield] Two versions of DoomJuice?

Portz, Jon jportz at kforce.com
Wed Feb 11 21:53:01 GMT 2004

Care to post your snort sigs? 


Jon Portz

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of John Draper
Sent: Wednesday, February 11, 2004 4:37 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Two versions of DoomJuice?

On Feb 10, 2004, at 12:18 PM, Blake McNeill wrote:

> Based on a visual analysis I think there might be two versions of 
> DoomJuice
> out there.  I'm not sure what differences there are between the 
> versions,
> but here is why I think there are two different versions.
> The version A sends the myDoom 'program upload and execute' command 
> separate
> from the bulk program upload as shown in this PortPeeker capture:

So far,  we have about 7 - 8 snort rules which seem to catch ALL of the 
series of Virii.

In fact,  it also picked up 2 new viruses we were totally unaware of,  
sent them in to the virus companies for further analysis.  One such 
had been released more then 18 months ago,  but never reported,  
because it
didn't spread hardly at all,  but it was picked up.

Now,  we can catch 100% of them....  YAY!  Finally...   not even the AV
folks can claim this....


list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list