[Dshield] FW: [Full-Disclosure] Hello Mydoom

Brenden Walker BKWalker at DRBSystems.com
Thu Jan 29 16:31:46 GMT 2004


I'd love to see the 624-byte TCP backdoor program written in FORTH that can
operate inside a BIOS... if it's possible at all, I can't imagine it would have
much remote control functionality....



> -----Original Message-----
> From: Micheal Patterson [mailto:micheal at tsgincorporated.com] 
> Sent: Thursday, January 29, 2004 10:43 AM
> To: list at dshield.org
> Subject: Re: [Dshield] FW: [Full-Disclosure] Hello Mydoom
> 
> 
> I'd like to know if this can be confirmed. So far, none of 
> the systems that I'm in control of have been hit by either 
> the A or B version.
> 
> 
> --
> 
> Micheal Patterson
> TSG Network Administration
> 405-917-0600
> 
> Confidentiality Notice:  This e-mail message, including any 
> attachments, is for the sole use of the intended recipient(s) 
> and may contain confidential and privileged information. Any 
> unauthorized review, use, disclosure or distribution is 
> prohibited. If you are not the intended recipient, please 
> contact the sender by reply e-mail and destroy all copies of 
> the original message.
> 
> 
> ----- Original Message ----- 
> From: "Paul Marsh" <pmarsh at nmefdn.org>
> To: <list at dshield.org>
> Sent: Thursday, January 29, 2004 8:04 AM
> Subject: [Dshield] FW: [Full-Disclosure] Hello Mydoom
> 
> 
> > Morning All:
> >
> > I don't know maybe this is the wrong thing to forward but can the 
> > coders of the group take a look at this email of FD's list.
> >
> > Thanx, Paul
> >
> > -----Original Message-----
> > From: Juari Bosnikovich [mailto:juarib at m-net.arbornet.org]
> > Sent: Wednesday, January 28, 2004 05:40 PM
> > To: full-disclosure at lists.netsys.com
> > Subject: [Full-Disclosure] Hello Mydoom
> >
> >
> > When I disassembled the virus I found new information that hasn't 
> > come up anywhere else up to this time.
> >
> > Here is the information that is believed...
> >
> > 1. use restricted usernames to send email to and from
> > 2. encode strings with ROT13 method
> > 3. create a mutex called 'SwebSipcSmtxSO' when run
> > 4. transforms into taskmon.exe and
> > 4.1 add [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
> >    "TaskMon" = %sysdir%\taskmon.exe
> > 4.2 add [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
> >    "TaskMon" = %sysdir%\taskmon.exe
> > 5. add %sysdir%\shimgapi.dll
> >   open ports 3127/tcp - 3198/tcp
> > 6. stops spreading February 12
> > 7. spreads through KaZaA and Electronic Mail System
> > 8. and more very technical facts I will not describe here
> >
> > What I found...
> >
> > Even if the virus (Mydoom) is programmed in assembler and compiled 
> > using masm it is made to look like it has been programmed in C++ when 
> > disassembling. It is a fact that much more information is hidden and 
> > undiscovered to this date, such as the fact that it will stop spreading 
> > on February 12, which is not true. Mydoom will pass into a new phase upon 
> > February 12 and it will be very much more serious as it will be updated 
> > and will mutate into Mydoom.C. The backdoor (shimgapi.dll) opens a 
> > port but this is used to obscure the real intention of Mydoom.B as well 
> > as Outlook Express.
> >
> > It was also unknown that the virus infects the BIOS of the computer it 
> > infects by injecting a 624-byte backdoor written in FORTH which will 
> > open a TCP port when Mydoom is executed AFTER February 12.
> >
> > It is a conclusion that the viral professionals who published 
> > diagnoses of the Mydoom.A virus are trying to hide something or are 
> > very incompetent.
> >
> > Also there is no way to fix the virus that is injected in the BIOS 
> > after it has been infected except by flashing it AFTER disinfecting 
> > the workstation that was infected.
> >
> >                                         Juari Bosnikovich
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> >
> 
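Added example, not from any poster in this thread: items 1-5 of the list quoted above are host-level indicators that an administrator in Micheal's position could actually check for (the TaskMon Run value in HKLM and HKCU, the dropped taskmon.exe and shimgapi.dll, the mutex name, a listener somewhere in 3127-3198/tcp, and ROT13-encoded strings in the sample). The script below runs those checks over constructed sample data: a reg query listing of the two Run keys, a netstat -an table, a list of loaded module paths, and a byte blob with ROT13-encoded file names in it. All four inputs are made up for the example, in the shapes the Windows tools print; the indicator values are the ones quoted in the post. Nothing here looks at firmware.

```python
import codecs
import re

# Indicators as listed in the quoted post (Mydoom.A, January 2004).
RUN_VALUE = "TaskMon"
DROPPED_FILES = ("taskmon.exe", "shimgapi.dll")
BACKDOOR_PORTS = range(3127, 3199)      # 3127/tcp through 3198/tcp inclusive
MUTEX = "SwebSipcSmtxSO"

# Constructed sample output, not captured from a real host, in the shape
# "reg query <key> /s" and "netstat -an" print on Windows 2000/XP.
SAMPLE_REG = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    TaskMon    REG_SZ    C:\\WINNT\\System32\\taskmon.exe

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    TaskMon    REG_SZ    C:\\WINNT\\System32\\taskmon.exe
"""

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3127       192.168.1.9:1044       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed list of module paths, as a process module listing would give them.
SAMPLE_MODULES = [
    r"C:\WINNT\System32\ntdll.dll",
    r"C:\WINNT\System32\shimgapi.dll",
]

# Constructed byte blob: the two dropped file names ROT13-encoded, padded with junk.
SAMPLE_BLOB = (b"\x00\x90\x90"
               + codecs.encode("taskmon.exe", "rot_13").encode("ascii")
               + b"\x00\xffABC"
               + codecs.encode("shimgapi.dll", "rot_13").encode("ascii")
               + b"\x00")


def run_key_hits(reg_output):
    """(key, data) for every Run value named TaskMon whose data ends in taskmon.exe."""
    hits, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = re.match(r"\s+(.+?)\s{2,}REG_\w+\s+(.+)$", line)
        if (m and m.group(1).casefold() == RUN_VALUE.casefold()
                and m.group(2).strip().casefold().endswith("taskmon.exe")):
            hits.append((key, m.group(2).strip()))
    return hits


def backdoor_listeners(netstat_output):
    """TCP ports in the 3127-3198 range that are in LISTENING state.
    An ESTABLISHED line on one of those ports is not a listener and is skipped."""
    ports = set()
    for line in netstat_output.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            ports.add(int(m.group(1)))
    return sorted(ports)


def dropped_file_hits(module_paths):
    """Module paths whose file name is one of the dropped files."""
    return [p for p in module_paths
            if p.rsplit("\\", 1)[-1].casefold() in DROPPED_FILES]


def rot13_strings(blob, min_len=6):
    """ROT13-decode every printable run in a blob; keep runs naming a dropped file.
    Item 2 of the quoted list says the sample's strings are ROT13-encoded, so a
    plain strings dump would never show taskmon.exe or shimgapi.dll."""
    found = []
    for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        plain = codecs.decode(run.decode("ascii"), "rot_13")
        if any(name in plain.casefold() for name in DROPPED_FILES):
            found.append(plain)
    return found


def assess(reg_output=SAMPLE_REG, netstat_output=SAMPLE_NETSTAT,
           modules=SAMPLE_MODULES, mutexes=(), blob=SAMPLE_BLOB):
    """Every indicator that fired; an empty dict means none matched.
    The mutex can only be seen with a live handle listing, so its names
    are passed in as a plain list here."""
    checks = {
        "run_key": run_key_hits(reg_output),
        "listeners": backdoor_listeners(netstat_output),
        "files": dropped_file_hits(modules),
        "mutex": [m for m in mutexes if m == MUTEX],
        "strings": rot13_strings(blob),
    }
    return {name: hits for name, hits in checks.items() if hits}


if __name__ == "__main__":
    for name, hits in assess(mutexes=[MUTEX]).items():
        print(name, hits)
```

On a real box the three text inputs would come from the output of reg query, netstat -an and a process module listing, and the mutex name from a handle listing; the functions only parse what they are handed, so a host where none of the indicators are present returns an empty report.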