[Dshield] FW: [Full-Disclosure] Hello Mydoom
jstewart at lurhq.com
Thu Jan 29 20:35:06 GMT 2004
On Thursday 29 January 2004 2:51 pm, Bjorn Stromberg wrote:
> Perhaps a little better analysis of the worm here:
> That BIOS stuff is nonsense as is the mutation after February 12th.
> I have yet to hear of ANYONE being able to get this worm to send a
> GET request to www.sco.com . My suspicions are that the Major A/V
> vendors jumped the gun on their analysis of what www.sco.com was
> doing in the worm.
The DoS does work, but there is a bug in the date comparison routine
which prevents it from starting at certain times, no matter what the
date. More often than not, it will NOT start. This could be a feature
instead of a bug, as the "b" variant includes an extra check of a
random number before starting the DoS, further reducing the possibility
of it happening on any given run.
Joe Stewart, GCIH
Senior Security Researcher