[Dshield] FW: [Full-Disclosure] Hello Mydoom

Joe Stewart jstewart at lurhq.com
Thu Jan 29 20:35:06 GMT 2004


On Thursday 29 January 2004 2:51 pm, Bjorn Stromberg wrote:
> Perhaps a little better analysis of the worm here:
>
> http://www.math.org.il/newworm-digest1.txt
>
> That BIOS stuff is nonsense as is the mutation after February 12th.
>
> I have yet to hear of ANYONE being able to get this worm to send a
> GET request to www.sco.com. My suspicions are that the major A/V
> vendors jumped the gun on their analysis of what www.sco.com was
> doing in the worm.

The DoS does work, but there is a bug in the date comparison routine 
which prevents it from starting at certain times, no matter what the 
date. More often than not, it will NOT start. This could be a feature 
instead of a bug, as the "b" variant includes an extra check of a 
random number before starting the DoS, further reducing the possibility 
of it happening on any given run.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/



