[Dshield] FW: [Full-Disclosure] Hello Mydoom

jayjwa jayjwa at atr2.ath.cx
Sat Jan 31 01:16:22 GMT 2004



On Thu, 29 Jan 2004, Paul Marsh wrote:

> Date: Thu, 29 Jan 2004 09:04:41 -0500
> From: Paul Marsh <pmarsh at nmefdn.org>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: list at dshield.org
> Subject: [Dshield] FW: [Full-Disclosure] Hello Mydoom


> From: Juari Bosnikovich [mailto:juarib at m-net.arbornet.org]
> Sent: Wednesday, January 28, 2004 05:40 PM
> To: full-disclosure at lists.netsys.com
> Subject: [Full-Disclosure] Hello Mydoom
>
>
> When I disassembled the virus I found new information that hasn't come
> up anywhere else to this time.
>
> Here is the information that is believed...

Most if not all of this information is/was available on any AV site on or
before Jan. 28. When the first cases came in to this list, I was able to go
to the web and find the info. This was early on the 28th, and I already had
two copies of my own which I later disassembled/analyzed by
approximately 23:00 GMT. Given that the infection had to be initialized and
build momentum to spread to me in the US, the AV companies of
Western/Eastern Europe had completed their findings, drawn up their web
pages and submitted their findings - much before your "virgin discoveries".
MyDoom is a simple example of malicious replicating code that, based on
technical "features" alone, certainly does not warrant the public media
attention it's managed to generate. It relies on basic, well-known
replication vectors that are (by and large) borrowed from Win32.Swen
(e.g. HKLM run/run-once) and a larger-than-usual dose of human
negligence. Frankly I'm surprised you didn't seem to mention
that the virus employs common UPX packing, a must-see for a successful
and correct disassembly.

>
> 1. use restricted usernames to send email to and from
> 2. encode strings with ROT13 method
> 3. create a mutex called 'SwebSipcSmtxSO' when run
> 4. transform into taskmon.exe and
> 4.1 add [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
>     "TaskMon" = %sysdir%\taskmon.exe
> 4.2 add [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
>     "TaskMon" = %sysdir%\taskmon.exe
> 5. add %sysdir%\shimgapi.dll
>     open ports 3127/tcp - 3198/tcp
> 6. stops spreading February 12
> 7. spreads through KaZaA and Electronic Mail System
> 8. and more very technical facts I will not describe here

<post snipped>

> It is a conclusion that the viral professionals that published diagnosis
> of the Mydoom.A virus are trying to hide something or are very
> incompetent.

Let's remember why they are professionals in the first place - they have
consistently proven their knowledge and methods of viral study to be
correct; correct to the point that users all over the world download their
AV products and utilize them to protect their investments and personal
property.

> Also there is no way to fix the virus that is injected in the BIOS
> after it has been infected except by flashing it AFTER disinfecting
> the workstation that was infected.

No clue what you're getting on about here.


[jayjwa]RLF#37



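The host artifacts listed in the quoted post (the TaskMon Run value, taskmon.exe and shimgapi.dll, the 'SwebSipcSmtxSO' mutex, listeners on 3127-3198/tcp, ROT13-obfuscated strings) can be turned into a triage check. This is an added example, not code from either poster; the snapshot formats it accepts (a dict of Run values, a file list, a mutex list, netstat-style lines) and the sample data are constructed assumptions.

```python
import codecs
import re

# Indicators from the quoted list; the snapshot shapes below are assumptions.
RUN_KEYS = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
DROPPED_FILES = ("taskmon.exe", "shimgapi.dll")
MUTEX_NAME = "SwebSipcSmtxSO"
BACKDOOR_PORTS = range(3127, 3199)            # 3127/tcp - 3198/tcp, inclusive
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)

def rot13_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Recover ROT13-obfuscated strings: decode every printable run in a dump."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [codecs.decode(r.decode("ascii"), "rot13") for r in runs]

def triage(run_values, files, mutexes, netstat_lines) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched.

    run_values: {registry key path: {value name: data}}  (constructed format)
    files:      file names found in %sysdir%
    mutexes:    mutex names visible on the host
    netstat_lines: `netstat -an` style output lines
    """
    findings = []
    for key in RUN_KEYS:
        data = run_values.get(key, {}).get("TaskMon", "")
        if data.lower().endswith("taskmon.exe"):
            findings.append(f"Run value {key}\\TaskMon -> {data}")
    present = {f.lower() for f in files}
    findings += [f"dropped file present: {n}" for n in DROPPED_FILES if n in present]
    if MUTEX_NAME in set(mutexes):
        findings.append(f"mutex present: {MUTEX_NAME}")
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            findings.append(f"listener on backdoor port {m.group(1)}/tcp")
    return findings

# Constructed snapshot of an infected-looking host (sample data, not real capture).
SAMPLE_RUN = {RUN_KEYS[0]: {"TaskMon": r"C:\WINDOWS\System32\taskmon.exe"}}
SAMPLE_FILES = ["kernel32.dll", "shimgapi.dll", "taskmon.exe"]
SAMPLE_MUTEXES = ["SwebSipcSmtxSO"]
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING",
                  "  TCP    0.0.0.0:3127   0.0.0.0:0    LISTENING"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_MUTEXES, SAMPLE_NETSTAT):
        print("[!]", finding)
```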



