Full Disclosure mailing list archives

Re: Re: Re: DoomJuice.A, Mydoom.A source code


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 12 Feb 2004 01:25:01 +1300

"Filipe A." <incognito () patria ath cx> wrote:

 I've done that and after 12 hours I had about 27 files. 8 of them
were unique both in size and content.  ...
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Is that not tautological?

Or were you trying to say that none of these 8 are truncated copies of 
longer files in the set?

...  I've identified the one that drops
the .tbz with source code ...

Doomjuice.A

... but that leaves me with another 7 different
files. Question is, how many things are out there piggybacking on
mydoom's backdoor?  ...

Assuming none of these seven are truncated copies of Doomjuice, don't 
forget there are a few copies of Mydoom.B out there looking for 
Mydoom.A backdoors.  These can be truncated too...  Other things I've 
seen being poked through Mydoom's backdoor include a couple of new 
downloaders, a short PE (around 5KB) that _may_ be a simple reverse 
shell and/or Mydoom process killer (i.e. some kind of "strike back" -- 
I've not had time to analyse this one yet) and simply the five byte 
command that instructs Mydoom's backdoor to "drop to a file and execute 
the following data stream"  (my guess here is that someone thinks it is 
necessary to send this command to establish whether the port is 
properly listening, so unnecessarily coded it into a scanner).

...  And now the source code is public many more
will emerge in the next few days...

Charming, eh??


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
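The distinction drawn above, between captures that are genuinely distinct and ones that are merely truncated copies of a longer file, is the first sort a triager applies to a pile of files caught on the backdoor port. The Python below is an added illustration, not code from this thread; the capture names and bytes are constructed, and the PE-like prefix is only there to make the samples look plausible.

```python
import hashlib
from collections import defaultdict

# Constructed sample captures standing in for files caught by a listener on
# Mydoom's backdoor port. Names and bytes are made up for this example.
SAMPLES = {
    "cap01.bin": b"MZ\x90\x00" + b"A" * 40,
    "cap02.bin": b"MZ\x90\x00" + b"A" * 40,  # exact duplicate of cap01
    "cap03.bin": b"MZ\x90\x00" + b"A" * 16,  # cap01 cut short mid-transfer
    "cap04.bin": b"MZ\x90\x00" + b"B" * 30,  # a genuinely different file
    "cap05.bin": b"MZ\x90",                  # only a 3-byte stub arrived
}

def group_by_hash(samples):
    """Collapse byte-identical captures; returns {sha256: [names]}."""
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[hashlib.sha256(data).hexdigest()].append(name)
    return dict(groups)

def triage(samples):
    """Split the hash-unique captures into full files and truncated copies.

    A capture counts as truncated when its bytes are a strict prefix of a
    longer capture. Returns (full_files, truncated) where truncated maps
    name -> every full file it could be a prefix of; more than one parent
    means the stub is too short to attribute to a single file.
    """
    # One representative name per distinct content, longest first, so that
    # every possible parent is already in `full` when a shorter file is seen.
    reps = sorted((names[0] for names in group_by_hash(samples).values()),
                  key=lambda n: len(samples[n]), reverse=True)
    full, truncated = [], {}
    for name in reps:
        data = samples[name]
        parents = [f for f in full
                   if len(samples[f]) > len(data) and samples[f].startswith(data)]
        if parents:
            truncated[name] = parents
        else:
            full.append(name)
    return full, truncated

if __name__ == "__main__":
    full, truncated = triage(SAMPLES)
    print("distinct contents:", len(group_by_hash(SAMPLES)))
    print("full files:", full)
    print("truncated copies:", truncated)
```

On the constructed samples, five captures collapse to four distinct contents, of which only two are full files; the 3-byte stub matches two parents and so cannot be attributed.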

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

