Full Disclosure mailing list archives
mydoom.c information
From: m.mohr () laposte net
Date: Sat, 6 Mar 2004 19:40:24 -0800 (PST)
I recently read somewhere that mydoom.c included the source code for the a variant. Being the curious type, I wanted to see it. During my research, I came across a post from a professor in the same situation as I was, basically looking for sync-src-1.00.tbz. That message was posted to this list, and so after successfully obtaining this source I thought I might share my trek.

This is how I came to be in possession of it:

The mydoom virus listens on tcp port 3127. It will accept and execute a binary streamed to it if the binary is prefixed with bytes 85 13 3c 9e a2. doomjuice spreads by 'updating' hosts already infected with previous versions of mydoom. If you want to obtain a copy, you probably need to catch a copy in the wild. To do so, you can set up a listener like this:

    nc -l -p 3127 > doomjuice.dump

Remember that the netcat dump contains control codes for mydoom, so the dumps will be 5 bytes larger than the sizes listed below. Remove these bytes or take them into account.

There are a few variants out with these filesizes:

    36,864  doomjuice.a (contains mydoom.a source code)
     5,120  doomjuice.b

doomjuice / mydoom is packed with UPX, so download a copy of UPX and decompress the file before starting work on it. The uncompressed version of doomjuice.a is 43,008 bytes. The mydoom.a source code starts at byte 1232 (0x04d0) and is 28,569 bytes long. Its name is sync-src-1.00.tbz. The archive can be extracted thus:

    dd if=doomjuice.a of=sync-src-1.00.tbz bs=1 skip=1232 count=28569

With the huge proliferation of infected hosts out there, it shouldn't be too long before your IP is contacted. You will probably want to write a loop to restart netcat because it exits after a successful transfer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
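The post above describes what a raw netcat capture on port 3127 looks like: a 5-byte control prefix (85 13 3c 9e a2), followed by a UPX-packed binary whose size identifies the variant. The following triage script is an added example for analysts sorting through such captures; it is not code from the original post or from any of the thread's participants. It checks for the prefix, strips it, compares the remaining payload size against the two sizes the post lists, and looks for an MZ header and a "UPX!" marker as a sanity check before handing the file to UPX. The `constructed_sample()` function builds a fake 5,120-byte stand-in so the script runs offline; the marker offset and contents of that stand-in are invented and carry no meaning beyond the demonstration.

```python
#!/usr/bin/env python3
"""Triage helper for raw netcat captures taken on TCP 3127.

Added example (not from the original post). It validates the 5-byte control
prefix described in the post, strips it, and reports the payload size against
the variant sizes the post lists, plus a couple of cheap sanity checks.
"""
import sys

# Control bytes the post says must precede a streamed binary.
MYDOOM_MAGIC = bytes.fromhex("85133c9ea2")

# Payload sizes listed in the post (measured AFTER the 5-byte prefix is removed).
KNOWN_SIZES = {
    36864: "doomjuice.a (contains mydoom.a source)",
    5120: "doomjuice.b",
}


def triage_dump(data: bytes) -> dict:
    """Return a small report about one captured stream.

    Works on any byte string, so a stray HTTP probe or an empty capture is
    reported rather than crashing the loop that calls this.
    """
    has_magic = data.startswith(MYDOOM_MAGIC)
    payload = data[len(MYDOOM_MAGIC):] if has_magic else data
    return {
        "has_magic": has_magic,
        "payload_len": len(payload),
        "variant": KNOWN_SIZES.get(len(payload)),   # None if size is unknown
        "is_pe": payload[:2] == b"MZ",               # DOS/PE header check
        "upx_marker": b"UPX!" in payload,            # heuristic for UPX packing
    }


def strip_prefix(data: bytes) -> bytes:
    """Remove the control prefix so the remaining bytes can be given to UPX."""
    if not data.startswith(MYDOOM_MAGIC):
        raise ValueError("stream does not start with the mydoom control prefix")
    return data[len(MYDOOM_MAGIC):]


def constructed_sample() -> bytes:
    """Constructed stand-in for a capture: prefix + fake 5,120-byte packed PE.

    The body is NOT a real sample; it only has the shape the checks look for.
    """
    body = bytearray(b"MZ" + b"\x00" * 5118)   # 5,120 bytes total
    body[0x40:0x44] = b"UPX!"                  # marker at an arbitrary offset
    return MYDOOM_MAGIC + bytes(body)


if __name__ == "__main__":
    # Usage: triage.py doomjuice.dump   (or no argument to run on the stand-in)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = constructed_sample()
    for key, value in triage_dump(data).items():
        print(f"{key}: {value}")
```

A capture that reports `has_magic: True` but an unlisted `payload_len` is still worth keeping; it simply is not one of the two sizes the post knew about at the time.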
Current thread:
- mydoom.c information m . mohr (Mar 06)
- Re: mydoom.c information Gregory A. Gilliss (Mar 07)
- Message not available
- Re: mydoom.c information m . mohr (Mar 07)
- Re: mydoom.c information John Sage (Mar 07)
- Re: mydoom.c information m . mohr (Mar 07)
- Re: mydoom.c information m . mohr (Mar 07)
- <Possible follow-ups>
- mydoom.c information morning_wood (Mar 07)
- Re: mydoom.c information John Sage (Mar 07)
- Re: mydoom.c information morning_wood (Mar 07)
- Re: mydoom.c information John Sage (Mar 07)
- Re: mydoom.c information Gyrniff (Mar 07)
- RE: mydoom.c information Chris Eagle (Mar 07)
- Re: mydoom.c information John Sage (Mar 07)