[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-Disc]: [Full-Disclosure] mydoom.exe decyphering?
From:       Anders <CNQQTROVMYSY () spammotel ! com>
Date:       2004-01-31 15:15:10
Message-ID: 127252997.20040131161510 () home ! se
[Download RAW message or body]

Hi,

> OK, this can readily be deducted somewhat from the mydoom.exe but not
> entirely. Ironically aladdin systems can find itself back in the worm's
> 'strings' output... a part of it is compressed with stuffit.

Are you looking at the files from the URLs posted yesterday? Those
were packed with stuffit before uploaded. The stuffit part is not in
the version that's ITW.

> So: (sync-1...o.01; andy.I'm just doing myk....ob, noth.personal.....}rry)

> - how did sophos fill in the blanks, or did they

As discussed on the list, the files are packed with a runtime packer,
so, they have to be unpacked/dumped in order to see the unpacked data.

Best regards,
Anders


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]