lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20040127223638.754032B4D8E@mail.evilcoder.org>
From: remko at elvandar.org (Remko Lodder)
Subject: Mydoom

even if it was a prefixed size.
one 'creative CRACKER or other lame person' would change
the virus with a single bit which makes it a bit larger,
and all the previous detects are USELESS , eventhough it
perhaps has the same sig as before

--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the
hackerscene 

-----Oorspronkelijk bericht-----
Van: full-disclosure-bounces@...ts.elvandar.org
[mailto:full-disclosure-bounces@...ts.elvandar.org]Namens Nick
FitzGerald
Verzonden: dinsdag 27 januari 2004 23:09
Aan: full-disclosure@...ts.netsys.com
Onderwerp: Re: [Full-Disclosure] Mydoom


Vlad Galu <dudu@...spar.rdsnet.ro> wrote:

> "Ferris, Robin" <R.Ferris@...ier.ac.uk> writes:
> | 
> |Does any one know what the size of the attachment is when is comes in
> |as a zip file?
> 
> 	It's the <compressed size>/<ratio>.

Admit it -- you're just guessing!

Mydoom makes its zip form by gluing together a .ZIP header for a 
single, stored (i.e. not compressed) file, the whole of the virus 
binary and a suitable one-file .ZIP central directory.  As the size of 
the first and third components depends on the length of the filename, 
the .ZIP is not of constant size because Mydoom uses different length 
filenames.

And, as I explained earlier, even the size of the .EXE can vary, adding 
yet another inconstancy to the equation.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-disclosure mailing list
Full-disclosure@...ts.elvandar.org
http://lists.elvandar.org/mailman/listinfo/full-disclosure

Powered by blists - more mailing lists