Open Source and information security mailing list archives
 
Message-ID: <5.0.0.25.2.20040127163522.04eb3c20@pop3.direcway.com>
From: madsaxon at direcway.com (madsaxon)
Subject: Mydoom

At 10:08 AM 1/28/2004 +1300, Nick FitzGerald wrote:

>That page does not specifically address the "zip attachment" form at
>all, and to the extent that it does mention .ZIP extensions it (_quite_
>incorrectly) implies that the virus' executable is simply packaged with
>such an extension.  In fact, if it sends itself with a .ZIP extension,
>Mydoom sends itself as a proper zip archive that contains a "stored"
>(i.e. not compressed) copy of its executable.

Two of the copies I've gotten have been proper .zip archives (with
.zip extension) which contained a UPX compressed executable,
many of whose ASCII strings were further obfuscated with ROT-13.

m5x
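
A defender's triage of an attachment like the one discussed in this message, as an added example that is not part of the original post: for each archive member it reports whether the entry is stored rather than deflated, whether it starts with the MZ header and carries UPX markers, and which ASCII strings only become recognisable after ROT-13. The function names, the keyword list and the inert sample archive are constructed for illustration.

```python
import codecs
import io
import re
import zipfile

EXEC_EXTS = (".exe", ".scr", ".pif", ".cmd", ".bat", ".com")
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")  # UPX section names and header magic
KEYWORDS = ("software", "microsoft", "windows")  # assumed analyst keywords

def ascii_strings(data, min_len=5):
    """Printable ASCII runs, like the strings(1) utility."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[ -~]{%d,}" % min_len, data)]

def rot13_hidden(strings, keywords=KEYWORDS):
    """Strings that match a keyword only after ROT-13 decoding."""
    hit = lambda s: any(k in s.lower() for k in keywords)
    decoded = ((s, codecs.decode(s, "rot13")) for s in strings)
    return [d for s, d in decoded if hit(d) and not hit(s)]

def triage_zip(blob):
    """Report per-member indicators for a ZIP attachment held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            findings.append({
                "name": info.filename,
                "stored": info.compress_type == zipfile.ZIP_STORED,
                "exec_ext": info.filename.lower().endswith(EXEC_EXTS),
                "mz_header": data[:2] == b"MZ",
                "upx": any(m in data for m in UPX_MARKERS),
                "rot13_strings": rot13_hidden(ascii_strings(data)),
            })
    return findings

def build_sample():
    """Constructed, inert stand-in: MZ magic, UPX names, one ROT-13 string."""
    hidden = codecs.encode("Software\\Microsoft\\Windows", "rot13").encode()
    body = b"MZ\x90\x00" + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00" + hidden + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.scr", body)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_zip(build_sample()))
```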

