Message-ID: <CB1F49F2B508604292985807CF68F5F505953816@csexchange.cs.state.ny.us>
From: JMC13 at mail3.cs.state.ny.us (Clairmont, Jan)
Subject: Get this dude.
I used to be an embedded assembly programmer, Intel 8080, Zilog Z80,
Intel 8088, 8086 etc. It is not that hard to write code to a flash prom or
other types of flash memory or static memory. Whether it is in forth, c or
assembly, you can deposit information and recall it. So what is your
problem?
The person below did an excellent forensic job of disassembling the code and
reporting the information, kudos to Juari. Are we security people or not? Then,
as Captain Ahab said, "let's all make this pledge, Death to Moby Dick!"
Not that I like killing white whales; Moby Dick's one of my favorite novels.
I'm claiming the 250,000 if Juari doesn't get it first!
Jan Clairmont
See Juari Bosnikovich post kudos to him.
When I disassembled the virus I found new information that hasn't come up
anywhere else to this time.
Here is the information that is believed...
1. use restricted usernames to send email to and from
2. encode strings with ROT13 method
3. create a mutex called 'SwebSipcSmtxSO' when ran
4. transform in taskmon.exe and
4.1 add [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = %sysdir%\taskmon.exe
4.2 add [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = %sysdir%\taskmon.exe
5. add %sysdir%\shimgapi.dll
open ports 3127/tcp - 3198/tcp
6. stops spreading February 12
7. spreads through KaZaA and Electronic Mail System
8. and more very technical facts I will not describe here
What I found...
Even if the virus (Mydoom) is programmed in assembler and compiled using
masm, it is made to look like it has been programmed in C++ when
disassembling. It is a fact that much more information is hidden and
undiscovered to this date, such as the fact that it will stop spreading on
February 12, which is not true. Mydoom will pass into a new phase upon February
12 and it will be very much more serious, as it will be updated and will
mutate into Mydoom.C. The backdoor (shimgapi.dll) does open a port, but this is
used to obscure the real intention of Mydoom.B as well as Outlook Express.
It was also unknown that the virus infects the BIOS of the computer it
infects by injecting a 624-byte backdoor written in FORTH which will open
a tcp port when Mydoom is executed AFTER February 12.
It is a conclusion that the viral professionals that published diagnoses of
the Mydoom.A virus are trying to hide something or are very incompetent.
Also there is no way to fix the virus that is injected in the BIOS after it
has been infected except by flashing it AFTER disinfecting the workstation
that was infected.
Juari Bosnikovich
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
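The indicator list in the forwarded post (the mutex name, the two Run-key entries, the dropped shimgapi.dll, the 3127-3198/tcp port range and the ROT13-encoded strings) is exactly the kind of data a responder turns into a host triage check. The following Python is an added example, not code from this thread or from any of its authors: the indicator values are taken from the post above, while the system directory path, the HostSnapshot structure and every sample artifact are constructed assumptions for illustration.

```python
"""Triage check for the Mydoom.B host indicators listed in the post.

Added example, not code from the original thread. Indicator values come from
the post; SYSDIR, HostSnapshot and the demo data are constructed assumptions.
"""
import codecs
from dataclasses import dataclass

# Indicators as stated in the post.
MUTEX_NAME = "SwebSipcSmtxSO"
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE_NAME = "TaskMon"
RUN_VALUE_DATA = r"%sysdir%\taskmon.exe"
DROPPED_FILES = (r"%sysdir%\taskmon.exe", r"%sysdir%\shimgapi.dll")
BACKDOOR_PORTS = range(3127, 3199)   # 3127/tcp - 3198/tcp, inclusive

# Constructed assumption: the system directory of the host being examined.
SYSDIR = r"C:\WINDOWS\System32"


def expand_sysdir(path: str) -> str:
    """Expand the post's %sysdir% placeholder and normalise case for matching."""
    return path.replace("%sysdir%", SYSDIR).lower()


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so the same call decodes the obfuscated
    strings the post says the sample carries."""
    return codecs.decode(text, "rot_13")


@dataclass
class HostSnapshot:
    """Artifacts an analyst collects from a suspect host (constructed layout)."""
    run_entries: dict[tuple[str, str], str]   # (registry key, value name) -> data
    files: set[str]                            # absolute paths present on disk
    listening_tcp: set[int]                    # local TCP ports in LISTEN state
    mutexes: set[str]                          # named mutexes currently held


def check_host(snap: HostSnapshot) -> list[str]:
    """Return one finding per indicator from the post that the snapshot matches."""
    findings = []
    wanted = expand_sysdir(RUN_VALUE_DATA)
    # Registry keys and paths are case-insensitive on Windows; compare lowered.
    for key in RUN_KEYS:
        for (k, name), data in snap.run_entries.items():
            if (k.lower() == key.lower() and name.lower() == RUN_VALUE_NAME.lower()
                    and expand_sysdir(data) == wanted):
                findings.append(f"persistence: {key}\\{name} = {data}")
    present = {p.lower() for p in snap.files}
    for dropped in DROPPED_FILES:
        if expand_sysdir(dropped) in present:
            findings.append(f"dropped file: {dropped}")
    for port in sorted(snap.listening_tcp):
        if port in BACKDOOR_PORTS:
            findings.append(f"backdoor listener: {port}/tcp")
    # Mutex names are case-sensitive, so this match is exact.
    if MUTEX_NAME in snap.mutexes:
        findings.append(f"mutex: {MUTEX_NAME}")
    return findings


def demo_snapshot() -> HostSnapshot:
    """Constructed sample: one host showing several of the indicators."""
    return HostSnapshot(
        run_entries={
            (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "TaskMon"):
                r"C:\WINDOWS\System32\taskmon.exe",
            (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon"):
                r"C:\WINDOWS\System32\ctfmon.exe",   # benign entry, must not match
        },
        files={r"C:\WINDOWS\System32\shimgapi.dll",
               r"C:\WINDOWS\System32\notepad.exe"},
        listening_tcp={135, 445, 3127},
        mutexes={"SwebSipcSmtxSO"},
    )


if __name__ == "__main__":
    for line in check_host(demo_snapshot()):
        print(line)
```

Run against the constructed snapshot it reports the HKLM Run entry, the dropped shimgapi.dll, the 3127/tcp listener and the mutex, and stays silent on the benign ctfmon entry; swapping in real collection output (a registry export, a file listing, netstat, a handle dump) is a matter of populating HostSnapshot.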
-----Original Message-----
From: Kenton Smith [mailto:ksmith@...rtwelltechnology.com]
Sent: Thursday, January 29, 2004 2:26 PM
To: Clairmont, Jan
Cc: 'full-disclosure@...ts.netsys.com'
Subject: RE: [Full-Disclosure] Culprit Bio: Perfect Storm Averted or Just Ahead?
If you're a FORTH programmer, can you comment on the validity of this?
"It was also unknown that the virus infects the BIOS of the computer it
infects by injecting a 624bytes backdoor written in FORTH which will open
port tcp when Mydoom will be executed AFTER febuary 12."
I'm not a programmer, nor am I a BIOS expert, but this seems bogus to me.
Kenton
On Thu, 2004-01-29 at 11:04, Clairmont, Jan wrote:
<snip>
> If there are 1000 Forth programmers in the world I would be
> surprised. They would need communications knowledge, programming; being
> one myself, there are not too many of those. This narrows the gene pool
> significantly if anyone in the know is searching.
<snip>