lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <200401292210.i0TMAng12550@singularity.tronunltd.com>
From: Ian.Latter at mq.edu.au (Ian Latter)
Subject: MyDoom bios infection

Sorry Juari,

> It appears that what I called sooner a BIOS BackDoor is more of a
> Microsoft Windows exploit.

.. but you've lost all credibility.



----- Original Message -----
>From: "Juari Bosnikovich" <juarib@...et.arbornet.org>
>To: "Frank Knobbe" <frank@...bbe.us>
>Subject:  Re: [Full-Disclosure] MyDoom bios infection
>Date: Thu, 29 Jan 2004 15:45:15 -0500
>
> 
> 
> On Thu, 29 Jan 2004, Frank Knobbe wrote:
> 
> > On Thu, 2004-01-29 at 03:14, Ferris, Robin wrote:
> > > >It was also unknown that the virus infects the BIOS of the computer it
> > > >infects by injecting a 624bytes backdoor written in FORTH which will open
> > > >port tcp when Mydoom will be executed AFTER febuary 12.
> >
> > Although code in BIOS could interact with your network card, it would
> > require the correct driver routines for your particular card. Does the
> > virus come with network card drivers for a variety of cards? No? Then
> > BIOS code won't open a TCP port.
> 
> I had the same thought at first and conducted an experiment.
> 
> Using a clean Windows Server 2003 32 bit Edition on a machine with a
> network adapter using the realtek 8139 chip I installed the virus and
> setted the date to Febuary 11 11:50 and shutted it down after making sure
> the virus has been successfully installed.
> 
> Most of you would agree with me if I would say that nothing happened when
> I rebooted the machine but this is FAR from being what happened.
> 
> It appears that what I called sooner a BIOS BackDoor is more of a
> Microsoft Windows exploit. When the infected machine boots for the SECOND
> time AFTER febuary 12 it is injecting a malicious program in the Windows
> installation that downloads a new version of Mydoom which will probably be
> called Mydoom.c after it's discovery.
> 
> I understand the point of vue of unbeleivers but unfortunately it is very
> CLEAR to me that they did not conduct their own research concerning this
> VERY destructive virus.
> 
> As a reminder to the various persons which contacted me privately via
> email and to whom I shared more information PLEASE keep it private.
> 
> 					Juari Bosnikovich
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

--
Ian Latter
Internet and Networking Security Officer
Macquarie University

 Meet me at the Australian Unix and open systems
   User Group (AUUG) Security Symposium; 2004
  http://www.auug.org.au/events/2004/security/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ