lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: fulldisclosure99 at yahoo.com (Jason Brewer)
Subject: MyDoom.f binary string

SMTP monitoring tests using the previous binary string were unsuccessful.

This string resulted positive in all SMTP tests (not the virus itself, but sending 
emails w/ the an infected ZIP attached).
52 71 67 4E 64 65 42 4F 76 33 4F 71 4A 45 46 30

The previous tests involved SMB (copying the file to a network share).. The packet 
sizes evidently ended smaller with SMTP and my original string got split over two 
packets.

So.. I have no idea if either string will match when the virus tries to copy over 
port 3127 (the only untested protocol), but I have rules with both strings setup and 
waiting patiently.

Jason Brewer wrote:

 > I was able to get my hands on two copies of the virus.. They are
 > slightly different
 > in size and definitely have different md5sums.
 >
 >
 >
 > I created a couple of signatures using this string that matched in both
 > files:
 >
 > 25 E5 6C D1 3C 2B 44 53 A8 34 B0 C1 14 3F E4 37
 >
 >
 >
 > I'm monitoring ports 25, 135:139, 445, and 3127 with this signature to
 > try and catch
 > all methods of propagation.

Powered by blists - more mailing lists