Message-ID: <403CFE63.20609@yahoo.com>
From: fulldisclosure99 at yahoo.com (Jason Brewer)
Subject: MyDoom.f binary string
SMTP monitoring tests using the previous binary string were unsuccessful.
This string tested positive in all SMTP tests (not the virus itself, but sending
emails with an infected ZIP attached).
52 71 67 4E 64 65 42 4F 76 33 4F 71 4A 45 46 30
The previous tests involved SMB (copying the file to a network share).. The packet
sizes evidently ended smaller with SMTP and my original string got split over two
packets.
So.. I have no idea if either string will match when the virus tries to copy over
port 3127 (the only untested protocol), but I have rules with both strings setup and
waiting patiently.
Jason Brewer wrote:
> I was able to get my hands on two copies of the virus.. They are
> slightly different in size and definitely have different md5sums.
>
> I created a couple of signatures using this string that matched in both
> files:
>
> 25 E5 6C D1 3C 2B 44 53 A8 34 B0 C1 14 3F E4 37
>
> I'm monitoring ports 25, 135:139, 445, and 3127 with this signature to
> try and catch all methods of propagation.
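The failure Jason describes above (a content signature that matches when the file crosses an SMB share but not when it goes out over SMTP, because the bytes landed in two packets) is a stream-reassembly problem. The following is an added example, not code from the original post: it takes the 16-byte string posted for MyDoom.F (which decodes as the printable ASCII "RqgNdeBOv3OqJEF0") and runs it over constructed, harmless SMTP-looking payloads that deliberately split the pattern across a packet boundary, first with naive per-packet inspection and then with a sliding carry-over buffer. The packet contents, the `segment` helper and the function names are all assumptions made for the example.

```python
"""Per-packet vs. reassembled matching of a byte signature.

Added example, not part of the original Full Disclosure post. The signature
bytes are the ones posted for MyDoom.F; every packet below is constructed
filler (no malware), arranged so the signature straddles a packet boundary.
"""

# Signature exactly as posted: 52 71 67 4E 64 65 42 4F 76 33 4F 71 4A 45 46 30
SIGNATURE = bytes.fromhex("52 71 67 4E 64 65 42 4F 76 33 4F 71 4A 45 46 30")

# Constructed SMTP-style payloads. The signature is cut after its 7th byte,
# so packets 2 and 3 each hold only a fragment of it.
PACKETS = [
    b"DATA\r\nContent-Type: application/zip; name=\"document.zip\"\r\n",
    b"Content-Transfer-Encoding: base64\r\n\r\nUEsDBBQAAAAI" + SIGNATURE[:7],
    SIGNATURE[7:] + b"AAAAAAAAAAAAAAAAAAAAAAAA\r\n",
    b".\r\nQUIT\r\n",
]


def match_per_packet(packets, signature):
    """Naive inspection: look for the signature inside each payload on its own.

    Returns the indexes of packets that contain the whole signature. A pattern
    split over two packets is never seen."""
    return [i for i, payload in enumerate(packets) if signature in payload]


def match_reassembled(packets, signature):
    """Stream-aware inspection with a sliding carry-over buffer.

    The last len(signature)-1 bytes of each packet are prepended to the next
    one, so a match that spans a boundary is still found. Returns the absolute
    stream offsets at which the signature begins (no duplicates, because a
    full match can never fit entirely inside the carried-over tail)."""
    hits = []
    carry = b""
    offset = 0  # stream offset of carry[0] (i.e. of buf[0] below)
    for payload in packets:
        buf = carry + payload
        start = 0
        while True:
            idx = buf.find(signature, start)
            if idx == -1:
                break
            hits.append(offset + idx)
            start = idx + 1
        keep = min(len(signature) - 1, len(buf))
        carry = buf[-keep:] if keep else b""
        offset += len(buf) - len(carry)
    return hits


def segment(stream, size):
    """Re-chunk a byte stream into fixed-size packets (hypothetical MTU).

    Used to show that per-packet matching depends on where the sender happened
    to cut the stream, while reassembled matching does not."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def snort_content(signature):
    """Render the signature in the |hex| form used by Snort content: options."""
    return "|" + " ".join(f"{b:02X}" for b in signature) + "|"


if __name__ == "__main__":
    stream = b"".join(PACKETS)
    print("signature as content:", snort_content(SIGNATURE))
    print("per-packet hits      :", match_per_packet(PACKETS, SIGNATURE))
    print("reassembled hits     :", match_reassembled(PACKETS, SIGNATURE))
    for mtu in (8, 16, 64, 4096):
        chunks = segment(stream, mtu)
        print(f"mtu={mtu:5d} per-packet={match_per_packet(chunks, SIGNATURE)}"
              f" reassembled={match_reassembled(chunks, SIGNATURE)}")
```

With the constructed packets, `match_per_packet` returns nothing while `match_reassembled` reports the single true offset; re-segmenting the same stream at different sizes changes the per-packet answer but never the reassembled one. That is the behaviour to expect from an IDS that inspects TCP streams rather than individual packets, and it is why a content signature that works over one transport can silently miss over another.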