lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: jlacour at (John LaCour)
Subject: Which worm?

Hi Bob,

There are several variants of Agobot/Gaobot that are
propagating via the MyDoom/Novarg backdoor.

I've found that most of the samples I've captured
are damaged and won't run.  Try scanning them with the
RAV Antivirus online scanner.  It seems to do a good
job of identifying these things even the damaged ones.

Also, don't forget to delete the first 5 bytes off 
the capture to remove the file upload and execute 
handshake before scanning it.


> From: bob sagart [] 
> Sent: Tuesday, April 13, 2004 4:53 AM
> The other night I decided to see what traffic I could capture 
> on tcp port 
> 3127 (MyDoom backdoor) since I have been getting a lot of 
> connection attemps 
> showing up in my firewall logs.
> I got several dumps of the traffic using
> nc -l -p 3127 > out.dmp
> most of them are around 10-20kB which I thought was the about 
> the right size 
> of most of the worms and backdoors using that port. But one 
> of the dumps I 
> got was 150kB and I was just wondering if anyone could tell 
> me what I might 
> be?

Powered by blists - more mailing lists