lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: ws at (Wolfram Schroeder)
Subject: Which worm?


I'm currently in the process of learning how to analyse worms ... here 
are some things I learned/guessed/newbied so far:

1) So far, the recent notorious port-scans/exploitation-attempts appear 
to come from AGOBOT-Variants. These are complex trojans acting as 
IRC-Bots. Look for descriptions of the at AV-companies.

2) The easiest way is to get a sample is to netcat -l -p 3127 > sample. 
The port 3127 was the original MYDOOM-backdoor port. You have to remove 
the first 5 bytes to get a working executable, I use vi for this. Many 
of the samples you get with netcat are broken - complete samples seem to 
have sizes > 99k, up to 150k, we're told. The largest one I got was 130k 
(may be a broken version of the 150k sample), many others are 104k. 
AV-scanners will sometimes identify the broken samples, sometimes not. 
My heuristics is to look at the end of the file and see if there's a 
list of dll's. If not, I consider it broken - does this make sense?

3) The samples are compressed using various EXE-compressing tools. You 
can learn about/download them at One sample I got (the 
130k sample) has been compressed using exe32pack (writes this info into 
the executable), another one (99k) using UPX (has section names UPX0, 
UPX1 etc). the next one (104k) is compessed using an unknown tool or by 
an handwritten tool. The exe32pack-packed sample expands to over 400k, 
the UPX-sample to roughly 300k code. This is huge, for a worm.

These compessors often destroy information helpful with disassembling, 
with the notable exception of UPX. If you want to have an easy to 
disassemble sample I suggest you wait for the UPX-Version. You can 
discern it by loading it into vi and look for UPX0, or download upx.exe 
and run upx -t virussample. You decompess it using the -d switch.

Another question: Is there a quick way to find out which tool compressed 
an executable? A tool maybe?

4) When you have an unpacked version, you can go and look for the 
strings in the executable. The authors were helpful enough to include 
help texts. I have the theory that you should be able to get the 
host/channel/username/password for the relevant IRC-Channels from the 
executable or a network sniffer, log in using an IRC-Client and execute 
bot.die. Didn't try it, though.

=>>> Final question: Is there a forum for worm-disassembling wannabes? <<<=


Maxime Ducharme schrieb:

>Same thing for me :)
>Here are some dumps i got if someone would like
>to study them :
>login : mydoom
>pass : 3127
>Archive pass : 3127dumps
>If you do any analysis, please cc me i'm interested.
>Have a nice day
>Maxime Ducharme Programmeur / Sp?cialiste en s?curit? r?seau
>----- Original Message ----- 
>From: "bob sagart" <>
>To: <>
>Sent: Tuesday, April 13, 2004 10:22 PM
>Subject: RE: [Full-Disclosure] Which worm?
>>Heres the capture file I got, I started sending this to individual people
>>but I decided to send it to the whole list so sorry if your one of the
>>that got it twice. the zip file password is: pass
>>>From: "bob sagart" <>
>>>Subject: [Full-Disclosure] Which worm?
>>>Date: Tue, 13 Apr 2004 23:53:17 +1200
>>>MIME-Version: 1.0
>>>Hey everyone
>>>The other night I decided to see what traffic I could capture on tcp port
>>>3127 (MyDoom backdoor) since I have been getting a lot of connection
>>>attemps showing up in my firewall logs.
>>>I got several dumps of the traffic using
>>>nc -l -p 3127 > out.dmp
>>>most of them are around 10-20kB which I thought was the about the right
>>>size of most of the worms and backdoors using that port. But one of the
>>>dumps I got was 150kB and I was just wondering if anyone could tell me
>>>I might be?
>>>I cannot send it as an attachment as hotmail says it is a virus.
>>>Check out news, entertainment and more @
>>>Full-Disclosure - We believe in it.
>>Check out news, entertainment and more @
>Full-Disclosure - We believe in it.

Powered by blists - more mailing lists