http://www.nwfusion.com/research/2004/090604sans.html

As a new variant of the MyDoom virus begins spreading across the Internet, slowing search engines to a crawl in the late morning of July 26, Johannes Ullrich jumps into action.
Ullrich, CTO at the SANS Institute's Internet Storm Center (ISC) and one of 30 "handlers" who cover the storm center round the clock, is on duty this morning. He doesn't have far to go to find the virus; there are already a bunch of copies in his e-mail in-box.

He gets to work, first saving a copy of the virus code (a file called instruction.exe), and then, using VMware software, which lets you run multiple operating systems on a single device, he executes the virus in Windows 2000 to see what it does. By using VMware on his SuSE Linux system, Ullrich can create an operating system sandbox that prevents permanent damage from a virus or rogue application. As soon as the VMware session is restarted, the virtual Win 2000 session is essentially wiped out and a clean install is created.

While most malicious applications use file encryption to help mask their intentions, a tool called LordPE lets Ullrich capture the program as it runs. The Ethereal protocol analyzer lets him see what network ports the virus is using and what type of traffic it generates on a packet-by-packet basis...
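The reason a runtime dump (what LordPE captures) differs from the file on disk is that packed or encrypted malware ships its real code as near-random bytes, or unpacks it into a section that has no on-disk data at all. The following script is an added example, not code from the article or from any of the tools it names: it parses the PE section table of a constructed UPX-style image and flags those two symptoms; section names, sizes and characteristics flags are assumed sample values.

```python
import math
import struct
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (name, virtual_size, raw_size, entropy_of_raw_bytes) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", image, pe_off + 6)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0] # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # section table follows optional header
    out = []
    for i in range(nsect):
        name, vsize, _va, rsize, rptr, *_ = struct.unpack_from(SECTION_FMT, image, table + 40 * i)
        raw = image[rptr:rptr + rsize]
        out.append((name.rstrip(b"\0").decode(), vsize, rsize, round(entropy(raw), 2)))
    return out

def looks_packed(sections) -> bool:
    """Heuristic: a section with no on-disk bytes but a large in-memory size (the unpacker's
    target), or raw data that is near-random (the compressed/encrypted payload)."""
    return any((r == 0 and v > 0) or e > 7.0 for _n, v, r, e in sections)

def build_sample() -> bytes:
    """Constructed minimal PE32 image mimicking a UPX-style layout; not a real binary."""
    opt_size = 224
    hdr_end = 0x40 + 24 + opt_size + 2 * 40
    raw_off = (hdr_end + 0x1FF) & ~0x1FF                       # align raw data to 512 bytes
    payload = bytes(range(256)) * 2                            # stands in for encrypted code
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = b"\0" * opt_size
    s0 = struct.pack(SECTION_FMT, b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    s1 = struct.pack(SECTION_FMT, b"UPX1", len(payload), 0x11000, len(payload), raw_off,
                     0, 0, 0, 0, 0xE0000040)
    image = dos + coff + opt + s0 + s1
    return image + b"\0" * (raw_off - len(image)) + payload
```

Run against the constructed image, `parse_sections` reports UPX0 with 64 KiB of virtual size and zero raw bytes and UPX1 with entropy 8.0, so `looks_packed` returns True; a plain compiler-built image with only `.text`/`.data` sections of normal entropy returns False.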
