Err, Pegasus Mail :) (a free POP3 client)
Seriously..! When I get some time I plan to add the exe and zip filters to
SpamPal, which is a free Windows-based anti-spam POP3 proxy that supports
multiline regular expressions. It has some virus-specific base-64 sigs, but
does not currently have t
What are you using for attachment filters? My Astaro attachment
filter is killing MyDoom without one getting through.
lsi wrote:
Since the first MyDoom (which appeared almost six months ago, to the
day) I have been nice and snug behind my executable attachment
filter. And my zipfile attachmen
>>> "lsi" <[EMAIL PROTECTED]> 27/07/2004 11:14:20 >>>
> My current thoughts are something like this:
> U.*E.*s.*D.*B.*A.*o.*A.*A.*
> Still got newline prob though.
Careful -- that (corrected) regexp will overoptimistically match strings like: 'United
Arab Emirates branch seeks Data Base Administr
February 12, The Register (UK) - Nachi variant wipes MyDoom from PCs. A new
variant of the Nachi worm which attempts to cleanse computers infected by
MyDoom and download Microsoft security patches to unprotected computers
arrived on the Internet Thursday, February 12. Nachi.B (also called Welchi)
Hi all!
I've heard about a tool that disinfects a mydoomed system remotely.. do you
know anything about it?
B$
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
fire, and he'll be warm for a day; set a man on fire, and he'll
be warm for the rest of his life."
- Original Message -
From: "Bill Royds" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, February 08, 2004 10:26 AM
Su
An earlier message sent to the Full Disclosure list was a copy of the Mydoom virus
(since FD is not moderated).
It shows a little how this virus is propagating and one reason for its fast spread and
persistence.
By using email addresses in files and saved email and also generating random addres
On Tue, 27 Jan 2004 13:08:27 +0200
Tal Kelrich <[EMAIL PROTECTED]> wrote:
> I have 8 samples varying from 46200 to 60272
>
Sorry, that was a mistake, entirely bogus, please ignore.
Tal Kelrich
--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
Key Available at
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Nick FitzGerald
>
> Steve Wray <[EMAIL PROTECTED]> wrote:
>
[snip]
> > If a virus could spread slowly but stealthily, it could be all over
> > the planet and activated before any antivirus vendor became aware
> > of its presen
Steve Wray <[EMAIL PROTECTED]> wrote:
> Paul, your quoting is a bit off there (makes it look as if I wrote
> that),
> but to address the points, as one person wrote, it's difficult to spread
> fast when you are trying to be stealthy; I would argue that if one is
> stealthy enough, one doesn't nee
Please allow me to clarify - I merely intended to indicate that I know
Dan to be a man of personal and professional integrity, no endorsement
of the practice was intended, sorry for any confusion.
On Jan 31, 2004, at 2:54 PM, Nick FitzGerald wrote:
Roland Dobbins <[EMAIL PROTECTED]> wrote:
I k
Hello Steve,
* Steve Wray <[EMAIL PROTECTED]> [2004-01-31 23:00]:
> > You can always disassemble the virus, which is what people
> > will do if it's a real "popular" one such as MyDoom.
>
> IIRC there are viruses that are encrypted and are almost impossible
> to disassemble?
>
> Would that be
Roland Dobbins <[EMAIL PROTECTED]> wrote:
> I know Dan Spisak personally, and can vouch for his honesty and
> integrity.
And _you_ are???
It seems you largely missed the point.
...
Anyway, it is interesting to know that Cisco employs people who think
there is integrity in both publicly distr
On Sun, 01 Feb 2004 10:46:09 +1300, Steve Wray <[EMAIL PROTECTED]> said:
> but to address the points, as one person wrote, it's difficult to spread
> fast when you are trying to be stealthy; I would argue that if one is
> stealthy enough, one doesn't need to spread fast since one is trying to
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Steve Wray
> Sent: Sunday, 1 February 2004 10:46 a.m.
> To: 'Paul Schmehl'; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] MyDoom download info
>
>
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Paul Schmehl
>
> --On Saturday, January 31, 2004 12:25 PM -0500
> [EMAIL PROTECTED]
> wrote:
>
> > On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray
> > <[EMAIL PROTECTED]> said:
> >
> > What worries me is we haven't seen *either* an actual damaging vir
--On Saturday, January 31, 2004 12:25 PM -0500 [EMAIL PROTECTED]
wrote:
On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray
<[EMAIL PROTECTED]> said:
What worries me is we haven't seen *either* an actual damaging virus
(imagine if the last 2 lines of Mydoom were "sleep(4hours); exec("format
c:");") or
> Somehow, I'd feel better about this claim if I had found key 0xFC9ABEE3
> on any of the 6 public key servers I tried. Bonus points for (a) having
> a signature other than your own on the key, (b) having signatures to
> connect it into the "strongly-connected set", and (c) knowing what the
> stro
On Fri, 30 Jan 2004 17:07:12 PST, Daniel Spisak said:
> from, let alone the fact that I PGP sign all my email to this list?
Somehow, I'd feel better about this claim if I had found key 0xFC9ABEE3
on any of the 6 public key servers I tried. Bonus points for (a) having
a signature other than your
On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray <[EMAIL PROTECTED]> said:
> I've often thought that none of the viruses so far encountered on the
> net are actually serious.
>
> What worries me are the viruses that have been around for a while
> and which have, so far, not been detected; these ar
I know Dan Spisak personally, and can vouch for his honesty and
integrity.
On Jan 30, 2004, at 4:38 PM, Scott Taylor wrote:
Am I the only one that found it to be a little bit shady that these were
made available as executables? Is the "B" version posted somewhere as
just a plain zip? I don't se
> >It actually un-UPX-ed just fine for me. What version have you been trying?
>
> MyDoom.B as posted by someone else on this list. UPX -d doesn't work so you
> have to do it manually which shouldn't be a problem.
Oh, that clarifies it - I've just been looking at a copy of .A as it came to
me ama
> It's still UPX packed, but it won't unpack with "UPX -d" because the author
> used a simple UPX scrambler. Either undo what he did or unpack it manually
> and you'll see all the code.
It actually un-UPX-ed just fine for me. What version have you been trying?
It disassembled nicely after that.
> It's still UPX packed, but it won't unpack with "UPX -d" because the author
> used a simple UPX scrambler. Either undo what he did or unpack it manually
> and you'll see all the code.
It actually un-UPX-ed just fine for me. What version have you been trying?
MyDoom.B as posted by someone else
BTW, apparently there is a yet undiscovered bug in MyDoom.B code
that prevents it from spreading effectively. Much of the code is
encrypted, so dissecting proceeds slowly.
It's still UPX packed, but it won't unpack with "UPX -d" because the author
used a simple UPX scrambler. Either undo what he d
t; <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 31, 2004 5:58 AM
Subject: RE: [Full-Disclosure] MyDoom download info
> > > to successfully unpack the program. All they really needed to
> > > do was dump it from memory while it was runnin
Am I the only one that found it to be a little bit shady that these were
made available as executables? Is the "B" version posted somewhere as
just a plain zip? I don't seem to have already received my free copy in
the mail yet.
On Fri, 2004-01-30 at 12:17, Daniel Spisak wrote:
> http://www.nonmu
Ok, so because you happen to be on a security list, you are
automatically to be trusted? Do you remember the so-called
"ProFTPD-1.2.9rc2 remote exploit" from Oct 24, 2003? It was described
like this:
Ladies and gentlemen, here's the source code of the exploit for the
latest release of ProFTPD. This
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
If you had read the README-FIRST.TXT file you would know that the files
are self-extracting archives.
Secondly, wouldn't it be somewhere in the neighborhood of dumb to
massively idiotic for me to post virii examples that I have trojaned
with my own
> to successfully unpack the program. All they really needed to
> do was dump it from memory while it was running and they could've analyzed
> it immediately with any disassembler.
Forgive me, I am no assembly hacker nor much of a programmer,
but would it be possible for a program to 'react' in som
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> first last
[snip]
> >
> >IIRC there are viruses that are encrypted and are almost impossible
> >to disassemble?
> >
> >Would that be true?
> >
>
> Sobig.F was packed with tElock. It's a PE file protector. It
> "encrypts" the p
> >IE: how do you know that the behavior you see in the lab reflects
> >behavior in
> >the real world? (I get a kind of 'schrodingers cat' deja vu).
>
> You can always disassemble the virus, which is what people
> will do if it's a real "popular" one such as MyDoom.
IIRC there are viruses that are
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> first last
>
> > Given that it's possible for a program to detect that it's
> > being run under a debugger,
> > wouldn't it be possible for a virus to behave differently in
> > the debug environment?
>
> Yes. But today's comput
Given that it's possible for a program to detect that it's being run under
a debugger, wouldn't it be possible for a virus to behave differently in
the debug environment?
Yes. But today's computer viruses are very simple and very weak. Wait a few
years and they should be a lot more powerful.
[...]
I
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Daniel Spisak
>
> Hey guys,
>
> In the interest of saving my sanity and my inbox I am
> posting this to the list as I am just starting to get buried under everyone's
> emails for requesting the copies of the virii and I've got other priorities th
-Original Message-
>
>Sorry Juari,
>
>> It appears that what I called sooner a BIOS BackDoor is more of a
>> Microsoft Windows exploit.
>
>.. but you've lost all credibility.
While I applaud Juari's efforts, there is a BIG difference between a Windows
exploit and alteration of the system
Sorry Juari,
> It appears that what I called sooner a BIOS BackDoor is more of a
> Microsoft Windows exploit.
.. but you've lost all credibility.
- Original Message -
>From: "Juari Bosnikovich" <[EMAIL PROTECTED]>
>To: "Frank Knobbe"
Hello WolfgangK,
On January 29, 2004, 6:34:49, you wrote:
Experience shows that programmers are quick to "improve" upon initial code,
modifying and releasing variants (note Sobig and now Mydoom.b -
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,89494,00.html?SKC=news89494
).
On Thu, 29 Jan 2004, Frank Knobbe wrote:
> On Thu, 2004-01-29 at 03:14, Ferris, Robin wrote:
> > >It was also unknown that the virus infects the BIOS of the computer it
> > >infects by injecting a 624-byte backdoor written in FORTH which will open
> > >port tcp when Mydoom will be executed AFTER
On Thu, 2004-01-29 at 14:45, Juari Bosnikovich wrote:
> It appears that what I called sooner a BIOS BackDoor is more of a
> Microsoft Windows exploit. When the infected machine boots for the SECOND
> time AFTER February 12 it is injecting a malicious program in the Windows
> installation that do
On Tue, 27 Jan 2004 10:10:39 -
"Ferris, Robin" <[EMAIL PROTECTED]> wrote:
> Does anyone know what the size of the attachment is when it comes in as a
> zip file?
I have 8 samples varying from 46200 to 60272
--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA6
Frank Knobbe wrote:
On Thu, 2004-01-29 at 03:14, Ferris, Robin wrote:
It was also unknown that the virus infects the BIOS of the computer it
infects by injecting a 624-byte backdoor written in FORTH which will open
port tcp when Mydoom will be executed AFTER February 12.
Although code in BIOS cou
On Thu, 2004-01-29 at 12:09, Ben Nelson wrote:
> > Although code in BIOS could interact with your network card, it would
> > require the correct driver routines for your particular card. Does the
> > virus come with network card drivers for a variety of cards? No? Then
> > BIOS code won't open a TC
On Thu, 2004-01-29 at 03:14, Ferris, Robin wrote:
> >It was also unknown that the virus infects the BIOS of the computer it
> >infects by injecting a 624-byte backdoor written in FORTH which will open
> >port tcp when Mydoom will be executed AFTER February 12.
Although code in BIOS could interact w
Hi,
> That'd be an interesting defense. Has anyone tried renaming
> their incoming MX machine so that it includes one of these strings?
I think all email addresses which contain the unwanted strings are
filtered out before asking for the mx host for a specific domain - so
this defense won't work.
> "WolfgangK" == WolfgangK <[EMAIL PROTECTED]> writes:
WolfgangK> acketst, arin., avp, berkeley, borlan, bsd, example, fido,
WolfgangK> foo., fsf., gnu, google, .gov, gov., hotmail, iana,
WolfgangK> ibm.com, icrosof, ietf, inpris, isc.o, isi.e, kernel,
WolfgangK> linux, math, .mil, mit.e, moz
> 2. It would be difficult for a malicious programmer, cyber terrorists or
> cyber activists to target a specific environment and protect others (e.g.,
> launch denial of service against SCO.com because I like LINUX and don't like
> SCO legal actions. Protect my computer at Berkley.edu because I
8:03
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] MyDoom Email targets
At 09:26 AM 1/27/2004 -0800, Scott Manley wrote:
>I've noticed I'm getting a load of messages to my catch all domains with
>addresses like [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] - it's
From: "Ferris, Robin" <[EMAIL PROTECTED]>
Date sent: Tue, 27 Jan 2004 10:10:39 -
> Does anyone know what the size of the attachment is when it comes in as a
> zip file?
About the same size, 22, 23K. Actually, the zip file is ever so slightly
larger, since th
"Remko Lodder" <[EMAIL PROTECTED]> to me:
> even if it was a prefixed size.
> one 'creative CRACKER or other lame person' would change
> the virus with a single bit which makes it a bit larger,
> and all the previous detects are USELESS , even though it
> perhaps has the same sig as before
Did you
madsaxon <[EMAIL PROTECTED]> to me:
> >That page does not specifically address the "zip attachment" form at
> >all, and to the extent that it does mention .ZIP extensions it (_quite_
> >incorrectly) implies that the virus' executable is simply packaged with
> >such an extension. In fact, if it se
> And, as I explained earlier, even the size of the .EXE can vary, adding
> yet another inconstancy to the equation.
There is one consistency that may help people build mail filters. The virus
codes the zip attachment as a mime type of application / octet-stream
(without the spaces) instead of ap
Vlad Galu <[EMAIL PROTECTED]> wrote:
> "Ferris, Robin" <[EMAIL PROTECTED]> writes:
> |
> |Does anyone know what the size of the attachment is when it comes in
> |as a zip file?
>
> It's the /.
Admit it -- you're just guessing!
Mydoom makes its zip form by gluing together a .ZIP header f
DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the
hacker scene
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Nick
FitzGerald
Sent: Tuesday, 27 January 2004 23:09
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Mydoom
Vlad Ga
At 10:08 AM 1/28/2004 +1300, Nick FitzGerald wrote:
That page does not specifically address the "zip attachment" form at
all, and to the extent that it does mention .ZIP extensions it (_quite_
incorrectly) implies that the virus' executable is simply packaged with
such an extension. In fact, if i
<[EMAIL PROTECTED]> wrote:
> 22,528 bytes
No -- as I explained in my reply, and others have posted empirical data
backing up the claim, the size of the zip attachment form varies
depending on the length of the filename within the archive.
> More details at:
> http://securityresponse.symantec.
Yes I've been seeing a LOT of that as well, and I believe it is an attempt
to mess up the blacklist spamtrap addresses such as the ones that spamcop
uses. The worm appears to generate a bunch of very common named email
addresses all on its own.
Geo.
-Original Message-
I've noticed I'm g
> "Scott" == Scott Manley <[EMAIL PROTECTED]> writes:
Scott> I've noticed I'm getting a load of messages to my catch all domains
Scott> with addresses like [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] - it's highly
Scott> unlikely that this would be part of anyone's address book - is
At 09:26 AM 1/27/2004 -0800, Scott Manley wrote:
I've noticed I'm getting a load of messages to my catch all domains with
addresses like [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] - it's highly unlikely that
this would be part of anyone's address book - is there some mechanism in the
"Ferris, Robin" <[EMAIL PROTECTED]> writes:
|Hi
|
|Does anyone know what the size of the attachment is when it comes in
|as a zip file?
It's the /.
|
|TIA
|
|RF
|
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, a
On Tue, 27 Jan 2004, Ferris, Robin <[EMAIL PROTECTED]> wrote:
> Does anyone know what the size of the attachment is when it comes in as
> a zip file?
So far the ZIP ones I've seen (thousands) are all between 22640 and 22798
bytes inclusive.
--
Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN
22,528 bytes
More details at:
http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]
Joe Klein
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ferris, Robin
Sent: Tuesday, January 27, 2004 5:11 AM
To:
"Ferris, Robin" <[EMAIL PROTECTED]> wrote:
> Does anyone know what the size of the attachment is when it comes in as a
> zip file?
Yes and no.
Or, more helpfully, it is not a fixed size.
The size of the .ZIP depends on the length of the randomly selected
filename that the sending instance of
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Robin,
so I have a few files ;-]
- -rw-r--r-- 1 thorolf wheel 22642 Jan 27 11:31 /tmp/file.zip
- -rw-r--r-- 1 thorolf wheel 22798 Jan 27 11:49 /tmp/document.zip
- -rw-r--r-- 1 thorolf wheel 22528 Jan 27 12:01 /tmp/file.pif
- -rw-r--r-- 1