
RE: [Full-Disclosure] Which worm?



Hi Bob,

There are several variants of Agobot/Gaobot that are
propagating via the MyDoom/Novarg backdoor.

I've found that most of the samples I've captured
are damaged and won't run.  Try scanning them with the
RAV Antivirus online scanner.  It seems to do a good
job of identifying these things, even the damaged ones.

Also, don't forget to delete the first 5 bytes off
the capture to remove the file upload and execute
handshake before scanning it.

-John

http://www.ravantivirus.com/scan/indexie.php




> From: bob sagart [mailto:bobsagart500@xxxxxxxxxxx]
> Sent: Tuesday, April 13, 2004 4:53 AM
>
> The other night I decided to see what traffic I could capture on tcp port
> 3127 (MyDoom backdoor) since I have been getting a lot of connection attempts
> showing up in my firewall logs.
> I got several dumps of the traffic using
> nc -l -p 3127 > out.dmp
> most of them are around 10-20kB which I thought was about the right size
> of most of the worms and backdoors using that port. But one of the dumps I
> got was 150kB and I was just wondering if anyone could tell me what it might
> be?
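The triage John describes, as an added example that is not part of this thread: take a capture made with `nc -l -p 3127 > out.dmp`, drop the first 5 bytes of upload/execute handshake, hash what remains, and use the PE section table to tell a damaged (truncated) sample from a complete one before handing it to a scanner. The placeholder handshake bytes and the sample PE blob are constructed for testing; the 5-byte length is John's figure from above, not a verified constant, and `build_sample_pe` is a test helper, not something found in real captures.

```python
import hashlib
import struct

# Length of the file-upload/execute handshake that precedes the payload on a
# MyDoom/Novarg backdoor (tcp/3127) capture: 5 bytes, per John's note above.
HANDSHAKE_LEN = 5
# Placeholder prefix for constructed test captures (not the real handshake bytes).
FAKE_HANDSHAKE = b"\0" * HANDSHAKE_LEN

def strip_handshake(capture, handshake_len=HANDSHAKE_LEN):
    """Drop the leading handshake so what remains is the uploaded file."""
    if len(capture) < handshake_len:
        raise ValueError("capture shorter than the handshake prefix")
    return capture[handshake_len:]

def pe_expected_size(data):
    """Minimum file size implied by the PE section table, or None if the data
    is not a parseable PE image. A payload shorter than this is truncated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_hdr_size
    expected = sec_table + num_sections * 40
    for i in range(num_sections):
        off = sec_table + i * 40
        if off + 40 > len(data):
            return expected  # section table itself is cut off
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        expected = max(expected, raw_ptr + raw_size)
    return expected

def triage(capture):
    """Strip the handshake, hash the payload and flag damaged (truncated) PEs."""
    payload = strip_handshake(capture)
    expected = pe_expected_size(payload)
    return {"sha1": hashlib.sha1(payload).hexdigest(), "size": len(payload),
            "is_pe": expected is not None,
            "truncated": expected is not None and len(payload) < expected}

def build_sample_pe(body_len):
    """Constructed, non-executable PE-shaped blob: DOS header, one section at 0x200."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", body_len, 0x1000, body_len, 0x200)
    return (dos + coff + sec + b"\0" * 16).ljust(0x200, b"\0") + b"\x90" * body_len
```

Run `triage(open("out.dmp", "rb").read())` on a real capture; a result with `is_pe` true and `truncated` true is one of the damaged samples John mentions, and the hash lets you look it up without submitting the file twice.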

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html