00.tbz SUCCESS Options: OverwriteIf Access: All
What is the sync-src-1.00.tbz file and why is it being copied to several directories? After
further inspection, it appears to be source code for some program. Hmm, that is suspicious;
why would the attacker want that source code placed all over the system, particularly
in user profile locations?
Chapter 20: Collecting Malware and Initial Analysis
515
PART V
Gray Hat Hacking: The Ethical Hacker's Handbook
516
Taking a look in that archive, we find inside the main.c file the following string:
"sync.c, v 0.1 2004/01." A quick check of Google reveals that these files are the source
code for the MyDoom virus.
You can also see in the source code an include of the massmail.h library. Since we don't
see any e-mail messaging API calls, it appears that our binary is not compiled from the
source; instead it contains the source as a payload.
That's really odd. Perhaps the attacker is trying to ensure that he is not the only one
with the source code of this MyDoom virus. Perhaps he thinks that by distributing it
with this second worm, it will make it harder for law enforcement agencies to trace the
code back to him.
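The reasoning above (the dropped .tbz holds source code, and the binary carries that source as a payload rather than being built from it) can be checked mechanically. The following Python script is an added example, not code from the book: it carves bzip2-compressed tar archives out of a binary image, lists their members, and flags the identifying string and the headers each member includes. The dropper blob and the archive contents it builds are constructed placeholders, not the real MyDoom source.

```python
import bz2
import io
import re
import tarfile

# bzip2 stream header: "BZh" + block-size digit + first block magic (pi in BCD)
BZ2_MAGIC = re.compile(rb"BZh[1-9]\x31\x41\x59\x26\x53\x59")
# Identifying string the chapter found in main.c
MARKER = b"sync.c, v 0.1 2004/01"
INCLUDE_RE = re.compile(rb'#include\s+"([^"]+)"')

def build_sample_dropper() -> bytes:
    """Constructed test data: a fake binary image with a .tbz payload inside.
    The archive contents are placeholders, not the real MyDoom source."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, body in (
            ("main.c", b"/* " + MARKER + b" */\n#include \"massmail.h\"\n"),
            ("massmail.h", b"/* constructed placeholder header */\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return b"MZ" + b"\x00" * 64 + bz2.compress(tar_buf.getvalue()) + b"\x00" * 16

def carve_embedded_tbz(blob: bytes) -> dict:
    """Scan a blob for bzip2 streams; for each one that decompresses to a tar
    archive, return {offset: {member_name: bytes}}. False hits are skipped."""
    archives = {}
    for m in BZ2_MAGIC.finditer(blob):
        try:
            raw = bz2.BZ2Decompressor().decompress(blob[m.start():])
            with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tar:
                members = {t.name: tar.extractfile(t).read()
                           for t in tar.getmembers() if t.isfile()}
        except (OSError, EOFError, ValueError, tarfile.TarError):
            continue  # magic matched by chance, or a truncated stream
        archives[m.start()] = members
    return archives

def identify_source(members: dict) -> dict:
    """Report which members carry MARKER and which headers they include, so an
    analyst sees 'source carried as payload' without unpacking by hand."""
    report = {}
    for name, data in members.items():
        includes = [h.decode() for h in INCLUDE_RE.findall(data)]
        report[name] = {"marker": MARKER in data, "includes": includes}
    return report

if __name__ == "__main__":
    for off, members in carve_embedded_tbz(build_sample_dropper()).items():
        print(f"bzip2 stream at offset {off}: {identify_source(members)}")
```

Run against a real sample, the same two functions take the raw bytes of the suspect binary instead of the constructed blob; a hit with `marker: True` and an include of massmail.h, but no e-mail API calls in the binary's own imports, is the pattern the chapter describes.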
Process Explorer
The Process Explorer tool is very useful in examining running processes.