Page 888

Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

conf file if you like.
What Have We Discovered?
It appears that the binary we captured was indeed a form of malware called a worm. The malware has been classified by the antivirus companies as the first of the Doomjuice family of worms (Doomjuice.A). The purpose of the worm appears to be to connect to already infected MyDoom victims. First, it creates a mutex to ensure that only one copy of the malware runs at a time. Next, it protects itself by making a registry entry so that it survives reboots. Then it drops a copy of the source code for the MyDoom virus in several locations on the system. Finally, the worm begins a methodical scan to look for other infected MyDoom victims (which listen on TCP port 3127).
CAUTION Without reverse engineering, you are not able to determine all the functionality of the binary. In this case, as can be confirmed on Google, it turns out there is a built-in denial-of-service attack on microsoft.com, but we were not able to discover it with static and live analysis alone. The DoS attack is only triggered in certain situations.
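The one behavior above that is visible on the network is the methodical sweep for MyDoom victims on TCP port 3127. The following is an added example (not from the book) of how a defender might flag that sweep in connection logs: it alerts on any source that contacts a threshold number of distinct destinations on 3127 within a short time window. The log format, the threshold, the window, and all log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MYDOOM_BACKDOOR_PORT = 3127   # port the worm probes for infected MyDoom hosts
DISTINCT_TARGETS = 5          # distinct destinations before we alert (assumed)
WINDOW = timedelta(seconds=60)  # time window for the sweep (assumed)

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <flag>"
SAMPLE_LOG = """\
2004-02-09T10:00:01 10.0.0.5 192.168.1.10 3127 SYN
2004-02-09T10:00:02 10.0.0.5 192.168.1.11 3127 SYN
2004-02-09T10:00:02 10.0.0.5 192.168.1.12 3127 SYN
2004-02-09T10:00:03 10.0.0.5 192.168.1.13 3127 SYN
2004-02-09T10:00:03 10.0.0.5 192.168.1.14 3127 SYN
2004-02-09T10:00:04 10.0.0.5 192.168.1.10 3127 SYN
2004-02-09T10:00:05 10.0.0.7 192.168.1.20 3127 SYN
2004-02-09T10:00:06 10.0.0.9 192.168.1.30 80 SYN
2004-02-09T10:00:07 10.0.0.9 192.168.1.31 80 SYN
2004-02-09T10:00:00 10.0.0.8 192.168.1.40 3127 SYN
2004-02-09T10:02:00 10.0.0.8 192.168.1.41 3127 SYN
2004-02-09T10:04:00 10.0.0.8 192.168.1.42 3127 SYN
2004-02-09T10:06:00 10.0.0.8 192.168.1.43 3127 SYN
2004-02-09T10:08:00 10.0.0.8 192.168.1.44 3127 SYN
"""

def parse_line(line):
    # Returns (timestamp, src_ip, dst_ip, dst_port); the flag column is ignored.
    ts, src, dst, port, _flag = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_sweepers(log_text, port=MYDOOM_BACKDOOR_PORT,
                  threshold=DISTINCT_TARGETS, window=WINDOW):
    """Map src_ip -> max distinct hosts hit on `port` inside any `window`."""
    events = defaultdict(list)          # src_ip -> [(timestamp, dst_ip)]
    for line in log_text.strip().splitlines():
        ts, src, dst, dport = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))
    alerts = {}
    for src, hits in events.items():
        hits.sort()                     # sliding window needs time order
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1              # drop hits that fell out of the window
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts
```

Counting distinct destinations rather than raw connections keeps a host that retries one peer from triggering the alert, and the window keeps slow, spread-out traffic (10.0.0.8 in the sample) below the threshold unless you deliberately widen it.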
References
www.grayhathackingbook.com
Lenny Zeltser's famous paper www.zeltser.com/reverse-malware-paper/
PEiD Tool http://peid.has.it/
PE Tools www.uinc.ru
UPX http://upx.

