[Full-Disclosure] mydoom.exe decyphering?
danny at ricin.com
Sat Jan 31 02:10:25 GMT 2004
(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)
OK, this can readily be deduced somewhat from the mydoom.exe but not
entirely. Ironically, Aladdin Systems can find itself back in the worm's
'strings' output... a part of it is compressed with StuffIt.
[download MyDoomB, cut out the StuffIt part, unstuff it and cut out the
(3rd/last) data part (use tail or so). Then hexdump -C that one again]
Here's the part with the text (use fixed font in your mail client):
HEX    ff  87  22  92  00  0a  0a  28  73  79  6e  63  2d  31  2e  fd
ASCII  *   *   32  *   0   10  10  40  115 121 110 99  45  49  46  *
SYMBOL *   *   "   *   *   *   *   (   s   y   n   c   -   1   .   *

HEX    ff  6f  ff  30  31  3b  20  61  6e  64  79  05  49  27  6d  20
ASCII  *   111 *   48  49  59  32  97  110 100 121 5   73  39  109 32
SYMBOL *   o   *   0   1   ;       a   n   d   y   *   I   '   m

HEX    6a  75  73  74  20  64  6f  69  6e  67  20  6d  79  6b  ff  ef
ASCII  106 117 115 116 32  100 111 105 110 103 32  109 121 107 *   *
SYMBOL j   u   s   t       d   o   i   n   g       m   y   k   *   *

HEX    bf  0d  6f  62  2c  20  6e  6f  74  68  0f  70  65  72  73  6f
ASCII  *   13  111 98  44  32  110 111 116 104 15  112 101 114 115 111
SYMBOL *   *   o   b   ,       n   o   t   h   *   p   e   r   s   o

HEX    6e  61  6c  11  06  a6  fb  ae  7d  72  72  79  29  42  47  40
ASCII  110 97  108 17  6   *   *   *   125 114 114 121 41  66  71  64
SYMBOL n   a   l   *   *   *   *   *   }   r   r   y   )   B   G   @
So: (sync-1...o.01; andy.I'm just doing myk....ob, noth.personal.....}rry)
A few observations:
- 'noth*' seems to get its 'ing ' part from the token 'doing '
- likewise ' just' must be the inspiration for ' job', replacing the ' j' with
'k****' where * are non-ASCII. Note that ' just' fits into '****' and j=k-1
- '*****}rry' should translate to ' sorry' or (Sophos) ', sorry'
- is it sync-1.01 or perhaps sync-1.1.p01 or so? Does anyone have any idea what this
sync is anyway?
- if 'BG@' at the end could in some way end up being 'BEGIN', we have a
uuencoded remainder which would have to be 'decrypted' first.
- how did Sophos fill in the blanks, or did they?
One would think the entire data chunk would be encrypted or encoded or
whatever you want to call it in the same manner (something like uuencode/decode
can be used to have binary data changed and obfuscated as text and
restored to binary through a one-to-one (de)obfuscation, right?).
Any thoughts? Is this a known algorithm that I'm not aware of for Unicode
compression or something similar? How do other people investigate a binary? (I
look at hexdumps, strings, output of 'file', magic numbers/strings...)
Let me dare say something I'm going to regret (heck, this list is full of
flamethrowers anyway ;-). To be honest, I have an unpleasant feeling that this
whole thing might be staged. It's so suggestive. But I lack the skill to look
further and don't passionately care enough either. Yet, this is one
interesting thing with the whole MS and SCO background.
Please note, I use FreeBSD exclusively, not Windows, but was bored and got
interested, and I'm wondering if anyone has done any research or
experimenting on this. I've looked at them on my FreeBSD desktop box. I'm not
familiar with Windows code other than looking at some worm and noticing that
it has smtp code or so. The things with archives within executables holding
executables and even with a Mac archiving package being used, uhhmm I'll pass
on that and just assume that that's all normal and doable out there over the
Hope you don't blame me for trying to have some interesting discussion. No
matter what your skill level, it sure beats the ever present pissing
--Dan (normally lurker with habitual attraction to DEL key)
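The following is an added example, not code from the original post or from any of the people mentioned in it. It reproduces the three-row HEX / ASCII / SYMBOL view used in the message and pulls out the printable runs the way strings(1) would, so the by-hand reconstruction above can be redone on any byte chunk. The 80 sample bytes are transcribed from the hexdump in the post; the helper names are the example's own.

```python
# Added example (not from the original post): a small triage helper that
# prints the HEX / ASCII / SYMBOL table from the message and extracts
# printable runs, the same first pass the post does with hexdump and strings.

# The 80 bytes transcribed from the post's hexdump of the MyDoom.B data part
# (copied from the post; the script never touches the worm sample itself).
SAMPLE = bytes.fromhex(
    "ff 87 22 92 00 0a 0a 28 73 79 6e 63 2d 31 2e fd "
    "ff 6f ff 30 31 3b 20 61 6e 64 79 05 49 27 6d 20 "
    "6a 75 73 74 20 64 6f 69 6e 67 20 6d 79 6b ff ef "
    "bf 0d 6f 62 2c 20 6e 6f 74 68 0f 70 65 72 73 6f "
    "6e 61 6c 11 06 a6 fb ae 7d 72 72 79 29 42 47 40"
)


def is_printable(b: int) -> bool:
    """Printable 7-bit ASCII, space included (the range strings(1) uses)."""
    return 0x20 <= b < 0x7F


def dump_rows(data: bytes, width: int = 16) -> list[tuple[str, str, str]]:
    """Return (HEX, ASCII, SYMBOL) rows of `width` bytes in fixed 4-char columns.

    Non-printable bytes are shown as '*' in the ASCII and SYMBOL rows, following
    the convention of the post; a space byte keeps its own column so the rows
    stay aligned in a fixed font.
    """
    def fmt(label: str, cells: list[str]) -> str:
        return f"{label:<7}" + "".join(f"{c:<4}" for c in cells)

    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_cells = [f"{b:02x}" for b in chunk]
        dec_cells = [str(b) if is_printable(b) else "*" for b in chunk]
        sym_cells = [chr(b) if is_printable(b) else "*" for b in chunk]
        rows.append((fmt("HEX", hex_cells), fmt("ASCII", dec_cells), fmt("SYMBOL", sym_cells)))
    return rows


def show_chars(data: bytes) -> str:
    """Flatten the chunk to text with '.' for every non-printable byte (hexdump -C style)."""
    return "".join(chr(b) if is_printable(b) else "." for b in data)


def printable_runs(data: bytes, min_len: int = 3) -> list[tuple[int, str]]:
    """Return (offset, text) for every run of at least min_len printable bytes."""
    runs, start = [], None
    for i, b in enumerate(data):
        if is_printable(b):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    # A run that reaches the end of the buffer is closed here.
    if start is not None and len(data) - start >= min_len:
        runs.append((start, data[start:].decode("ascii")))
    return runs


if __name__ == "__main__":
    for hex_row, dec_row, sym_row in dump_rows(SAMPLE):
        print(hex_row)
        print(dec_row)
        print(sym_row)
        print()
    print("So:", show_chars(SAMPLE))
    for off, text in printable_runs(SAMPLE):
        print(f"{off:3d}: {text!r}")
```

Run it as a script to get the table, the flattened "So:" line and the offset of every printable fragment; the offsets make it easy to see that the gaps between fragments ('k' at 45 to 'o' at 50, for instance) are exactly the four or five non-printable bytes the post is puzzling over.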
Full-Disclosure is hosted and sponsored by Secunia.