madsaxon <[EMAIL PROTECTED]> to me: > >That page does not specifically address the "zip attachment" form at > >all, and to the extent that it does mention .ZIP extensions it (_quite_ > >incorrectly) implies that the virus' executable is simply packaged with > >such an extension. In fact, if it sends itself with a .ZIP extension, > >Mydoom sends itself as a proper zip archive that contains a "stored" > >(i.e. not compressed) copy of its executable. > > Two of the copies I've gotten have been proper .zip archives (with > .zip extension) which contained a UPX compressed executable, > many of whose ASCII strings were further obfuscated with ROT-13.
Dude, read what I said... ...if it sends itself with a .ZIP extension... That is, of the options it has for sending itself, if it chooses the the zip archive option... Keep up with the program! -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
