First, there is nothing in your analysis that excludes an embedded Forth interpreter or code; second, there are fingerprints for a TSR, since it is an .exe and quite able to install one. Was there a search to eliminate the possibility? There is plenty of unanalyzed code, and looking at the disassembled code there are fingerprints of a TSR and Forth in my opinion. I am waiting on Mydoom.2 for any other unseen exploits. Were the INT calls examined for suspicious behavior? Looking at the TSR hex codes and Forth formats, there could definitely be activity there.
Your analysis does not seem complete or extensive enough to rule out anything.

Jan Clairmont

-----Original Message-----
From: Gadi Evron [mailto:[EMAIL PROTECTED]
Sent: Friday, January 30, 2004 10:40 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Refuting tall-tales and stories about the Mydoom worms

The document contains information and reverse engineering bits of the Mydoom worms, refuting claims and rumors about them with facts. It updates http://www.math.org.il/newworm-digest1.txt.

Also, we provide proof within the document of the DDoS attack that many in the world now report does not happen, along with a time table for the attack.

You can find our document at: http://www.math.org.il/mydoom-facts.txt

Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
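One concrete way to answer the question raised in the thread about INT calls and TSR fingerprints. What follows is an added example, not code from the thread, from Gadi Evron's analysis, or from any Mydoom sample. It carves the DOS (MZ) portion of an .exe, which is the part that runs if the file is executed under DOS and the only part where real-mode INT 21h/INT 27h instructions are executed as DOS services, and byte-scans it for INT instructions, recovering the AH service number from a preceding MOV AH,imm8 or MOV AX,imm16 and flagging the sequences that install a TSR (INT 21h AH=31h, INT 27h) or hook interrupt vectors (INT 21h AH=25h/35h). Every byte string below is constructed by hand; one of them is the standard "This program cannot be run in DOS mode" stub that a PE linker emits, included so the scan has a known-benign baseline. The caveat a practitioner wants: this is a linear byte scan, not a disassembler, so a CD 21 inside data or straddling an instruction boundary is reported too, and any hit is a lead to confirm in a real disassembler, not a verdict.

```python
"""Flag DOS TSR-install and vector-hooking INT sequences in an executable's
DOS (MZ) portion.  Added example; not from the mailing-list thread or from
any Mydoom sample.  All byte strings are constructed test data."""
import struct

# 16-bit x86 opcode bytes used by the heuristic.
INT_OPCODE = 0xCD      # INT imm8
MOV_AH_IMM8 = 0xB4     # MOV AH, imm8
MOV_AX_IMM16 = 0xB8    # MOV AX, imm16 (little-endian: AL byte, then AH byte)

# (interrupt, AH) pairs worth a second look when auditing for a TSR.
TSR_SERVICES = {
    (0x21, 0x31): "INT 21h/AH=31h Keep Process (TSR install)",
    (0x21, 0x25): "INT 21h/AH=25h Set Interrupt Vector (hooking)",
    (0x21, 0x35): "INT 21h/AH=35h Get Interrupt Vector (hooking)",
}
INT27_LABEL = "INT 27h Terminate and Stay Resident"


def find_int_calls(code: bytes, lookback: int = 8):
    """Return [(offset, int_no, ah, label)] for every CD xx in `code`.

    `ah` is the AH value recovered from the nearest preceding MOV AH,imm8 or
    MOV AX,imm16 within `lookback` bytes, or None if no such MOV is seen.
    `label` is non-empty only for the TSR/hooking services above.
    Heuristic: a byte scan, not a disassembler, so expect false positives
    on CD 21 that lives in data or in the middle of another instruction.
    """
    hits = []
    for i in range(len(code) - 1):
        if code[i] != INT_OPCODE:
            continue
        int_no = code[i + 1]
        ah = None
        for j in range(i - 1, max(0, i - lookback) - 1, -1):
            if code[j] == MOV_AH_IMM8 and j + 1 < i:
                ah = code[j + 1]
                break
            if code[j] == MOV_AX_IMM16 and j + 2 < i:
                ah = code[j + 2]          # high byte of imm16 is AH
                break
        label = INT27_LABEL if int_no == 0x27 else TSR_SERVICES.get((int_no, ah), "")
        hits.append((i, int_no, ah, label))
    return hits


def tsr_fingerprints(code: bytes):
    """Only the hits that match a TSR-install or vector-hooking service."""
    return [h for h in find_int_calls(code) if h[3]]


def dos_stub(pe: bytes) -> bytes:
    """Bytes before the PE header (the DOS stub) of an MZ/PE file, or the
    whole file if it is a plain DOS MZ executable with no PE header."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return pe[:e_lfanew]
    return pe


def scan_executable(pe: bytes):
    """Carve the DOS portion and report TSR/hooking fingerprints in it."""
    return tsr_fingerprints(dos_stub(pe))


def build_fake_mz(stub_code: bytes) -> bytes:
    """Constructed minimal MZ/PE container: 0x40-byte header, stub code at
    0x40, then a PE signature.  Only enough structure for dos_stub()."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40 + len(stub_code))
    return bytes(header) + stub_code + b"PE\0\0" + b"\0" * 20


# Constructed samples.
# Standard PE DOS stub code: push cs / pop ds / mov dx,0Eh / mov ah,9 /
# int 21h / mov ax,4C01h / int 21h  (print message, then exit).
STUB_BENIGN = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")
# Hypothetical TSR installer: mov ax,2508h / mov dx,1234h / int 21h (hook
# vector 08h) / mov dx,1000h / mov ax,3100h / int 21h (keep process).
STUB_TSR = bytes.fromhex("B80825BA3412CD21BA0010B80031CD21")
# Hypothetical old-style TSR: mov dx,1000h / int 27h.
STUB_INT27 = bytes.fromhex("BA0010CD27")

if __name__ == "__main__":
    for name, stub in (("benign", STUB_BENIGN), ("tsr", STUB_TSR), ("int27", STUB_INT27)):
        for off, int_no, ah, label in scan_executable(build_fake_mz(stub)):
            print(f"{name}: +0x{off:X} INT {int_no:02X}h AH={ah} {label}")
```

Run it against a real file with `scan_executable(open(path, "rb").read())`; a clean PE normally yields no fingerprints because its linker stub only calls AH=09h and AH=4Ch, so anything reported is worth opening in a disassembler at that offset.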
