[PLUG] another virus
William Lee Irwin III
wli@holomorphy.com
Tue, 18 Sep 2001 12:57:50 -0700
On Tue, Sep 18, 2001 at 01:25:15PM -0500, Brent Meshier wrote:
> On the topic of virii, a week ago the SirCam32 started showing itself again
> (at least in my inbox). Now I'm averaging 50-80 emails a day (no joke)
> reading "I send you this file in order to have your advice". Is there a way
> for sendmail to filter all this crap out? I'm probably heavily targeted
> because my email address is on PurdueOnline and therefore in many people's
> caches. On the bright side, I could almost build a complete document
> library containing homework, notes and projects for every class offered at
> Purdue :) Someone mentioned there's a safe and easy way to view the
> infected files on Linux? Was it a hex editor?
I was curious myself one day and took time out to examine one of these
beasts. I was not enlightened.
objdump --disassemble works fine for various kinds of 'bloze
executables and DLLs, given that objdump is compiled with the (x86)
PECOFF etc. support. The use of hexedit, a UNIX hex editor, revealed
that one of these viruses was using data or code in a region of the
file not covered by the headers, and so rendered invisible to objdump.
Beyond that, it's just you, the Intel docs, and the machine code. Maybe
Micro$loth docs, too, as you might want to understand their syscalls.
Cheers,
Bill
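The check Bill did by hand in hexedit, finding bytes the PE headers never account for and that a header-driven disassembler therefore never shows, can be automated from the section table. This is an added example, not code from the thread; the PE image it inspects is constructed inline so it runs offline.

```python
import struct

def pe_uncovered_regions(data: bytes):
    """Byte ranges of a PE file that neither the headers nor any section's
    raw data map; header-driven tools such as objdump never look there."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size
    covered = [(0, sec_table + 40 * num_sections)]      # DOS/PE/section headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        if raw_size:
            covered.append((raw_ptr, raw_ptr + raw_size))
    covered.sort()
    gaps, cursor = [], 0
    for start, end in covered:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < len(data):
        gaps.append((cursor, len(data)))                 # trailing overlay
    return gaps

def nonzero_gaps(data: bytes):
    """Uncovered ranges holding something other than padding zeros."""
    return [(s, e) for s, e in pe_uncovered_regions(data) if any(data[s:e])]

def build_sample_pe() -> bytes:
    """Constructed image: one .text section at 0x200, plus 64 unmapped bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    opt_size = 0xE0                                      # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                      0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    image = bytearray(hdr.ljust(0x200, b"\0"))           # pad headers to 0x200
    image += b"\x90" * 0x200                             # .text raw data
    image += b"\xCC" * 64                                # appended, unmapped bytes
    return bytes(image)
```

Header padding between the section table and the first section normally shows up as a zero-filled gap, so `nonzero_gaps` is the list worth opening in a hex editor.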