- Re: information and reverse engineering bits of the Mydoom worm
- Posted by Gadi Evron on January 28th, 2004
Nicolas Brulez posted a reply on alt.comp.security and comp.security.misc:
http://groups.google.com/groups?selm...&output=gplain
Gadi Evron.
- Posted by s&w@none.none on January 28th, 2004
On Thu, 29 Jan 2004, Gadi Evron <ge@linuxbox.org> wrote:
ROT13?
Well, I have one msg body that is ~2k. It looks to me like binary data, not
ROT13. Here's a small sample, from the beginning of one body:
z?ܵۘwhgi*
which is:
c0 7a 3f f7 90 f9 dc b5 da d2 fe db 98 77 f1 9e ...
Maybe a programming error allows an index to point past an array of
strings. But then again, another starts off differently:
-z`*$݉iĐ'}h*C_!J<36*/ )8-9t
س%}\kܡvl(Nl
In addition, of the four of these that I have (they do resemble Taiwan spam),
they came in pairs. I.e., each member of the pair was identical to the
other, and had the same timestamp. And they all originated from dialin.net.
If the infected computer is on dialup, it might have been the same one
during two different sessions.
- Posted by Tim H. on January 29th, 2004
<s&w@none.none> wrote in message
news:20040128233122.3DC47FA869@bingo.bananasplit.info...
On Thu, 29 Jan 2004, Gadi Evron <ge@linuxbox.org> wrote:
The actual virus is 22.5KB. Also, it's compressed with UPX so the raw ROT-13
won't be available until you decompress it. Nicolas' script makes converting
it dead easy!
-Tim
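The two posts above raise two separate questions: whether the ~2k message body is binary or ROT13, and how to get at the ROT13 strings once the UPX layer is off. The following is an added example (not the script by Nicolas Brulez referred to above, and not code from any post) that does the triage a practitioner would do: a printable-ratio/entropy check on the body bytes, `strings`-style extraction plus ROT13 on an unpacked sample, and a mismatch-tolerant search for a body chunk inside the unpacked image to test the "points past an array of strings" hypothesis. It assumes the sample has already been unpacked with `upx -d` (a packed image shows no readable strings, ROT13 or otherwise). Every sample is constructed for illustration; the only bytes taken from the thread are the 16 quoted from a message body.

```python
"""Triage helpers: is a mail body binary or ROT13 text, which ROT13 strings
does an unpacked sample carry, and does a body chunk occur in that sample?
Added example; assumes the sample was unpacked with `upx -d` beforehand."""
import math
import re

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# The first 16 body bytes quoted in the thread (c0 7a 3f f7 ...).
BODY_SAMPLE = bytes.fromhex("c07a3ff790f9dcb5dad2fedb9877f19e")

# Constructed stand-in for an unpacked sample: two ROT13'd strings the
# thread itself mentions (mail subject and attachment name), some junk,
# and a copy of the body bytes at offset 35.
UNPACKED_SAMPLE = (b"\x00\x01\x02" + b"Znvy Qryvirel Flfgrz" + b"\x00\xff\x90"
                   + b"qbp.mvc" + b"\x00\x00" + BODY_SAMPLE + b"\x00")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text is ~4.5, packed/random data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (plus tab/CR/LF)."""
    return sum(1 for b in data if b in PRINTABLE) / len(data) if data else 0.0


def classify_body(data: bytes) -> str:
    """ROT13 keeps letters as letters, so a ROT13 body stays ~100% printable;
    a body full of bytes >= 0x80 is binary whatever the charset header says."""
    return "text" if printable_ratio(data) >= 0.9 else "binary"


def rot13_bytes(data: bytes) -> bytes:
    """ROT13 over ASCII letters only; other bytes pass through unchanged."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:
            b = (b - 0x41 + 13) % 26 + 0x41
        elif 0x61 <= b <= 0x7A:
            b = (b - 0x61 + 13) % 26 + 0x61
        out.append(b)
    return bytes(out)


def rot13_strings(data: bytes, minlen: int = 6) -> list:
    """`strings`-style extraction of printable runs, each then ROT13'd
    (ROT13 is its own inverse, so the same routine decodes)."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [rot13_bytes(run).decode("ascii") for run in re.findall(pattern, data)]


def find_chunk_offset(haystack: bytes, chunk: bytes, max_mismatch: int = 2) -> int:
    """Locate a mail-body chunk inside the unpacked image, tolerating a few
    bytes mangled by a mail client or charset conversion.  Returns -1 if
    absent.  A hit supports the idea that the body is read out of the
    worm's own image rather than generated."""
    n = len(chunk)
    for off in range(len(haystack) - n + 1):
        mismatches = 0
        for a, b in zip(haystack[off:off + n], chunk):
            if a != b:
                mismatches += 1
                if mismatches > max_mismatch:
                    break
        else:
            return off
    return -1


if __name__ == "__main__":
    print("body:", classify_body(BODY_SAMPLE),
          f"entropy={shannon_entropy(BODY_SAMPLE):.2f} bits/byte")
    print("strings:", rot13_strings(UNPACKED_SAMPLE))
    print("body chunk at offset", find_chunk_offset(UNPACKED_SAMPLE, BODY_SAMPLE))
```

On a real sample, replace `UNPACKED_SAMPLE` with the bytes of the `upx -d` output and `BODY_SAMPLE` with a chunk copied from a raw (not viewer-rendered) message body; the mismatch tolerance in `find_chunk_offset` exists precisely because a mail viewer or charset conversion tends to alter a few bytes of such a chunk.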
- Posted by Markus Zingg on January 29th, 2004
On Thu, 29 Jan 2004 00:34:21 +0200, Gadi Evron <ge@linuxbox.org>
wrote:
Hmm, I think we are not talking about the same thing. I therefore
thought it's best to show some raw text of an example of the e-mail.
The message text part - not the binary attachment - is what I'm
talking about, and in all other variants the message text in fact
contains the strings as seen in the disassembly. I tend more to
agree with another poster here that the worm - either intentionally or
due to a bug - uses some parts of itself as text, which gives the
appearance. Note that there are different variants of this floating
around. I'm basically searching for some easy-to-catch pattern for
this thing...
Markus
<----- cut here ------>
Return-Path: <xxxxx@xxxxxxxx.com> <- I munged this address
Received: from pirinenc.com ([81.44.90.119])
by nct.ch ([192.168.174.25]) with ESMTP
id 000044d0-16-021bd7c4; Thu, 29 Jan 2004 08:28:25 +0100
From: xxxxx@xxxxxxxx.com
To: m.zingg@nct.ch
Subject: Mail Delivery System
Date: Thu, 29 Jan 2004 08:27:26 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0004_9A71E5F3.39963C16"
X-Priority: 3
X-MSMail-Priority: Normal
This is a multi-part message in MIME format.
------=_NextPart_000_0004_9A71E5F3.39963C16
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
(4\?f
&܅hejJ3q#lIr
o.Ѥ}JqBei
q4R
V:uVkl?*h8ųAik'e54x(|ϸ0q(e. ^v|
&YK?3t10?;Ў31PU%yVe/_XAG$NJ7DT)YVaC^I/y<74\Z*HPyR{|\_uA_rd?z]h
[l?ITZqh&\{'`TW1?\#tZ5tyACYK [fЃ!W??N~p?X3zfP`!cemi^Nˉߞ B[?Syʎu*dCSNܼQ?Y5LrD_w~mc
*O\ٓH NoKΰP*Z|ֽ`;/>,1dZ]h?
c?!YR^ܲanjgrF
(gă ܯ-MK{>"*EUAk۾vm?R^o:Yѽ,(.$ |
_
ڹ?nƔF5/DԌGw?5vAjPEkϓ9fV%f8U2q2
1Zy|uڪ>a9}????*f5wL*5
b/.q*X:'I$MgS9Qx6y
Rʰ?
J*A$7鰩Ia-?83%Nn|[[**7F<
({,"2qPXGl*
g5e!#u*.coG\[*#f(sP#IСNRN;K
:IedY*Q&H~??En{вv)X/gĵT-?.,%7isUnitxM2AΈ
-:jB`:??9Ro\*ZmUJ9ԳG04U!qV
*ANi#(|*nD5~c],9L"mv0?-`RtA"3XŹ?kaV|FH*&\i*xR
^Jl?;m(ԋ'j<f9/4
*#~#wfPKjDO*&Xk*
dzx8⯢2ě֥Je
?lQef iM-Y}YN2vR2аlVOGu*<h(PV%*%zG*
~';%fFwjꓛ?Y}
ZĔ6(q
9(GYLV7rcFV69Ѥ1^TY#
j!EiGX1;׆rM/nB*vw$^hDcvd;khr
P qk?>
LЛk%^{Ӊ6ÇBm"W
˫"xw|'DWɓ
s];b)Ghdߣ?3I6`2iF'Q\(3H?}j?? $<*d|Ѩg/?M#Ϯw&M\?Xt&?p{MZ[;'x
&YFv^"Qˊl%w}y$ί{Bϑ
[^k{qUpcRiѱO&:Qs
(z-R*L!,t>mֿ'xkq*Lvd0<}ڌ?y~5m:nB 1(l""^
l?(?忓b(L???ŞD?VDa,m*p;(a
̇2G<FUL
71d7$?g(-7~.0nPv鸖i<kR4ʋ*̕ӪEp ;\0'5;tU
-hQ
Op~
뢲>A㡊inX?Ȗȥw|#$W(Pu
NWpL2 `ȶ~XNbC%3:&`e
l/֙%rZ(E!I??Egsig3HRs{E9_NW?K* qBQ_\EAe8rA|QloS#X.
&!|i J.}φ/{{VY
x?QK??9 ~;*?gW0p:[p2{T
^UFa*Ip0j?HSHo8Xq:`V?d8RD 5q-2)3PTma94I]w˳J즿?
{YxHa?|c`|'`AiqnaR{d
/:c6m(ElƄB1sǘ^cY7^4a8|1 (1?wjdF1$X\T}`
*|sr䓲T(?q;I86#٧&p
------=_NextPart_000_0004_9A71E5F3.39963C16
Content-Type: application/octet-stream;
name="doc.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="doc.zip"
<----- cut here ------>
Note, below here follows the real payload of the worm, so what you see
above is the TEXT area of the mail.
Hope this cleared things up...
Markus
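The pasted message has one trait that is easy to catch without touching the attachment: the text/plain part is declared `Content-Transfer-Encoding: 7bit` with a Windows-1252 charset, yet its body is mostly bytes at or above 0x80, and it sits next to a `doc.zip` attachment. The following is an added example (not a vendor signature and not code from the thread) that parses a message with Python's standard `email` module and flags that combination. `RAW_MESSAGE` is a constructed stand-in: the headers mirror the pasted ones (sender munged as in the post), the text part is a few of the quoted body bytes repeated, and the attachment is filler text rather than anything from the worm.

```python
"""Flag mail whose 7bit text/plain part is binary garbage and which carries
a .zip attachment.  Added example built from the traits visible in the
pasted message; RAW_MESSAGE is a constructed stand-in, not a real capture."""
import base64
import email
from email.message import Message

BOUNDARY = "----=_NextPart_000_0004_9A71E5F3.39963C16"
TEXT_BYTES = bytes.fromhex("c07a3ff790f9dcb5dad2fedb9877f19e") * 8   # constructed
ATTACHMENT_B64 = base64.b64encode(b"filler, not the worm").decode("ascii")

RAW_MESSAGE = (
    "From: xxxxx@xxxxxxxx.com\n"
    "To: m.zingg@nct.ch\n"
    "Subject: Mail Delivery System\n"
    "Date: Thu, 29 Jan 2004 08:27:26 +0100\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed;\n"
    f'\tboundary="{BOUNDARY}"\n'
    "X-Priority: 3\n"
    "X-MSMail-Priority: Normal\n"
    "\n"
    "This is a multi-part message in MIME format.\n"
    f"--{BOUNDARY}\n"
    "Content-Type: text/plain;\n"
    '\tcharset="Windows-1252"\n'
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
).encode("ascii") + TEXT_BYTES + (
    "\n"
    f"--{BOUNDARY}\n"
    "Content-Type: application/octet-stream;\n"
    '\tname="doc.zip"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment;\n"
    '\tfilename="doc.zip"\n'
    "\n"
    f"{ATTACHMENT_B64}\n"
    f"--{BOUNDARY}--\n"
).encode("ascii")


def high_byte_ratio(data: bytes) -> float:
    """Share of bytes >= 0x80; a part declared 7bit should have none at all."""
    return sum(1 for b in data if b >= 0x80) / len(data) if data else 0.0


def inspect_parts(msg: Message) -> dict:
    """Walk the MIME tree and record the three observable traits."""
    flags = {"cte_mismatch": False, "binary_text": False, "zip_attachment": None}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        cte = (part.get("Content-Transfer-Encoding") or "7bit").strip().lower()
        if part.get_content_type() == "text/plain":
            ratio = high_byte_ratio(payload)
            if cte == "7bit" and ratio > 0:
                flags["cte_mismatch"] = True    # 7bit declared, 8-bit bytes present
            if ratio > 0.3:
                flags["binary_text"] = True     # garbage, not a readable notice
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            flags["zip_attachment"] = name
    return flags


def analyze(raw: bytes) -> dict:
    """Parse raw message bytes (not text: the body bytes must survive) and inspect."""
    return inspect_parts(email.message_from_bytes(raw))


def is_match(raw: bytes) -> bool:
    """Require both traits together; either one alone occurs in legitimate mail."""
    flags = analyze(raw)
    return flags["binary_text"] and flags["zip_attachment"] is not None


if __name__ == "__main__":
    print(analyze(RAW_MESSAGE))
    print("match:", is_match(RAW_MESSAGE))
```

The parse must start from bytes (`message_from_bytes`), because decoding the message to text first would replace the very high bytes the check depends on. The 0.3 threshold and the `.zip`-only attachment test are illustrative choices, not values from the thread; a real filter would widen the attachment rule to the other archive and executable names the variants use.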
- Posted by s&w@none.none on January 29th, 2004
On Thu, 29 Jan 2004, "Tim H." <tekphobia@comcast.net> wrote:
What we have here is a failure to communicate, even after repeated clear
attempts by myself and M. Zingg. Perhaps others feel that their knowledge
is so superior that they don't have to listen, only expound. Perhaps
related to why this group was trimmed from the original newsgroups by
somebody. But then you miss out on some curious info.
WE ARE TALKING ABOUT THE MSG BODY. Not the attached worm.
Well, pardon what seems like an angry outburst. The content is real but the
tone is in fun 
But one more time: instead of the msg body saying something like, "The
message contains Unicode characters...", it instead has ~2k of seeming
nonsensical characters. This, together with the fact that mine came in
pairs, makes me think it is a slipup in the coding.
- Posted by Markus Zingg on January 29th, 2004
From looking at the headers, all cases where it arrived here in
pairs so far went back to the fact that the worm was sent to the
backup MX and the master MX entry of our domain. I figure that's the
reason but of course could be wrong. I otherwise agree though that it
COULD be binary information from either the worm code itself or from
anywhere else in the process space of the infected machine. Again, my
limited knowledge of Asian languages doesn't allow me to judge whether it
might be some real text or if it's really just garbage. I also would
be highly interested to know if there are repeated and ending patterns
used or (worst case) if it's really just random data.
Markus
- Posted by s&w@none.none on January 29th, 2004
On Thu, 29 Jan 2004, Markus Zingg <m.zingg@nct.ch> wrote:
Well, now that I look more closely, most or all have arrived in pairs. The
receiving MX, though, is the same for each member of the pair. I've seen
discussion somewhere about the worm guessing the prefix for the MX name
(e.g., mail.xyz.net), but in my case the prefix is very uncommon, so it must
be doing real lookups for MX records.
also, fwiw, here are pastings of my two (just simply copied from the mail
viewer). When I created a file and ran a disassembler on it, nothing real
turned up - which would be the case, not knowing the offset.
case 1
z?ܵۘwhgi*
ɨ
zB6`nLo'Ɗ6ffg$T%0fρ!3ۓ Dh
,ki1"\\5_ë3y*Bi2&rnN|b (Jjd*hj}vн[HWx
,$Bц;$I/[_f#]]xAW
&DC͜gV'_$8̶dӆ^a6-̋s!%QQNrL
?׃/,5yffC52H*)j5h؋ڍjɟCOn*낲 đEE9
FEh_˞CYpSGuSH
K.ZfG{wcPb{wb^'Inܡ*Ve?A
XZB?eԓ`[Wнoҵ]BoJ1wQSn;3*H*u]-
CGL!/s>Gb.{"4aޏքe3VV>^G(HQV .GBU
(f5^{
&7
Ew.
z*b84.ggQ䆎p(gT5[u%ȉqCP3>
G,zC?:Z-So{'l:"LU
'5Es<ͺe(6~$w;|o`I,&n*[2z{o[J?!;
[b;~ދrbn
|n)'\
5ܵcBU'Y;sށS5CZy?dK9c "~U읾_3|e_%"Tq
7ޚjI6ef6~*҃La6-ĮaEt~M7PWũ
fn k5{>]ه~&׳E4lSWS\*n"8r~]^bIh
o!ġVc2s<_Ow
*ur)fCAE]bm:%!7sU1T$}3N!Ǘ[kɝz[AwI*-Ov
*i
"I?x'dX#I;IZ<r;~0tV56iwk!S04b& HÈ2
t\MO;`>\)KFJɩ̾APS]m2
FU6xh4g0ec1t
MRHj( E6*|q\^ԍar|:nB21^Ԑ\?,kHP E]-JY
ɃMцl|[lrY2.l1h_A
XN|Nvkb'p
eC2;5fþ_bT˥azh&~r(/x6k4VI4ofϙNгxJ#ƽ|f95
J>Y|[&M~eCxU_)F/>Gf?Bۅ)*1Y*iRgfOO*[<{%
k`2P7UJ0vQVtjFHL9ys)*
1
ZcWJ҈Ws/Yf*vLюB
OS,̨3Dz\QXʋNۍr!(ڣC$?!h&m DLLƋy5o1
0d4ۣWxav}/YK8)W_ݿ_k7*)PX\T
5v狿}
u`.mtXUXɏwSEq/K7'Cpas|Fo˩/-^$yf9qdD;
W
7vzI^љ*3JK"
Ј/jj[c2/Ծu2)ddKH'6߉$
5;^TyxYKZY<-(F(MŎ
N/jV_G,awhE|nhe
wj&M&}'(#/j)͢EsݮYX*9NĄpb[1я/>n4tqpiKz;kr
CLAORh*c,.
šXV)QYe
͎2TQ\]/kM"Ir'EPùte4[n5K 3gT> P
===================
case 2
-z`*$݉iĐ'}h*C_!J<36*/ )8-9t
س%}\kܡvl(Nl
ir'&YxW]*vbpm
_ĤŚGV`
BQ!B094bFOYy!|O{Jс;KJhUMQ>M6 `F̯?QiM1~M?)/
ldȝ\-/h#O^W[I3|wѲ>^gs-VAXy]cGppDUNe$\i;
O
[N .s|r82pyDdR8>>5gp#ڏԏ*̰{EL
^8z%m0kd}XL夝]QQ<d{8<|QG?ĥv7/j
\7jRCj1y)Wj
~z֍#XB8ۉԸTXҮ*0[z7kVĢ]dp^l]
`Vwn35C1ᑣdZ4Y?*x:d˥̶
ߓ]\F*_ǘ(HZāduh>Sw`M^qԷML
ReF;h)\J*ࣔERq!`w{
9bŹ,
JO<R3C$%#kJu7;;}C)Q/nU8h0gz"ƈ3]7xLVm:%v
ȓGHzO&WL3f2lh:y*{T^0,3`neǵ gěS&1X
/{"wTR\l_pG&ڂ}cBjUk>9OzW
lW}3R|`"**<
Y)r&\GQq[:h1ʾÝr#|#rϸMj3ᩥcyB2<Jn*SQi; ~J!
f{(E7*,-^.DŽ,ov.Jh!pۓmX?A,om*o$_Ղv$|%609
u
BUtM6
z:¬7G
^Hq}_cN*BH_,H^4y>ۉCZMa-3ƣ;(>XGqTՒDEs
q,1
<v5Ё*֖ͫݑ_iJɬ
{~F\u:^vNEv3&`
|JK9!R1Du$ݮ
- Posted by s&w@none.none on January 29th, 2004
So sorry, the M2N mangled it, as seen below.
On 29 Jan 2004, s&w@none.none wrote: