Showing posts from December, 2006

Malware With a Twist

For the last couple of days I've been playing with a sample of "Big Yellow", a worm that exploits a vulnerability in Symantec Antivirus to spread (yes, SAV actually listens on a network port--2967--to receive commands from some sort of central server. I was horrified too). I got interested in it after a warning was posted on the Internet Storm Center. Since the warning helpfully included the MD5 of the executable (f538d2c73c7bc7ad084deb8429bd41ef), I just went over to Offensive Computing and grabbed a copy for myself. Feel free to do the same in the discussion that follows, but be safe--don't do analysis on a machine connected to a network, and take some steps like renaming the executable to something that won't run when you double-click it.

To start with, a lot of basic tools barf when run against the file. Dumpbin and pedump both crash, and OllyDBG complains that the file is not a valid 32-bit executable (though it goes ahead and runs it). On the UNIX side, objd
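When off-the-shelf PE tools crash on a sample like this, a first look that never trusts a header offset is safer than loading the file into a debugger. The following is an added example, not code from the original post: it hashes the file (so the result can be compared against the MD5 quoted above) and walks the DOS, COFF and optional headers with explicit bounds checks, reporting findings instead of crashing. The `build_sample` helper and its images are constructed for demonstration only.

```python
import hashlib
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def md5_hex(data: bytes) -> str:
    """MD5 of the raw bytes, for matching against a published sample hash."""
    return hashlib.md5(data).hexdigest()


def check_pe_headers(data: bytes) -> list:
    """Return a list of findings; an empty list means the headers look sane."""
    findings = []
    if len(data) < 64 or data[:2] != IMAGE_DOS_SIGNATURE:
        return ["no MZ header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The PE signature (4 bytes) and COFF header (20 bytes) must fit in the file.
    if e_lfanew + 4 + 20 > len(data):
        return [f"e_lfanew 0x{e_lfanew:x} points past end of file"]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return [f"no PE signature at e_lfanew 0x{e_lfanew:x}"]
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if nsections == 0 or nsections > 96:
        findings.append(f"suspicious NumberOfSections {nsections}")
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        findings.append(f"optional header size {opt_size} does not fit in file")
        return findings
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        findings.append(f"unknown optional header magic 0x{magic:x}")
    # Each IMAGE_SECTION_HEADER is 40 bytes and follows the optional header.
    if opt_off + opt_size + nsections * 40 > len(data):
        findings.append("section table runs past end of file")
    return findings


def build_sample(e_lfanew=0x40, nsections=1, opt_size=224, magic=0x10B) -> bytes:
    """Constructed minimal PE image for demonstration; not a real executable."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", magic) + b"\x00" * (opt_size - 2)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + opt + b"\x00" * (40 * nsections)
```

Run `check_pe_headers(open(path, "rb").read())` on the renamed sample; a non-empty list tells you which header field is likely tripping the tools that crash on it.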