Determining Version

From: Ryan Russell (ryanat_private)
Date: Wed Aug 01 2001 - 11:49:11 PDT

    I've had someone request that I post to the list how I'm determining that
    I'm seeing CRv2, and not some other variant.
    
    First off, I'm just grabbing copies with netcat:
    
    nc -l -p 80 > gotcha
    
    Every time BlackICE Defender goes off with the "Suspicious URL", I ctrl-C
    the Netcat, rename gotcha to gotcha#, and then restart the netcat program
    above.
    
    Then, I do an fc:
    
    C:\codered>fc /b gotcha6 gotcha7
    Comparing files gotcha6 and gotcha7
    00000CDC: 3B 4B
    00000CDD: E0 00
    00000CDE: 41 42
    00000CE0: 00 56
    00000CE1: 01 34
    00000CE2: 00 12
    00000CE3: 00 B8
    00000D04: 9A FA
    00000D05: 18 41
    00000D06: 47 B0
    
    CD4-CEC is marked as "Padding Bytes", and D02-D07 is marked as "self
    modifying code".  See eEye disassembly of CRv1.  As long as the version
    you get doesn't vary outside of those byte ranges, it should be CRv2.
    
    					Ryan
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
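The byte-range check described in the message above, written out as an added example (this is not code from the original post, nor from the eEye disassembly it cites). It does what the `fc /b` step does by hand: compare two netcat captures byte for byte and accept them as the same variant only when every differing offset falls inside the two ranges the post says may vary, 0xCD4-0xCEC (padding bytes) and 0xD02-0xD07 (self-modifying code). The function names, the `compare_files` wrapper and the `GOTCHA6`/`GOTCHA7`/`OTHER` sample buffers are all assumptions of this example; the sample buffers are constructed filler whose differing bytes are set to reproduce the `fc` output quoted in the post, they are not real worm bodies.

```python
"""Automate the fc /b check from the post above.

Added example, not code from the original message. Two netcat captures
are compared byte for byte and accepted as the same variant only when
every differing offset lies inside the ranges the post says may vary:
0xCD4-0xCEC ("Padding Bytes") and 0xD02-0xD07 ("self modifying code"),
as labelled in the eEye CRv1 disassembly the post cites. Offsets are
file offsets into the capture, the same numbers fc /b prints. The
sample buffers at the bottom are constructed, not real captures.
"""
import sys
from pathlib import Path

# Inclusive byte ranges from the post that are allowed to differ.
ALLOWED_RANGES = (
    (0xCD4, 0xCEC),  # padding bytes
    (0xD02, 0xD07),  # self-modifying code
)


def byte_diffs(a, b):
    """Return (offset, byte_a, byte_b) for each differing position.

    A length mismatch counts as a difference too: the tail of the longer
    capture is reported with None for the missing side.
    """
    diffs = []
    for off in range(max(len(a), len(b))):
        ba = a[off] if off < len(a) else None
        bb = b[off] if off < len(b) else None
        if ba != bb:
            diffs.append((off, ba, bb))
    return diffs


def _hx(v):
    return "--" if v is None else f"{v:02X}"


def fc_report(a, b):
    """Render the differences in the 'OFFSET: XX YY' form fc /b prints."""
    return [f"{off:08X}: {_hx(ba)} {_hx(bb)}" for off, ba, bb in byte_diffs(a, b)]


def in_allowed_range(off, ranges=ALLOWED_RANGES):
    return any(lo <= off <= hi for lo, hi in ranges)


def same_variant(a, b, ranges=ALLOWED_RANGES):
    """Return (ok, offending_offsets).

    ok is True only when both captures have the same length and every
    differing byte sits inside an allowed range. Bytes that differ outside
    those ranges, or exist in only one capture, are listed in offending_offsets.
    """
    offending = [
        off
        for off, ba, bb in byte_diffs(a, b)
        if ba is None or bb is None or not in_allowed_range(off, ranges)
    ]
    return (not offending, offending)


def compare_files(path_a, path_b):
    """Compare two capture files on disk (e.g. gotcha6 and gotcha7)."""
    return same_variant(Path(path_a).read_bytes(), Path(path_b).read_bytes())


# --- constructed sample captures (hypothetical, not real worm bodies) --------
# A 0xD10-byte filler buffer stands in for a captured request; the bytes below
# are then set so the two copies reproduce the fc output quoted in the post.
_BASE = bytes((i * 7) & 0xFF for i in range(0xD10))
_POST_FC = {  # offset: (gotcha6 byte, gotcha7 byte), copied from the post
    0xCDC: (0x3B, 0x4B), 0xCDD: (0xE0, 0x00), 0xCDE: (0x41, 0x42),
    0xCE0: (0x00, 0x56), 0xCE1: (0x01, 0x34), 0xCE2: (0x00, 0x12),
    0xCE3: (0x00, 0xB8), 0xD04: (0x9A, 0xFA), 0xD05: (0x18, 0x41),
    0xD06: (0x47, 0xB0),
}
_g6, _g7 = bytearray(_BASE), bytearray(_BASE)
for _off, (_v6, _v7) in _POST_FC.items():
    _g6[_off], _g7[_off] = _v6, _v7
GOTCHA6, GOTCHA7 = bytes(_g6), bytes(_g7)

# A third capture that also changes a byte in the exploit body proper, which
# the check must reject even though the in-range bytes look like CRv2 noise.
_other = bytearray(GOTCHA7)
_other[0x100] ^= 0xFF
OTHER = bytes(_other)


def main(argv):
    if len(argv) == 3:
        ok, bad = compare_files(argv[1], argv[2])
    else:
        for line in fc_report(GOTCHA6, GOTCHA7):
            print(line)
        ok, bad = same_variant(GOTCHA6, GOTCHA7)
    print("same variant" if ok else f"differs outside allowed ranges at {[hex(o) for o in bad]}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python check_variant.py gotcha6 gotcha7` to test two real captures; with no arguments it prints the constructed pair's `fc`-style report and verdict. A length mismatch is deliberately treated as a difference outside the allowed ranges, since a longer or shorter request body is a code change rather than padding.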
    
    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 12:17:35 PDT