On Thu, Jan 30, 2003 at 10:33:47AM +0100, Darin.MARAISat_private wrote:
> Dear list,
>
> I would like to find out a little more about how the "pseudo random ip
> address engine" works in this worm. The worm is spread by using a pseudo
> random IP address, correct?
>
> My interest is as follows:
>
> If a machine does for some reason become infected with the latest ms-sql
> attack then will the infected machine's engine have the intelligence to only
> generate addresses for the local network or will it try to talk back out to
> the internet?
[ ... ]

No, the worm will attempt to talk to the internet. The addresses it
generates, as far as I can tell, are in the form z*x + b, where x is the
return of GetTickCount(), z is some large constant multiple (I stopped doing
the math at 321*256), and b is a constant made from xor'ing a constant
against whatever was in that register before the spreading loop (it doesn't
change in the loop). It goes without saying that this calculation is
performed mod 2^32.

Sorry, I don't have a link for the annotated code off the top of my head.

--
Devin Kowatch
devinkat_private
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
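The form described in the reply above can be checked numerically; the following is an added example, not part of the original message or of the worm's annotated code. The constants Z and B are constructed placeholders (the message gives neither value in full), the tick values are constructed, and reading the 32-bit result as a dotted quad in network order is an assumption. It shows how few destinations of the form z*x + b mod 2^32 fall inside one local prefix.

```python
import ipaddress

MOD = 2 ** 32
# Constructed placeholders: the message gives neither constant in full.
Z = 0x9E3779B1   # stands in for the "large constant multiple" z
B = 0x12345678   # stands in for the loop-invariant constant b


def address_for(tick, z=Z, b=B):
    """Address of the form z*x + b (mod 2^32), x being a tick count.

    Assumption: the 32-bit value is read as a dotted quad in network order.
    """
    return ipaddress.IPv4Address((z * tick + b) % MOD)


def destination_summary(ticks, local_net, z=Z, b=B):
    """Count generated addresses inside and outside local_net."""
    net = ipaddress.ip_network(local_net)
    addrs = [address_for(t, z, b) for t in ticks]
    inside = sum(1 for a in addrs if a in net)
    first_octets = {int(a) >> 24 for a in addrs}
    return {
        "total": len(addrs),
        "inside_local": inside,
        "outside_local": len(addrs) - inside,
        "distinct_first_octets": len(first_octets),
        # Share a uniform spread over the 32-bit space would put in local_net.
        "expected_inside": len(addrs) * net.num_addresses / MOD,
    }


if __name__ == "__main__":
    # Constructed input: 100,000 consecutive tick values (milliseconds).
    ticks = range(5_000_000, 5_100_000)
    for key, value in destination_summary(ticks, "10.0.0.0/8").items():
        print(f"{key}: {value}")
```

For log analysis this means an infected host shows up as one source sending to destinations across every first octet, with only a fraction of a percent inside its own network.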
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 11:48:29 PST