Re: [logs] sql-worm and the address generator

From: Devin Kowatch (devinkat_private)
Date: Thu Jan 30 2003 - 11:07:33 PST

    On Thu, Jan 30, 2003 at 10:33:47AM +0100, Darin.MARAISat_private wrote:
    > dear list,
    > I would like to find out a little more about how the "pseudo random ip
    > address engine" works in this worm. The worm is spread by using a pseudo
    > random IP address, correct?
    > my interest is as follows:
    > If a machine does for some reason become infected with the latest ms-sql
    > attack then will the infected machine's engine have the intelligence to only
    > generate addresses for the local network or will it try to talk back out to
    > the internet?
    [ ... ]
    No, the worm will attempt to talk to the internet.  The addresses it
    generates, as far as I can tell, are in the form z*x + b, where x is the
    return of GetTickCount(), z is some large constant multiple (I stopped
    doing the math at 321*256), and b is a constant made from xor'ing a
    constant against whatever was in that register before the spreading loop
    (it doesn't change in the loop).  It goes without saying that this
    calculation is performed mod 2^32.
    Sorry, I don't have a link for the annotated code off the top of my head.
    Devin Kowatch
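The following is an added example written for this archive page; it is not code from Devin's post and not the worm's own code. It models the generator exactly as the post describes it, addr = (z*x + b) mod 2^32 with x taken from GetTickCount(), and drives it with a run of tick values to answer the original question: do the targets stay on the local network? The constants Z, B and SEED_TICK are placeholders chosen here (the post only says z is a large multiple and that the factoring stopped at 321*256), the byte order used to turn the 32-bit word into an IPv4 address is an assumption, and the tick counter is advanced by 1 ms per call, which ignores that a tight loop would see the same tick many times. The last function checks a purely arithmetic consequence of z being a multiple of 256: z*x is then 0 mod 256 for every x, so the low byte of every output is the low byte of b.

```python
import ipaddress

MOD = 2 ** 32

# Placeholder constants for this example. The post only says z is a large
# constant multiple (factoring stopped at 321*256) and b is a constant made
# by xor'ing against a register, so these are NOT the worm's actual values.
Z = 321 * 256
B = 0x5A3C9E17
SEED_TICK = 123456  # a pretend GetTickCount() return value, in milliseconds


def next_address(x, z=Z, b=B):
    """The form given in the post: (z*x + b) mod 2^32, with x = GetTickCount()."""
    return (z * x + b) % MOD


def to_ip(word):
    """Treat the 32-bit result as an IPv4 address in big-endian integer form.
    Byte order is an assumption: the post does not say how the register value
    is copied into the socket address structure."""
    return ipaddress.IPv4Address(word)


def addresses_over_ticks(start_tick, count, z=Z, b=B):
    """Addresses produced as the tick counter advances by 1 ms per call.
    Simplification: a real tight loop would read the same tick many times."""
    return [next_address(start_tick + i, z, b) for i in range(count)]


def distinct_first_octets(words):
    """How many /8 blocks the generated addresses fall into."""
    return len({w >> 24 for w in words})


def fraction_in_network(words, cidr):
    """Share of generated addresses that land inside a given prefix,
    e.g. a site's RFC 1918 range."""
    net = ipaddress.ip_network(cidr)
    return sum(1 for w in words if to_ip(w) in net) / len(words)


def low_byte_is_constant(z, b, sample_xs):
    """If z is a multiple of 256, z*x == 0 (mod 256) for every x, so the low
    byte of every output equals the low byte of b regardless of the tick."""
    return all((next_address(x, z, b) & 0xFF) == (b & 0xFF) for x in sample_xs)


if __name__ == "__main__":
    words = addresses_over_ticks(SEED_TICK, 100_000)
    print("first address:", to_ip(words[0]))
    print("distinct /8 blocks hit:", distinct_first_octets(words))
    print("fraction inside 192.168.0.0/16:",
          fraction_in_network(words, "192.168.0.0/16"))
    print("low byte fixed for z = 321*256:",
          low_byte_is_constant(Z, B, range(1000)))
    print("low byte fixed for an odd z:",
          low_byte_is_constant(Z + 1, B, range(1000)))
```

Because the step between consecutive ticks is z mod 2^32 and the sequence wraps around the full 32-bit range, the outputs walk through every /8 block and only a negligible fraction ever land in any one site's prefix, which is the behaviour Devin describes: nothing in the formula knows or cares about the local network. The low-byte check shows why the exact value of z matters when analysing such a generator; it holds for the placeholder multiplier used here, not necessarily for the real constant.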
