This is the annotated code link: http://www.eeye.com/html/Research/Flash/sapphire.txt

Rainer

> -----Original Message-----
> From: Devin Kowatch [mailto:devinkat_private]
> Sent: Thursday, January 30, 2003 8:08 PM
> To: Darin.MARAISat_private
> Cc: loganalysisat_private
> Subject: Re: [logs] sql-worm and the address generator
>
>
> On Thu, Jan 30, 2003 at 10:33:47AM +0100, Darin.MARAISat_private wrote:
> > dear list,
> >
> > I would like to find out a little more about how the "pseudo random ip
> > address engine" works in this worm. The worm is spread by using a
> > pseudo random IP address, correct.
> >
> > my interest is as follows:
> >
> > If a machine does for some reason become infected with the latest
> > ms-sql attack then will the infected machine's engine have the
> > intelligence to only generate addresses for the local network or will it
> > try to talk back out to the internet.
> [ ... ]
> No, the worm will attempt to talk to the internet. The
> addresses it generates, as far as I can tell, are in the form
> z*x + b, where x is the return of GetTickCount(), z is some
> large constant multiple (I stopped doing the math at 321*256),
> and b is a constant made from xor'ing a constant against
> whatever was in that register before the spreading loop
> (it doesn't change in the loop). It goes without saying that this
> calculation is performed mod 2^32.
>
> sorry, I don't have a link for the annotated code off the top
> of my head.
>
>
> --
> Devin Kowatch
> devinkat_private
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
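To make the z*x + b (mod 2^32) description above concrete from the defender's side, here is an added model (not code from the thread, and not the worm's own code) that iterates that recurrence as an ordinary 32-bit linear congruential generator seeded with a tick-count value and reports where the resulting probe addresses land; the multiplier, increment, seed and local network are constructed stand-ins, not values from the post.

```python
"""Model of the 32-bit z*x + b address generator discussed in the thread.

Assumption (not stated in the post): the recurrence x <- z*x + b (mod 2^32)
is stepped once per probe, i.e. it behaves as a linear congruential
generator seeded with the GetTickCount() value.  Z and B are textbook LCG
constants used as constructed stand-ins, NOT the worm's real constants.
"""
from ipaddress import IPv4Address, IPv4Network

MOD = 1 << 32
Z = 1103515245   # constructed multiplier (stand-in for the worm's z)
B = 12345        # constructed increment (stand-in for the worm's b)


def next_state(x: int, z: int = Z, b: int = B) -> int:
    """One step of the recurrence, truncated to 32 bits like the register."""
    return (z * x + b) % MOD


def generate_targets(seed: int, count: int, z: int = Z, b: int = B) -> list:
    """Return `count` successive states, each read as an IPv4 address."""
    out, x = [], seed % MOD
    for _ in range(count):
        x = next_state(x, z, b)
        out.append(IPv4Address(x))
    return out


def spread_report(addrs: list, local_net: str) -> dict:
    """Summarise the probe destinations: how many distinct /8s are touched
    and what fraction stays inside the given local network.  This answers
    the thread's question: the generator is not confined to the local net."""
    net = IPv4Network(local_net)
    first_octets = {int(a) >> 24 for a in addrs}
    local = sum(1 for a in addrs if a in net)
    return {
        "probes": len(addrs),
        "distinct_first_octets": len(first_octets),
        "local_fraction": local / len(addrs) if addrs else 0.0,
    }


if __name__ == "__main__":
    tick = 123456789  # constructed stand-in for a GetTickCount() return value
    targets = generate_targets(tick, 1000)
    print([str(a) for a in targets[:5]])
    print(spread_report(targets, "192.168.1.0/24"))
```

Because the sequence is fully determined by the tick-count seed and two constants, two hosts infected at the same uptime would emit the same probe order; the report's near-zero local fraction is why egress traffic, not just local traffic, is where such an infection shows up.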
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 14:15:36 PST