Does this site look plain?

This site uses advanced css techniques

[Reverse Engineering Malware logo]

This is the area for research on the "Iraq Oil" worm being directed by myNetWatchman, and it's where I'm parking the things I find. Collaborators are Lawrence Baldwin, Philip Sloss, and Steve Friedl me.

We believe that Lawrence's advisory was the first public announcement of the details of this worm, and it shows the benefits of distributed intelligence-gathering such as provided by myNetWatchman.

More detailed analysis of the packet behavior and distribution of this worm can be found in the my NetWatchman Research Alert, and it was first released publicly in the DSL Reports Security Forum.

There are a few "holes" in the C++ code when I simply ran out of available time to reverse engineer this worm. It's unlikely that I'll pick up on it much beyond what's here now. This page first went up Sunday night, 15 Dec 2002

An important note on the pseudocode in iraqworm.cpp: only the standard library functions have standard names, the rest are all made up by S. Friedl. And the code is not designed to compile or *exactly* match the actual code - it's meant to mainly convey the purpose without getting bogged down in details. We're using C++ just for some of the "better C" features.

I'll release my IDA Pro .idb file of the binary once I get my work mostly finished.


Rough program flow

The details can be found in the disassembly, but this is the broad flow of the program:

Other resources


[Hacked with IDA Pro]