Message-ID: <00c301c62136$346a7360$1214dd80@corp.emc.com>
Date: Tue, 24 Jan 2006 17:33:28 -0500
From: "Exibar" <exibar@...lair.com>
To: <mjcarter@...g.co.nz>, "Dude VanWinkle" <dudevanwinkle@...il.com>,
	"Gadi Evron" <ge@...uxbox.org>
Cc: funsec@...uxbox.org, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com
Subject: Re: Urgent Alert: Possible BlackWorm DDay
	February3rd (Snort signatures included)


the payload gets executed at the time that it schedules itself to launch,
yes.  59 minutes after the hour.

 two payloads if you think about it:
   first payload creates the AT job to launch secondary harmful payload

Exibar


----- Original Message ----- 
From: <mjcarter@...g.co.nz>
To: "Exibar" <exibar@...lair.com>; "Dude VanWinkle"
<dudevanwinkle@...il.com>; "Gadi Evron" <ge@...uxbox.org>
Cc: <funsec@...uxbox.org>; <full-disclosure@...ts.grok.org.uk>;
<bugtraq@...urityfocus.com>
Sent: Tuesday, January 24, 2006 5:27 PM
Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay
February3rd (Snort signatures included)


> Does the payload get executed once it has been copied to the
> network share?
>
> Mike
>
> > this one also spreads via network shares, then creates an
> > AT job that will run itself on the 59th minute of every
> > hour to further propagate.
> >
> >   very worm like if you ask me.
> >
> >   exibar
> >
> >
> > ----- Original Message -----
> > From: "Dude VanWinkle" <dudevanwinkle@...il.com>
> > To: "Gadi Evron" <ge@...uxbox.org>
> > Cc: <funsec@...uxbox.org>;
> > <full-disclosure@...ts.grok.org.uk>;
> > <bugtraq@...urityfocus.com>
> > Sent: Tuesday, January 24, 2006 1:52 PM
> > Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay
> > February3rd (Snort signatures included)
> >
> >
> > On 1/24/06, Gadi Evron <ge@...uxbox.org> wrote:
> >
> > > now known as the TISF BlackWorm task force.
> >
> > Why do you call a .scr you have to manually install a
> > "worm"? Why not "BlackVirus"
> >
> > the worm moniker is very misleading (actually got me
> > worried for a sec). The "email worm" is also misleading,
> > because it only propagates through port 25, but that is
> > not the point of entry. The point of entry is the user
> > running a visual basic script _willingly_.
> >
> > Just so I know, what would you guys classify a real worm
> > (blaster, slammer, nimda, etc) as? Or would you just call
> > it an "internet worm" instead of an "email worm" and leave
> > it at that?
> >
> > thanks for the mis-info,
> >
> > -JP
> > "still love ja tho"
> > -JP
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
>
>
