Open Source and information security mailing list archives
 
From: security at 303underground.com (Scott Taylor)
Subject: new worm - "warm-pussy.jpg".

On Thu, 2003-11-13 at 02:08, Gadi Evron wrote:
> segfault wrote:
> 
> > You idiot.  Just because a file is called warm-pussy.jpg, doesn't mean that
> > the webserver it resides on isn't going to parse its actual content (which
> > is probably plaintext).  Look again, I'm sure you'll be surprised.
> > 
> 
> HTML _is_ plain-text.
> Just because the server sends it as plain text doesn't mean the browser 
> won't execute it.
> 
> It does.
> 
> This *is* a Trojan horse.
> 
> Do you have anything real to contribute or are you just going to call a 
> guy that raised the alarm of a _possible_ new dangerous Trojan horse names?

What I'm more curious about is which of the servers that passed on the
message from segfault added this line:

X-Virus-Scanned: Symantec AntiVirus Scan Engine

Because, once the message got handed off to my server, which contains a
functioning virus scanner, the message was identified and quarantined.
Actually, I'm quite glad to have been emailed a virus, since most of my
friends do keep their systems clean, so it's always good to know that
the scanner is even alive (aside from the regular emails where it tells
me it updated itself).

So, for anyone curious as to a name to give to that ".jpg" file:

[This warning message is *not* being sent to the apparent originator
of the original message.  This address appears to be that of a
mailing list or other automated email system.]

The virus was reported to be: 

 JS/Petch.A.dropper


--
Scott Taylor - <security@...underground.com> 

vuja de:
	The feeling that you've *never*, *ever* been in this situation before.

