Message-ID: <43032C28.15834.AFA29789@localhost>
Date: Wed Aug 17 01:23:14 2005
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Re: pnp worm unknown variant - post infection actions

Jason Coombs wrote:

> Not that this hasn't already been happening as a result of porn-related
> spyware and adware, but is this the first porn worm?

I've not seen it, so this is based on Morning Wood's description...

It is not a "porn worm". It is a worm with a download and execute
payload of a (probably) fixed ("hard-coded") URL.

The code at that URL _CURRENTLY_ is another piece of malware that
lowers what are laughingly known as IE's security settings then causes
IE to visit a web site with active content designed to install some
adware/spyware/whatever (again, not analysed by me). That install will
occur silently (I presume) due to the removal of the security settings
that would otherwise prevent, or at least alert, the user to the
action.

_THAT_ software (adware/spyware/whatever) may do whatever, but that is
incidental to the actions of the worm, as the worm can continue
completely "as is" regardless of what code is at the URL used in the
intermediate, download and execute, step.

Oh, and it's far from the first "wormy bot" (or similar) to further
compromise the victim machine by installing adware, spyware, warez
server, etc, etc.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092