| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Jan 24 22:51:04 2006 From: ad at heapoverflow.com (ad@...poverflow.com) Subject: Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 and if the worm doesnt use any vulnerability, how come it has been so widely spreaded ? Exibar wrote: > the payload gets executed at the time that it schedule's itself to > launch, yes. 59 minutes after the hour. > > two payloads if you think about it: first payload creates the AT > job to launch secondary harmful payload > > Exibar > > > ----- Original Message ----- From: <mjcarter@...g.co.nz> To: > "Exibar" <exibar@...lair.com>; "Dude VanWinkle" > <dudevanwinkle@...il.com>; "Gadi Evron" <ge@...uxbox.org> Cc: > <funsec@...uxbox.org>; <full-disclosure@...ts.grok.org.uk>; > <bugtraq@...urityfocus.com> Sent: Tuesday, January 24, 2006 5:27 PM > Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm > DDay February3rd (Snort signatures included) > > >> Does the payload get executed once it has been copied to the >> network share? >> >> Mike >> >>> this one also spreads via network shares, then creates an AT >>> job that will run itself on the 59th minute of every hour to >>> further propigate. >>> >>> very worm like if you ask me. >>> >>> exibar >>> >>> >>> ----- Original Message ----- From: "Dude VanWinkle" >>> <dudevanwinkle@...il.com> To: "Gadi Evron" <ge@...uxbox.org> >>> Cc: <funsec@...uxbox.org>; <full-disclosure@...ts.grok.org.uk>; >>> <bugtraq@...urityfocus.com> Sent: Tuesday, January 24, 2006 >>> 1:52 PM Subject: Re: [Full-disclosure] Urgent Alert: Possible >>> BlackWorm DDay February3rd (Snort signatures included) >>> >>> >>> On 1/24/06, Gadi Evron <ge@...uxbox.org> wrote: >>> >>>> now known as the TISF BlackWorm task force. >>> Why do you call a .scr you have to manually install a "worm"? >>> Why not "BlackVirus" >>> >>> the worm moniker is very misleading (actually got me worried >>> for a sec). The "email worm" is also misleading, because it >>> only propagates through port 25, but that is not the point of >>> entry. The point of entry is the user running a visual basic >>> script _willingly_. >>> >>> Just so I know, what would you guys classify a real worm >>> (blaster, slammer, nimda, etc) as? Or would you just call it an >>> "internet worm" instead of an "email worm" and leave it at >>> that? >>> >>> thanks for the mis-info, >>> >>> -JP "still love ja tho" -JP >>> _______________________________________________ Full-Disclosure >>> - We believe in it. Charter: >>> http://lists.grok.org.uk/full-disclosure-charter.html Hosted >>> and sponsored by Secunia - http://secunia.com/ >>> >>> >>> _______________________________________________ Full-Disclosure >>> - We believe in it. Charter: >>> http://lists.grok.org.uk/full-disclosure-charter.html Hosted >>> and sponsored by Secunia - http://secunia.com/ >>> >> > > _______________________________________________ Full-Disclosure - > We believe in it. Charter: > http://lists.grok.org.uk/full-disclosure-charter.html Hosted and > sponsored by Secunia - http://secunia.com/ > > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iQIVAwUBQ9au3q+LRXunxpxfAQIIuxAA5pzvjP4Kox7i20tHG7a07O1z4y8boTrw ugxHLnfwkBY6K/EIGmQkKr0fETml1gzhBhQOF+NqVqMNRPL1c9yo2EOYcZYu1TTr mqieASW2+CHnaYyBPlHnXWS1GzJpthRkZbHqszCqCl5fXuiQVLFpf/AcFWRTWQg9 IMuc1eIMtZmqYFxeTmcFVgkICoBlJdcgNa6IbxdfiWZM/VaWjUZyJPjOPR4ky8Tr CiARGRHHPS89ooNK2R8y1enQH1Avuji0TVhayeYs89Xb3hh6uUQIAtkiMRtGxA+x 5XWq5jqGbUTBOYQl7L43hp78UIfpQ9kwXtb49w+MMqoywhxn69KnnprK2R/rSFJa mJHuQDqoiasj/V/LWxNyrgH7pINQ63k7GVRFktbniL8KXc0eeDUCYEds2UvZNEhT D9B834VaQtn7iex/GiphSZmLmC2YTCDEGqZcRBOxZJxxyBZKD2Z9Awjl3571MveV tkrVqYodlazuyfgbI+h8eRJcRp3YJouNFM3e2uPYT4pAkoxgQP5YJsdfqu5hRuXX CgXGO737Ffb+DfDt4H7J/KNXmqp+BDGDYhBsqxh3laEs3fOGeq07GByyG6f2ty0b vj8TOnDbr1T5jMVPIl+spStLAKIp6AXLOFYkl7maD53AP7QzOHd/KzcTARjA7XK6 Mt72tMNe9YI= =OdGJ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists