
Re: [Full-Disclosure] Undetectable Virus from CANADA ISP 69.197.83.68



Well, it's the good old trick: <string>.<good known extension>[ insert numerous spaces here ].<nasty executable extension>

This relies on MS IExplore or Outlook to not show more than X characters of the file name, but as your screenshots show, it's detected as a screen saver, meaning it has a .scr extension, which happens to be executable as well.

$ file details/details.txt\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ .scr
MS-DOS executable (EXE), OS/2 or MS Windows


Does that trick Hotmail / McAfee every time?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
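
The padded-filename pattern described in the message above can be checked on the filtering side before an attachment reaches a mail client. The following is an added example, not part of the original post: the extension list, the padding threshold and the function names are assumptions, and the sample name is constructed to mirror the one in the post.

```python
import re

# Assumed (not from the post): extensions Windows runs directly.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "lnk", "cpl"}
# Assumed threshold: a run of this many whitespace characters counts as padding.
MIN_PADDING = 5

_PADDING = re.compile(r"\s{%d,}" % MIN_PADDING)
# A short "extension", then whitespace, then the final dot-suffix of the name.
_DECOY = re.compile(r"\.([A-Za-z0-9]{1,5})\s+\.[^.]*$")

# Constructed sample: same shape as the file name shown in the post.
PADDED = "details.txt" + " " * 150 + ".scr"


def real_extension(name):
    """Extension the OS acts on: text after the last dot, once trailing
    dots and spaces (which Windows drops) are removed."""
    trimmed = name.rstrip(" .")
    _, dot, ext = trimmed.rpartition(".")
    return ext.strip().lower() if dot else ""


def inspect_attachment_name(name):
    """Report the real extension and any signs of extension hiding."""
    ext = real_extension(name)
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    if _PADDING.search(name):
        findings.append("whitespace-padding")
    decoy = _DECOY.search(name.rstrip(" ."))
    if decoy and decoy.group(1).lower() != ext:
        findings.append("decoy-extension:" + decoy.group(1).lower())
    # Quarantine when an executable suffix is combined with a hiding technique.
    block = "executable-extension" in findings and len(findings) > 1
    return {"real_extension": ext, "findings": findings, "block": block}


if __name__ == "__main__":
    for sample in (PADDED, "notes.txt .pif", "report.txt", "setup.exe"):
        print(repr(sample[:24]), inspect_attachment_name(sample))
```

The check works on the full name as received, so it is independent of how many characters a client chooses to display.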