Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
- To: <mjcarter@xxxxxxxxxx>, "Dude VanWinkle" <dudevanwinkle@xxxxxxxxx>, "Gadi Evron" <ge@xxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
- From: "Exibar" <exibar@xxxxxxxxxxx>
- Date: Tue, 24 Jan 2006 17:33:28 -0500
The payload gets executed at the time that it schedules itself to launch,
yes: 59 minutes after the hour.
Two payloads, if you think about it:
the first payload creates the AT job to launch the secondary, harmful payload.
Exibar
----- Original Message -----
From: <mjcarter@xxxxxxxxxx>
To: "Exibar" <exibar@xxxxxxxxxxx>; "Dude VanWinkle"
<dudevanwinkle@xxxxxxxxx>; "Gadi Evron" <ge@xxxxxxxxxxxx>
Cc: <funsec@xxxxxxxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxxx>;
<bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Tuesday, January 24, 2006 5:27 PM
Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay
February3rd (Snort signatures included)
> Does the payload get executed once it has been copied to the
> network share?
>
> Mike
>
> > this one also spreads via network shares, then creates an
> > AT job that will run itself on the 59th minute of every
> > hour to further propagate.
> >
> > very worm like if you ask me.
> >
> > exibar
> >
> >
> > ----- Original Message -----
> > From: "Dude VanWinkle" <dudevanwinkle@xxxxxxxxx>
> > To: "Gadi Evron" <ge@xxxxxxxxxxxx>
> > Cc: <funsec@xxxxxxxxxxxx>;
> > <full-disclosure@xxxxxxxxxxxxxxxxx>;
> > <bugtraq@xxxxxxxxxxxxxxxxx>
> > Sent: Tuesday, January 24, 2006 1:52 PM
> > Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay
> > February3rd (Snort signatures included)
> >
> >
> > On 1/24/06, Gadi Evron <ge@xxxxxxxxxxxx> wrote:
> >
> > > now known as the TISF BlackWorm task force.
> >
> > Why do you call a .scr you have to manually install a
> > "worm"? Why not "BlackVirus"
> >
> > the worm moniker is very misleading (actually got me
> > worried for a sec). The "email worm" is also misleading,
> > because it only propagates through port 25, but that is
> > not the point of entry. The point of entry is the user
> > running a visual basic script _willingly_.
> >
> > Just so I know, what would you guys classify a real worm
> > (blaster, slammer, nimda, etc) as? Or would you just call
> > it an "internet worm" instead of an "email worm" and leave
> > it at that?
> >
> > thanks for the mis-info,
> >
> > -JP
> > "still love ja tho"
> > -JP
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
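The behaviour Exibar describes above, a job queued through AT to fire at 59 minutes past the hour and re-queue itself, gives a defender something concrete to look for on a host. What follows is an added example, not code from this thread or from any of its posters: it parses a listing in the shape of the Windows `at` command's output (Status, ID, Day, Time, Command Line) and flags every job scheduled at :59, grouping repeated commands so that one binary re-scheduling itself hour after hour stands out. The sample listing is constructed, the payload path is a placeholder, and the function names are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the listing `at` prints with no arguments on
# Windows XP/2003. It is not a capture from an infected host, and the
# payload.exe path is a placeholder, not a name the thread reports.
SAMPLE_AT_LISTING = """\
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Today                   3:59 PM       C:\\WINDOWS\\system32\\payload.exe
        2   Each M T W Th F S Su    2:00 AM       C:\\backup\\nightly.cmd
        3   Tomorrow                4:59 PM       C:\\WINDOWS\\system32\\payload.exe
"""

# One row: optional ERROR status, numeric ID, a Day field that may contain
# single spaces ("Each M T W ..."), two or more spaces, a 12-hour time, the command.
ROW_RE = re.compile(
    r"^\s*(?:(?P<status>ERROR)\s+)?(?P<id>\d+)\s+"
    r"(?P<day>\S.*?)\s{2,}"
    r"(?P<time>\d{1,2}:\d{2}\s?[AP]M)\s+"
    r"(?P<cmd>.+?)\s*$"
)
TIME_RE = re.compile(r"(\d{1,2}):(\d{2})\s?([AP]M)")


def parse_at_listing(text: str) -> List[Dict[str, object]]:
    """Turn an `at` listing into a list of jobs with a 24-hour hour and minute."""
    jobs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator, or "There are no entries in the list."
        hour12, minute, ampm = TIME_RE.match(m.group("time")).groups()
        hour = int(hour12) % 12 + (12 if ampm == "PM" else 0)
        jobs.append({
            "id": int(m.group("id")),
            "day": m.group("day"),
            "hour": hour,
            "minute": int(minute),
            "command": m.group("cmd"),
        })
    return jobs


def suspicious_ids(jobs: List[Dict[str, object]], minute: int = 59) -> List[int]:
    """IDs of jobs that fire at the given minute past the hour (59 in the thread)."""
    return sorted(j["id"] for j in jobs if j["minute"] == minute)


def repeated_commands(jobs: List[Dict[str, object]], minute: int = 59) -> Dict[str, List[int]]:
    """Commands queued more than once at :MM, with the hours they are due.

    Consecutive hours for the same command is the re-scheduling pattern the
    thread describes: each run creates the next job.
    """
    hours: Dict[str, List[int]] = {}
    for j in jobs:
        if j["minute"] == minute:
            hours.setdefault(j["command"], []).append(j["hour"])
    return {cmd: sorted(h) for cmd, h in hours.items() if len(h) > 1}


if __name__ == "__main__":
    found = parse_at_listing(SAMPLE_AT_LISTING)
    print("jobs at :59 ->", suspicious_ids(found))
    for cmd, hrs in repeated_commands(found).items():
        print("re-scheduled:", cmd, "at hours", hrs)
```

To use it against a real host, save the output of `at` to a file and feed that text to `parse_at_listing`; a single :59 job is only a lead, but the same command queued at :59 in back-to-back hours is the signature worth escalating.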