[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)

To: Exibar <exibar@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
From: "ad@xxxxxxxxxxxxxxxx" <ad@xxxxxxxxxxxxxxxx>
Date: Tue, 24 Jan 2006 23:49:03 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
and if the worm doesnt use any vulnerability, how come it has been so
widely spreaded ?

Exibar wrote:
> the payload gets executed at the time that it schedule's itself to
> launch, yes.  59 minutes after the hour.
>
> two payloads if you think about it: first payload creates the AT
> job to launch secondary harmful payload
>
> Exibar
>
>
> ----- Original Message ----- From: <mjcarter@xxxxxxxxxx> To:
> "Exibar" <exibar@xxxxxxxxxxx>; "Dude VanWinkle"
> <dudevanwinkle@xxxxxxxxx>; "Gadi Evron" <ge@xxxxxxxxxxxx> Cc:
> <funsec@xxxxxxxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxxx>;
> <bugtraq@xxxxxxxxxxxxxxxxx> Sent: Tuesday, January 24, 2006 5:27 PM
>  Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm
> DDay February3rd (Snort signatures included)
>
>
>> Does the payload get executed once it has been copied to the
>> network share?
>>
>> Mike
>>
>>> this one also spreads via network shares, then creates an AT
>>> job that will run itself on the 59th minute of every hour to
>>> further propigate.
>>>
>>> very worm like if you ask me.
>>>
>>> exibar
>>>
>>>
>>> ----- Original Message ----- From: "Dude VanWinkle"
>>> <dudevanwinkle@xxxxxxxxx> To: "Gadi Evron" <ge@xxxxxxxxxxxx>
>>> Cc: <funsec@xxxxxxxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxxx>;
>>>  <bugtraq@xxxxxxxxxxxxxxxxx> Sent: Tuesday, January 24, 2006
>>> 1:52 PM Subject: Re: [Full-disclosure] Urgent Alert: Possible
>>> BlackWorm DDay February3rd (Snort signatures included)
>>>
>>>
>>> On 1/24/06, Gadi Evron <ge@xxxxxxxxxxxx> wrote:
>>>
>>>> now known as the TISF BlackWorm task force.
>>> Why do you call a .scr you have to manually install a "worm"?
>>> Why not "BlackVirus"
>>>
>>> the worm moniker is very misleading (actually got me worried
>>> for a sec). The "email worm" is also misleading, because it
>>> only propagates through port 25, but that is not the point of
>>> entry. The point of entry is the user running a visual basic
>>> script _willingly_.
>>>
>>> Just so I know, what would you guys classify a real worm
>>> (blaster, slammer, nimda, etc) as? Or would you just call it an
>>> "internet worm" instead of an "email worm" and leave it at
>>> that?
>>>
>>> thanks for the mis-info,
>>>
>>> -JP "still love ja tho" -JP
>>> _______________________________________________ Full-Disclosure
>>> - We believe in it. Charter:
>>> http://lists.grok.org.uk/full-disclosure-charter.html Hosted
>>> and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>> _______________________________________________ Full-Disclosure
>>> - We believe in it. Charter:
>>> http://lists.grok.org.uk/full-disclosure-charter.html Hosted
>>> and sponsored by Secunia - http://secunia.com/
>>>
>>
>
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
>
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
 
iQIVAwUBQ9au3q+LRXunxpxfAQIIuxAA5pzvjP4Kox7i20tHG7a07O1z4y8boTrw
ugxHLnfwkBY6K/EIGmQkKr0fETml1gzhBhQOF+NqVqMNRPL1c9yo2EOYcZYu1TTr
mqieASW2+CHnaYyBPlHnXWS1GzJpthRkZbHqszCqCl5fXuiQVLFpf/AcFWRTWQg9
IMuc1eIMtZmqYFxeTmcFVgkICoBlJdcgNa6IbxdfiWZM/VaWjUZyJPjOPR4ky8Tr
CiARGRHHPS89ooNK2R8y1enQH1Avuji0TVhayeYs89Xb3hh6uUQIAtkiMRtGxA+x
5XWq5jqGbUTBOYQl7L43hp78UIfpQ9kwXtb49w+MMqoywhxn69KnnprK2R/rSFJa
mJHuQDqoiasj/V/LWxNyrgH7pINQ63k7GVRFktbniL8KXc0eeDUCYEds2UvZNEhT
D9B834VaQtn7iex/GiphSZmLmC2YTCDEGqZcRBOxZJxxyBZKD2Z9Awjl3571MveV
tkrVqYodlazuyfgbI+h8eRJcRp3YJouNFM3e2uPYT4pAkoxgQP5YJsdfqu5hRuXX
CgXGO737Ffb+DfDt4H7J/KNXmqp+BDGDYhBsqxh3laEs3fOGeq07GByyG6f2ty0b
vj8TOnDbr1T5jMVPIl+spStLAKIp6AXLOFYkl7maD53AP7QzOHd/KzcTARjA7XK6
Mt72tMNe9YI=
=OdGJ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
  - From: prb
- Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
  - From: Valdis . Kletnieks

References:
- Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
  - From: mjcarter
- Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
  - From: Exibar

Prev by Date: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
Next by Date: [Full-disclosure] [FLSA-2006:152845] Updated perl packages fix security issues
Previous by thread: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
Next by thread: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
Index(es):
- Date
- Thread