Full Disclosure mailing list archives

Re: Re: pnp worm unknown variant - post infection actions


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 17 Aug 2005 12:23:04 +1200

Jason Coombs wrote:

> Not that this hasn't already been happening as a result of porn-related 
> spyware and adware, but is this the first porn worm?

I've not seen it, so this is based on Morning Wood's description...

It is not a "porn worm".  It is a worm with a download and execute 
payload of a (probably) fixed ("hard-coded") URL.

The code at that URL _CURRENTLY_ is another piece of malware that 
lowers what are laughingly known as IE's security settings then causes 
IE to visit a web site with active content designed to install some 
adware/spyware/whatever (again, not analysed by me).  That install will 
occur silently (I presume) due to the removal of the security settings 
that would otherwise prevent, or at least alert, the user to the 
action.

_THAT_ software (adware/spyware/whatever) may do whatever, but that is 
incidental to the actions of the worm, as the worm can continue 
completely "as is" regardless of what code is at the URL used in the 
intermediate, download and execute, step.

Oh, and it's far from the first "wormy bot" (or similar) to further 
compromise the victim machine by installing adware, spyware, warez 
server, etc, etc.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
