Full Disclosure mailing list archives

Re: Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)


From: "Exibar" <exibar () thelair com>
Date: Tue, 24 Jan 2006 17:33:28 -0500

The payload gets executed at the time that it schedules itself to launch,
yes.  59 minutes after the hour.

 Two payloads, if you think about it:
   first payload creates the AT job to launch the secondary, harmful payload

Exibar


----- Original Message ----- 
From: <mjcarter () ihug co nz>
To: "Exibar" <exibar () thelair com>; "Dude VanWinkle"
<dudevanwinkle () gmail com>; "Gadi Evron" <ge () linuxbox org>
Cc: <funsec () linuxbox org>; <full-disclosure () lists grok org uk>;
<bugtraq () securityfocus com>
Sent: Tuesday, January 24, 2006 5:27 PM
Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay
February3rd (Snort signatures included)


Does the payload get executed once it has been copied to the
network share?

Mike

This one also spreads via network shares, then creates an
AT job that will run itself on the 59th minute of every
hour to further propagate.

  Very worm-like if you ask me.

  exibar


----- Original Message -----
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
To: "Gadi Evron" <ge () linuxbox org>
Cc: <funsec () linuxbox org>; <full-disclosure () lists grok org uk>; <bugtraq () securityfocus com>
Sent: Tuesday, January 24, 2006 1:52 PM
Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)


On 1/24/06, Gadi Evron <ge () linuxbox org> wrote:

now known as the TISF BlackWorm task force.

Why do you call a .scr you have to manually install a
"worm"? Why not "BlackVirus"?

The worm moniker is very misleading (actually got me
worried for a sec). The "email worm" is also misleading,
because it only propagates through port 25, but that is
not the point of entry. The point of entry is the user
running a Visual Basic script _willingly_.

Just so I know, what would you guys classify a real worm
(Blaster, Slammer, Nimda, etc.) as? Or would you just call
it an "internet worm" instead of an "email worm" and leave
it at that?

thanks for the mis-info,

-JP
"still love ja tho"
-JP
_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/






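The propagation mechanism described in this thread (an AT job that fires at the 59th minute of every hour) gives a concrete thing to hunt for on a host. The following PowerShell is an added example for this archive page, not code posted by anyone in the thread and not a BlackWorm signature: it walks the Task Scheduler for triggers that repeat hourly with a start minute of 59 and prints what they run and as whom. It assumes a Windows 8 / Server 2012 or later host where the ScheduledTasks module exists; on the XP/2003-era hosts this thread is about, the equivalent is to read the output of `at` or `schtasks /query /v /fo list` by hand, since legacy AT jobs predate this module.

```powershell
# Added example (not from the thread): flag scheduled tasks that repeat
# hourly and fire at minute 59, the pattern described for the AT job above.
# Assumes the ScheduledTasks module (Windows 8 / Server 2012 or later).

function Find-HourlyMinute59Tasks {
    [CmdletBinding()]
    param(
        [int]$Minute = 59,          # minute of the hour to look for
        [string]$Interval = 'PT1H'  # ISO 8601 repetition interval meaning "every hour"
    )
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($trigger in $task.Triggers) {
            # StartBoundary is an ISO 8601 timestamp string, e.g. 2006-02-03T14:59:00;
            # triggers without one (logon, boot, event triggers) are skipped.
            if (-not $trigger.StartBoundary) { continue }
            $start  = [datetime]::Parse($trigger.StartBoundary)
            $repeat = $trigger.Repetition.Interval
            if ($start.Minute -eq $Minute -and $repeat -eq $Interval) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    # What the task executes; review this before touching anything
                    Action   = ($task.Actions | ForEach-Object {
                                   "$($_.Execute) $($_.Arguments)".Trim()
                               }) -join '; '
                    RunAs    = $task.Principal.UserId
                    Start    = $trigger.StartBoundary
                    Interval = $repeat
                }
            }
        }
    }
}

# Usage: list candidates and inspect the Action column; do not delete on match alone,
# since legitimate maintenance jobs can also run hourly at :59.
Find-HourlyMinute59Tasks | Format-Table -AutoSize
```

The match on minute and interval is deliberately loose: the thread only states the schedule, not the task name or the binary, so the Action and RunAs columns are what distinguish an administrator's hourly job from a payload launcher copied in over a share.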

