Full Disclosure mailing list archives

Re: new worm - "warm-pussy.jpg".


From: Scott Taylor <security () 303underground com>
Date: Wed, 12 Nov 2003 18:46:14 -0700

On Thu, 2003-11-13 at 02:08, Gadi Evron wrote:
> segfault wrote:
>
> > You idiot.  Just because a file is called warm-pussy.jpg, doesn't mean that
> > the webserver it resides on isn't going to parse its actual content (which
> > is probably plaintext).  Look again, I'm sure you'll be surprised.
>
> HTML _is_ plain-text.
> Just because the server sends it as plain text doesn't mean the browser
> won't execute it.
>
> It does.
>
> This *is* a Trojan horse.
>
> Do you have anything real to contribute or are you just going to call a
> guy that raised the alarm of a _possible_ new dangerous Trojan horse names?

What I'm more curious about is which of the servers that passed on the
message from segfault added this line:

X-Virus-Scanned: Symantec AntiVirus Scan Engine

Because, once the message got handed off to my server, which contains a
functioning virus scanner, the message was identified and quarantined.
Actually, I'm quite glad to have been emailed a virus, since most of my
friends do keep their systems clean, so it's always good to know that
the scanner is even alive (aside from the regular emails where it tells
me it updated itself)

So, for anyone curious as to a name to give to that ".jpg" file:

[This warning message is *not* being sent to the apparent originator
of the original message.  This address appears to be that of a
mailing list or other automated email system.]

The virus was reported to be: 

 JS/Petch.A.dropper


--
Scott Taylor - <security () 303underground com> 

vuja de:
        The feeling that you've *never*, *ever* been in this situation before.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
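
The thread turns on a file whose name says ".jpg" while its bytes are HTML that a content-sniffing browser will still render. The following is an added example, not part of the original message or of any scanner named in it: a gateway-side check that compares the claimed image extension with the leading bytes. The function name, the marker list, the 1024-byte window and the sample inputs are assumptions constructed for illustration, and only the extension/content mismatch case is covered.

```python
import re

# Leading "magic" bytes for the image types an extension may claim.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Tags that a content-sniffing browser would treat as active HTML.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|object|embed)\b",
    re.IGNORECASE,
)

SNIFF_WINDOW = 1024  # bytes examined; an assumption, real sniffing windows vary


def classify(filename: str, data: bytes) -> str:
    """Classify a file by comparing its extension with its leading bytes.

    Returns 'not-image' (extension is not a known image type), 'ok'
    (magic bytes match the extension), 'html-in-image' (no image magic,
    HTML markup present) or 'mismatch' (no image magic, no HTML found).
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        return "not-image"
    head = data[:SNIFF_WINDOW]
    if head.startswith(magics):
        return "ok"
    if HTML_MARKERS.search(head):
        return "html-in-image"
    return "mismatch"


# Constructed sample inputs (not taken from the message discussed above).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
HTML_SAMPLE = b"<HTML><body><script>/* placeholder */</script></body></HTML>"
TEXT_SAMPLE = b"just some text"

if __name__ == "__main__":
    for name, blob in [("photo.JPG", JPEG_SAMPLE), ("picture.jpg", HTML_SAMPLE),
                       ("icon.png", TEXT_SAMPLE), ("notes.txt", TEXT_SAMPLE)]:
        print(f"{name}: {classify(name, blob)}")
```
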

