Full Disclosure mailing list archives

Re: new worm - "warm-pussy.jpg".

From: "I.R. van Dongen" <vdongen () hetisw nl>
Date: Thu, 13 Nov 2003 09:00:13 +0100

On Wed, Nov 12, 2003 at 02:36:41PM -0500, segfault wrote:

You idiot.  Just because a file is called warm-pussy.jpg, doesn't mean that
the webserver it resides on isn't going to parse it's actual content (which
is probably plaintext).  Look again, I'm sure you'll be surprised.

Contents of warm-pussy.jpg:

<snip>

I edited the source to make it harmless (putty from official website
instead of virus) and fixed the dependency on existence of c:\windows.

For those who want to see how it works:
http://lamorak.hetisw.nl/concept.jpg

I tested on 3 volunteers and 1 reported a virusscanner (can't remember
which one) reporting VBS/Psyme.

Either test on a fast line, or allow enough time for putty to download.

Greetings,

Ivo van Dongen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

new worm - "warm-pussy.jpg". Tom Russell (Nov 12)
- Re: new worm - "warm-pussy.jpg". segfault (Nov 12)
  - Re: new worm - "warm-pussy.jpg". Blue Boar (Nov 12)
    - Re: new worm - "warm-pussy.jpg". segfault (Nov 12)
  - Re: new worm - "warm-pussy.jpg". Gadi Evron (Nov 12)
    - Re: new worm - "warm-pussy.jpg". Scott Taylor (Nov 12)
    - Re: new worm - "warm-pussy.jpg". Valdis . Kletnieks (Nov 12)
    - Re: new worm - "warm-pussy.jpg". Evidence (Nov 13)
  - Re: new worm - "warm-pussy.jpg". I.R. van Dongen (Nov 13)
- <Possible follow-ups>
- Re: new worm - "warm-pussy.jpg". Feher Tamas (Nov 13)