Full Disclosure mailing list archives

Re: Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)


From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Tue, 24 Jan 2006 23:49:03 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
and if the worm doesn't use any vulnerability, how come it has been so
widely spread?

Exibar wrote:
the payload gets executed at the time that it schedules itself to
launch, yes.  59 minutes after the hour.

two payloads if you think about it: first payload creates the AT
job to launch secondary harmful payload

Exibar


----- Original Message ----- From: <mjcarter () ihug co nz> To:
"Exibar" <exibar () thelair com>; "Dude VanWinkle"
<dudevanwinkle () gmail com>; "Gadi Evron" <ge () linuxbox org> Cc:
<funsec () linuxbox org>; <full-disclosure () lists grok org uk>;
<bugtraq () securityfocus com> Sent: Tuesday, January 24, 2006 5:27 PM
 Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm
DDay February3rd (Snort signatures included)


Does the payload get executed once it has been copied to the
network share?

Mike

this one also spreads via network shares, then creates an AT
job that will run itself on the 59th minute of every hour to
further propagate.

very worm like if you ask me.

exibar


----- Original Message ----- From: "Dude VanWinkle"
<dudevanwinkle () gmail com> To: "Gadi Evron" <ge () linuxbox org>
Cc: <funsec () linuxbox org>; <full-disclosure () lists grok org uk>;
 <bugtraq () securityfocus com> Sent: Tuesday, January 24, 2006
1:52 PM Subject: Re: [Full-disclosure] Urgent Alert: Possible
BlackWorm DDay February3rd (Snort signatures included)


On 1/24/06, Gadi Evron <ge () linuxbox org> wrote:

now known as the TISF BlackWorm task force.
Why do you call a .scr you have to manually install a "worm"?
Why not "BlackVirus"

the worm moniker is very misleading (actually got me worried
for a sec). The "email worm" is also misleading, because it
only propagates through port 25, but that is not the point of
entry. The point of entry is the user running a visual basic
script _willingly_.

Just so I know, what would you guys classify a real worm
(blaster, slammer, nimda, etc) as? Or would you just call it an
"internet worm" instead of an "email worm" and leave it at
that?

thanks for the mis-info,

-JP "still love ja tho" -JP
_______________________________________________ Full-Disclosure
- We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted
and sponsored by Secunia - http://secunia.com/









-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
-----END PGP SIGNATURE-----


