Security Incidents mailing list archives
Re: recent sadmin worm
From: "Vitaly Osipov" <vosipov () wolfegroup ie>
Date: Tue, 15 May 2001 09:22:08 +0100
phew, I got about 200 replies from antivirus programs about "virus contained in a message". I wonder what's the use of marking this _perl_ script as a virus - it is an exploit program, no more, no less... Looks like it's a rather non-creative attempt by virus-scanner makers to stop some popular exploits (or to have a reason to say that their signature base is very big :) )

regards,
Vitaly.

----- Original Message -----
From: "Vitaly Osipov" <vosipov () wolfegroup ie>
To: <INCIDENTS () securityfocus com>
Sent: Monday, May 14, 2001 4:58 PM
Subject: recent sadmin worm

Hi all,

I've got a copy of this (popular :) ) Solaris-Microsoft worm... and I am really surprised by its IIS exploit - it's just an old unicode thing... people should thank heavens that the anonymous writer did not add a new IIS5.0 web printer bug :)

by default the worm itself sits in /dev/cuc - check it if you have a Solaris box :)

if somebody is interested in developing signatures/whatever, I attach here worm's iis defacement script. The worm itself, btw, is rather small (20 kb in zip if you exclude things like wget, gzip and nc - it carries them as well, so "full version" is ~700kb)

regards,
Vitaly.