Re: recent sadmin worm

["Vitaly Osipov" <vosipov () wolfegroup ie>]

it's not _live_ or dead :) it's just an exploit program, and btw you have to
spend some minutes to make it working (it's not that one-click microsoft
malware :))) ) Anyway it's a tool, a piece to be studied. It can only become
"bad" if you give it a list of addresses to deface, if _you_ put it to a
machine where perl and specific modules are, and finally execute it...
As I already said, I do not understand this tendency in antivirus software
scanners... The funniest part is that some messages from those stupid
programs contained stuff like "inappropriate language detected", not
mentioning the descriptions of where they put that file - local paths, mail
servers structure etc :) pretty much of information disclosed this way - I
did not ever think about such a problem.


----- Original Message -----
From: "Riess, Bob" <briess () amerix com>
To: "'Vitaly Osipov'" <vosipov () wolfegroup ie>; <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, May 15, 2001 2:33 PM
Subject: RE: recent sadmin worm


> Vitaly,
> My viruswall killed the attachment to your post, as it should. It's really
> not a good idea to send out live malware, even with the best of
> intentions...
>
> -br
>
>
> -----Original Message-----
> From: Vitaly Osipov [mailto:vosipov () wolfegroup ie]
> Sent: Monday, May 14, 2001 11:59 am
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: recent sadmin worm
>
>
>
> ****** Message from InterScan E-Mail VirusWall NT ******
>
> ** WARNING! Attached file uniattack.zip contains:
>
>      PERL_SADMIND.A virus in compressed file uniattack.pl
>
>    Attempted to clean the file but it is not cleanable.
>    It has been deleted.
>
> *****************     End of message     ***************