Security Incidents mailing list archives
Re: Possible Trojan/Virus: while.com.
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Mon, 26 Nov 2001 10:07:31 -0800 (PST)
-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 26 Nov 2001, John Sage wrote:

> Just to take one word ("Attune") out of the excerpt, and do a google
> search on it, I found:
> <snip>
> So, at least "Attune" seems to be one of these wonderful new "helpers" that run in the background on Window$ boxes, and "help" users...

Heh. I totally blew off the verbiage in the body after a cursory
look brought up prohibitions on reverse-engineering. Just put my mind
straight into safe mode. (Next up: the Dyson Logic DoS...mention anything
that remotely sounds like DMCA restrictions and *boom*.) ;)

Thanks for the follow-up. From what I'm hearing from other folks,
it appears that the content of the message body is pseudorandomly culled
from the contents of the victim's drive; probably from most-recently
accessed documents (probably \windows\temp or \netscape\cache).

I understand this beastie matches a couple of different viral
signatures, though the jury seems to be out on which one it most closely
matches. Time will tell, I suppose.

- -Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee"-. >====<--.
C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) | = |-'
`--' `--' `---------- Si vis pacem, para bellum. ----------' `------'
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.
-----END PGP SIGNATURE-----
