Vulnerability Development mailing list archives

Re: Win32.Sircam.Worm Alert.....


From: Nicolas Gregoire <nicolas.gregoire () 7thzone com>
Date: Wed, 25 Jul 2001 19:22:10 +0200

"Eric D. Williams" wrote :

I suspect this worm alters extensions as
well, I am sure (and hope) someone will post a dissection of this worm to the
list after they receive a full copy.

No dissection, sorry :)

Just a few notes:
- the extensions I have seen are .pif, .bat, .com, .exe, .lnk
- the worm wraps a document from the MyDocuments folder in a file
containing the executable virus and sends it to email addresses found in
*.wab (Windows address books) and Temporary Internet Files
- title of the mail = filename without extensions
- how to detect/reject it at the mail server (Postfix only):
        /^Content-Disposition: Multipart message/i       REJECT 
- how to extract the "stolen" file :
        dd if=file.xls.bat bs=512 skip=268 of=file.xls

Nicob
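
The extraction step from the message above, wrapped with the checks an analyst would want before trusting the output. This is an added example, not part of the original post: the function names and the constructed sample are assumptions, while the 268 x 512-byte offset and the extension list come from the message.

```shell
#!/bin/sh
# Offset from the post: 268 blocks of 512 bytes (137216 bytes) precede the document.
WORM_BLOCKS=268
BLOCK_SIZE=512

# recover_doc SAMPLE [OUTDIR]: prints the path of the recovered document.
# Hypothetical helper; the sample is only read, never executed.
recover_doc() {
    sample=$1
    outdir=${2:-.}
    [ -f "$sample" ] || { echo "no such file: $sample" >&2; return 1; }
    base=$(basename "$sample")
    # Accept only the double-extension names listed in the post.
    case "$base" in
        *.*.pif|*.*.bat|*.*.com|*.*.exe|*.*.lnk) ;;
        *) echo "unexpected name: $base" >&2; return 2 ;;
    esac
    size=$(( $(wc -c < "$sample") ))
    offset=$((WORM_BLOCKS * BLOCK_SIZE))
    # A file no longer than the offset has no appended document to recover.
    if [ "$size" -le "$offset" ]; then
        echo "$base: $size bytes, nothing after offset $offset" >&2
        return 3
    fi
    out="$outdir/${base%.*}"    # file.xls.bat -> file.xls
    [ -e "$out" ] && { echo "refusing to overwrite $out" >&2; return 4; }
    # Same dd invocation as in the post.
    dd if="$sample" of="$out" bs="$BLOCK_SIZE" skip="$WORM_BLOCKS" 2>/dev/null || return 1
    echo "$out"
}

# Constructed sample for testing: 137216 filler bytes plus a fake document body.
make_constructed_sample() {
    dd if=/dev/zero of="$1" bs=512 count=268 2>/dev/null
    printf 'CONSTRUCTED DOCUMENT BODY\n' >> "$1"
}
```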

