>care to share? Dude I'll e-mail you a very temporary link to the executable, off the list. Just share it further using your own bandwidth instead of mine please. I've done likewise with a few other people who requested a sample, but don't have time to respond to each request individually.
If you want to post it on your own box and share it with the full "full disclosure" list, that's up to you. I see Symantec came up with an advisory 10-11 hours after they got a sample, yet still got a couple things wrong. My 411 wasn't completely comprehensive either, but I'm not getting paid to analyze malware for the masses and don't have a dedicated lab, l33t expensive tools, and a paycheck dedicated to such things. On all the infections I've seen (I work for a large international organization, so malware presence is a given...due to technical constraints I'll not delve into at the moment) there were no e-mail impacts. Also I didn't see the Was*.tmp DLL they mention on most boxes. Also they don't mention that "multiple" reg keys may be added to the Run folder. Lastly they don't point out that "worm" propagation based on the PnP vulnerability only occurs on the Win2K boxes. Win2K3 and WinXP require some user/machine action to exploit the vulnerability, and the malware can't infect those boxes independently. I don't think I mentioned that either, but figure most on this list know such things. AV vendors shouldn't make such assumptions though. The behavior varied from workstation to server. On one server the malware was constantly creating 1.7GB executable files and eating up 100% of the CPU. That box was a very unique animal though and I doubt most would see that on your average server. Peace, Vic _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
