Does the payload get executed once it has been copied to the network share?

Mike

> this one also spreads via network shares, then creates an AT job that will run itself on the 59th minute of every hour to further propagate.
>
> very worm like if you ask me.
>
> exibar
>
>
> ----- Original Message -----
> From: "Dude VanWinkle" <[EMAIL PROTECTED]>
> To: "Gadi Evron" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>; <[email protected]>; <[email protected]>
> Sent: Tuesday, January 24, 2006 1:52 PM
> Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
>
>
> On 1/24/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
>
> > now known as the TISF BlackWorm task force.
>
> Why do you call a .scr you have to manually install a "worm"? Why not "BlackVirus"
>
> the worm moniker is very misleading (actually got me worried for a sec). The "email worm" is also misleading, because it only propagates through port 25, but that is not the point of entry. The point of entry is the user running a visual basic script _willingly_.
>
> Just so I know, what would you guys classify a real worm (blaster, slammer, nimda, etc) as? Or would you just call it an "internet worm" instead of an "email worm" and leave it at that?
>
> thanks for the mis-info,
>
> -JP
> "still love ja tho"
> -JP
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
