and if the worm doesn't use any vulnerability, how come it has been so widely spread?

Exibar wrote:
> the payload gets executed at the time that it schedules itself to
> launch, yes. 59 minutes after the hour.
>
> two payloads if you think about it: first payload creates the AT
> job to launch secondary harmful payload
>
> Exibar
>
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: "Exibar" <[EMAIL PROTECTED]>; "Dude VanWinkle" <[EMAIL PROTECTED]>; "Gadi Evron" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>; <[email protected]>; <[email protected]>
> Sent: Tuesday, January 24, 2006 5:27 PM
> Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
>
>
>> Does the payload get executed once it has been copied to the
>> network share?
>>
>> Mike
>>
>>> this one also spreads via network shares, then creates an AT
>>> job that will run itself on the 59th minute of every hour to
>>> further propagate.
>>>
>>> very worm like if you ask me.
>>>
>>> exibar
>>>
>>>
>>> ----- Original Message -----
>>> From: "Dude VanWinkle" <[EMAIL PROTECTED]>
>>> To: "Gadi Evron" <[EMAIL PROTECTED]>
>>> Cc: <[EMAIL PROTECTED]>; <[email protected]>; <[email protected]>
>>> Sent: Tuesday, January 24, 2006 1:52 PM
>>> Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)
>>>
>>>
>>> On 1/24/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
>>>
>>>> now known as the TISF BlackWorm task force.
>>>
>>> Why do you call a .scr you have to manually install a "worm"?
>>> Why not "BlackVirus"
>>>
>>> the worm moniker is very misleading (actually got me worried
>>> for a sec). The "email worm" is also misleading, because it
>>> only propagates through port 25, but that is not the point of
>>> entry. The point of entry is the user running a visual basic
>>> script _willingly_.
>>>
>>> Just so I know, what would you guys classify a real worm
>>> (blaster, slammer, nimda, etc) as?
>>> Or would you just call it an
>>> "internet worm" instead of an "email worm" and leave it at
>>> that?
>>>
>>> thanks for the mis-info,
>>>
>>> -JP "still love ja tho" -JP
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
