the payload gets executed at the time that it schedules itself to launch, yes. 59 minutes after the hour.

two payloads if you think about it: first payload creates the AT job to launch secondary harmful payload

Exibar

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Exibar" <[EMAIL PROTECTED]>; "Dude VanWinkle" <[EMAIL PROTECTED]>; "Gadi Evron" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[email protected]>; <[email protected]>
Sent: Tuesday, January 24, 2006 5:27 PM
Subject: Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February3rd (Snort signatures included)

> Does the payload get executed once it has been copied to the
> network share?
>
> Mike
>
> > this one also spreads via network shares, then creates an
> > AT job that will run itself on the 59th minute of every
> > hour to further propagate.
> >
> > very worm like if you ask me.
> >
> > exibar
> >
> >
> > ----- Original Message -----
> > From: "Dude VanWinkle" <[EMAIL PROTECTED]>
> > To: "Gadi Evron" <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>;
> > <[email protected]>;
> > <[email protected]>
> > Sent: Tuesday, January 24, 2006 1:52 PM
> > Subject: Re: [Full-disclosure] Urgent Alert:
> > Possible BlackWorm DDay February3rd (Snort signatures
> > included)
> >
> >
> > On 1/24/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> >
> > > now known as the TISF BlackWorm task force.
> >
> > Why do you call a .scr you have to manually install a
> > "worm"? Why not "BlackVirus"
> >
> > the worm moniker is very misleading (actually got me
> > worried for a sec). The "email worm" is also misleading,
> > because it only propagates through port 25, but that is
> > not the point of entry. The point of entry is the user
> > running a visual basic script _willingly_.
> >
> > Just so I know, what would you guys classify a real worm
> > (blaster, slammer, nimda, etc) as? Or would you just call
> > it an "internet worm" instead of an "email worm" and leave
> > it at that?
> >
> > thanks for the mis-info,
> >
> > -JP
> > "still love ja tho"
> > -JP
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> > http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
