If anyone is interested in the files this GDI exploit downloaded from the FTP file (mentioned in the Easynews txt; it's now down), I grabbed a copy. Interesting indeed. I've also archived the Easynews write-ups and the "infected" JPEG itself. It's not exactly a virus, being that it doesn't replicate or spread in any way, just a connect back which downloads some trojan/irc-bot files. (List of files available on the Easynews.txt page.)
Email me off list for a link of it all.

--
Peace. ~G

On Tue, 28 Sep 2004 16:19:40 -0500, Todd Towles <[EMAIL PROTECTED]> wrote:
> This was sent out on FD this morning as a password protected ZIP file.
>
> I downloaded a copy via wget, both my proxy AV and my desktop AV were
> able to detect it as a MS04-028 exploit.
>
> The story was also posted to Slashdot.org last night
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Barrie
> Dempster
> Sent: Tuesday, September 28, 2004 3:16 PM
> To: Barry Fitzgerald
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] JPEG GDI
>
> On Tue, 2004-09-28 at 19:56, Barry Fitzgerald wrote:
> > Yep - in fact I was reading this morning on http://isc.sans.org/ that
> > one was just found on an adult newsgroup.
> >
> > -Barry
>
> Indeed Barry, here's more information on that for you or others
> interested http://easynews.com/virus.html
>
> I know the file itself has already been posted to the list but this link
> gives some preliminary analysis of it too, which shows it as a trojan
> infection vector and not really a virus in the traditional sense.
>
> --
> Barrie Dempster (zeedo) - Fortiter et Strenue
>
> http://www.bsrf.org.uk
>
> [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
