On Tue, Sep 11, 2001, Raju Mathur wrote:
> >>>>> "mukund" == mukund <[EMAIL PROTECTED]> writes:
>
> mukund> To me it looks like a hoax and an attempt to
> mukund> install a Trojan. The author has not given how the
> mukund> virus will spread?
>
> Are you saying this after examining the code, or just
> intuition? I haven't heard anything about this program being a
> trojan so far, and if it were I'd definitely have got some
> news from BUGTRAQ or other sources by now.
>
> mukund> A simple file size check would detect the virus,
> mukund> why run binaries from the author?
>
> mukund> The author signs as
> >> Regards, - anonymous
>
> mukund> Should we believe him?
>
> Why not? It's possible s/he's protecting her identity to avoid
> future prosecution under the infamous DMCA. Maybe s/he's
> Dmitry's sister/brother?:-)
>
> mukund> I think this is a hoax, and do not run any binary
> mukund> to detect the so-called virus.
>
> Again, some rationale for this would be useful. If you have
> reasonable proof or doubt, let's let the world know.
>
> mukund> Raju, I wish you had checked the
> mukund> authenticity before posting such stuff, which
> mukund> might create unnecessary panic among the listers.
>
> I did what I had to: released the advisory, and warned about
> the authenticity. I work on the principle that other people
> are smart enough not to do something which they're unsure of
> if they've been explicitly warned in large type.
>
> -- Raju

Raju,

I have downloaded the code. The Perl section is innocuous,
but the program kill.c still needs some exploration. There are
portions which I could not understand. I could not find any
propagation mechanism within the Perl or the C program. How
does it spread?

It may be a part program where the infection mechanism is
withheld and only the "immunity" mechanism is being circulated.

Secondly, one thing which surprised me is this section:

    // physically move data from (poffset->eof), 4096 bytes forward
    if (movedata(fp, poffset, poffset+4096, stat.st_size -poffset) != 0)

This is the section which is supposed to protect. Moving the
code segment by 4k merely creates a "hole" ... what's this for?

I suppose it would be better to refer this matter to Symantec
or other pros in this field ...

Bish
--
:
####[ Linux One Stanza Tip (LOST) ]###########################
Sub : Learning PERL techniques LOST #069
Is there a good place to learn snarky PERL TECHNIQUES? One of
my favorites is http://webtechniques.com where Randall Schwartz
contributes a monthly sample, explaining line-by-line what his
code does, and why. (Look under "Programming with Perl" in the
archives.)
####<[EMAIL PROTECTED]>######################################
:
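
The 4096-byte move raised in the message above can be checked against a trusted copy of a binary. This is an added example, not part of the thread and not code from kill.c: it tests whether a file equals the trusted copy with exactly one 4096-byte region inserted, and reports what that region holds. The function names and the sample bytes are constructed for illustration.

```python
# Added example: does `current` equal a trusted `baseline` plus one 4096-byte hole?
SHIFT = 4096  # size of the forward move quoted from kill.c in the message


def _common_prefix(a: bytes, b: bytes) -> int:
    """Length of the longest common prefix of a and b."""
    n = min(len(a), len(b))
    i = 0
    while i < n and a[i] == b[i]:
        i += 1
    return i


def analyse_shift(baseline: bytes, current: bytes, shift: int = SHIFT):
    """Return (offset, kind) if current == baseline[:p] + <shift bytes> + baseline[p:].

    offset is the earliest p that fits; kind describes the bytes in the hole.
    Returns None when the files differ in any other way.
    """
    n = len(baseline)
    if len(current) - n != shift:
        return None  # not grown by exactly `shift` bytes
    prefix = _common_prefix(baseline, current)
    suffix = _common_prefix(baseline[::-1], current[::-1])
    p = n - suffix
    if p > prefix:
        return None  # matching head and tail do not cover the whole baseline
    hole = current[p:p + shift]
    if hole == bytes(shift):
        kind = "zero-filled"
    elif hole == baseline[p:p + shift]:
        kind = "stale copy of moved data"
    else:
        kind = "new content"
    return p, kind


def sample_baseline(size: int = 8192) -> bytes:
    """Constructed stand-in for a trusted binary (bytes 1..251, never 0 or 255)."""
    return bytes((i * 7 + i // 256) % 251 + 1 for i in range(size))


if __name__ == "__main__":
    base = sample_baseline()
    moved = base[:1000] + base[1000:1000 + SHIFT] + base[1000:]  # move, hole untouched
    print(analyse_shift(base, moved))
    print(analyse_shift(base, base[:1000] + b"\xff" * SHIFT + base[1000:]))
```

A "new content" result means the hole holds bytes that are absent from the trusted copy, which is the case worth passing on for further analysis.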