[Esa-l] Yet another "double extension" worm (Caught by filter)
Brett Glass
brett at lariat.org
Mon Jun 19 10:20:22 PDT 2000
At
http://www.symantec.com/avcenter/venc/data/vbs.stages.a.html
Symantec describes a new worm which uses the "double extension" trick.
Fortunately, due to the recent addition of new executable extensions,
John's filter should catch this one with no modifications. (Way to go!)
The increasing incidence of this sort of worm strengthens the case for
treating files with double extensions (in particular, .txt.<executable
extension>) with extreme prejudice, perhaps quarantining them even if
they'd just be "defanged" otherwise.
--Brett
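
The policy suggested in the message above (quarantine double-extension attachments, merely defang other executables), sketched as an added example; it is not part of the original post and is not the filter's own code. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for illustration only; not the filter's actual extension lists.
EXECUTABLE = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
              "js", "jse", "wsf", "wsh", "shs", "hta", "lnk"}
BENIGN_LOOKING = {"txt", "doc", "jpg", "gif", "htm", "html", "pdf", "mp3"}


def classify(filename):
    """Return 'pass', 'defang' or 'quarantine' for one attachment name."""
    # Windows ignores trailing dots and spaces, so drop them before judging.
    name = filename.strip().rstrip(". ").lower()
    # Strip each component so whitespace padding between extensions is ignored.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE:
        return "pass"
    # Executable extension hidden behind a harmless-looking one: the
    # double-extension disguise, handled more strictly than a plain executable.
    if len(parts) >= 3 and parts[-2] in BENIGN_LOOKING:
        return "quarantine"
    return "defang"


def scan(raw_message):
    """Map every attachment filename in a raw message to its verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return {part.get_filename(): classify(part.get_filename())
            for part in msg.walk() if part.get_filename()}


def sample_message():
    """Build a constructed test message with three placeholder attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("notes.txt", "setup.exe", "readme.txt.vbs"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


if __name__ == "__main__":
    for name, verdict in scan(sample_message()).items():
        print(f"{verdict:10} {name}")
```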