[Esd-l] Worm(?) warning
John D. Hardin
jhardin at impsec.org
Sun Jun 23 17:30:02 PDT 2002
Hey, all.

Over the weekend I've gotten two messages that are rather suspicious:
messages with file attachments from people that I don't regularly
correspond with.

What's odd is that the file attachments were named "Nieuw -
Tekstdocument.DOC" and "Nieuw - Tekstdocument.ZIP", yet they were both
Windows executables.

I don't know whether this is a clumsy user or a clumsy worm, as I
don't think either would actually get executed if double-clicked.

Anyway, FYI. Probably yet another attack of some sort.

I'm beginning to think that the sanitizer should do some very limited
signature scanning, just enough to identify Windows PE format and
mangle if the attachment matches that regardless of the filename.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"To disable the Internet to save EMI and Disney is the moral
equivalent of burning down the library of Alexandria to ensure the
livelihood of monastic scribes."
-- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
334 days until The Matrix Reloaded