[Esd-l] Worm(?) warning
Darryl Ross
dross at syc.net.au
Sun Jun 23 21:00:02 PDT 2002
Windows 2000 will actually do (what I'd explain as a) `file` command on
the file and then load the applicable program. Not sure how it does it,
but it will load up Office documents, etc., that have been renamed by the
sanitiser.
Darryl
--
Darryl Ross
Senior Network and Systems Administrator
Service to Youth Council Inc
dross at syc.net.au
> Hey, all.
>
> Over the weekend I've gotten two messages that are rather suspicious:
> messages with file attachments from people that I don't regularly
> correspond with.
>
> What's odd is that the file attachments were named "Nieuw -
> Tekstdocument.DOC" and "Nieuw - Tekstdocument.ZIP", yet they were both
> Windows executables.
>
> I don't know whether this is a clumsy user or a clumsy worm, as I
> don't think either would actually get executed if double-clicked.
>
> Anyway, FYI. Probably yet another attack of some sort.
>
> I'm beginning to think that the sanitizer should do some very limited
> signature scanning, just enough to identify Windows PE format and
> mangle if the attachment matches that regardless of the filename.
>
> --
> John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
> jhardin at impsec.org pgpk -a jhardin at impsec.org
> 768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
> 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> "To disable the Internet to save EMI and Disney is the moral
> equivalent of burning down the library of Alexandria to ensure the
> livelihood of monastic scribes."
> -- John Ippolito of the Guggenheim
> -----------------------------------------------------------------------
> 334 days until The Matrix Reloaded
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l
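The content-based check John proposes above, written out as an added example in Python that is not part of this thread or of the Email Sanitizer's own code: it decides whether an attachment is a Windows PE image from its DOS and PE headers rather than its extension, and renames a match with a hypothetical `.DEFANGED-PE` suffix (the suffix and the function names are assumptions for this example). The sample blobs are constructed, not real attachments.

```python
import struct

# Real PE layout constants: 'MZ' DOS header, 4-byte e_lfanew at 0x3C
# pointing at the 'PE\0\0' signature.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C


def is_pe_image(data: bytes) -> bool:
    """True when the bytes look like a Windows PE executable, whatever the filename.

    Every read is bounds-checked, so truncated or hostile input returns False
    instead of raising.
    """
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # The pointer must leave room for the 4-byte signature inside the buffer.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def defang_attachment(filename: str, data: bytes) -> str:
    """Return the filename to deliver; mangled when the content is a PE image.

    The '.DEFANGED-PE' suffix is a convention assumed for this example only.
    """
    return filename + ".DEFANGED-PE" if is_pe_image(data) else filename


# Constructed sample inputs (not real attachments).
def fake_pe() -> bytes:
    """A minimal header-only blob that satisfies the PE check."""
    hdr = bytearray(0x80)
    hdr[:2] = DOS_MAGIC
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, 0x40)  # e_lfanew -> 0x40
    hdr[0x40:0x44] = PE_SIGNATURE
    return bytes(hdr)


OLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 120  # OLE2 (.doc) magic
MZ_ONLY = b"MZ" + b"\0" * 126  # DOS header with no PE signature

if __name__ == "__main__":
    for name, blob in [("Nieuw - Tekstdocument.DOC", fake_pe()),
                       ("Nieuw - Tekstdocument.ZIP", fake_pe()),
                       ("report.doc", OLE_DOC),
                       ("stub.com", MZ_ONLY)]:
        print(f"{name!r:30} -> {defang_attachment(name, blob)!r}")
```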