[Esd-l] Re: [Esa-l] Sanitizer rule for Novarg .ZIP attack
Jeff Bettes
jbettes at gracewild.com
Thu Jan 29 14:52:39 PST 2004
Yah, I've seen that too...
from
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
(bottom of page)
> The worm also prepends any of the following names to the domain name obtained:
>
> * adam
> * alex
> * alice
> * andrew
> * anna
> * bill
> * bob
> * brenda
> * brent
> * brian
etc....
Tristan Griffiths wrote:
> Has anyone else noticed the behavior of the worm where it is sending to
> what seems a dictionary or names in the one domain? Like 'bob at stomp',
> 'fred at stomp', 'joe at stomp', etc...?
>
More information about the esd-l
mailing list