[Esd-l] Addition to poisoned list

John D. Hardin jhardin at impsec.org
Tue Dec 17 07:00:04 PST 2002


On Mon, 16 Dec 2002, Mark_Saunders wrote:

> It would probably be wise to add the "ceo" extension to the poisoned
> list.
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WINEVAR.A&VSect=T

I don't think that's necessary. The .CEO extension is only executable
if the active HTML in the message is able to create a registry mapping
for that extension, and I expect the HTML defanger will disable that
part of the attack.

Also, if the worm writer had his head screwed on straight, he would
have written the worm to randomly generate the extension on every
attack message, which would put us in the position of mangling *all*
extensions.

Side note: this model is really getting long in the tooth. I need to
get back to active development so that the new model can be
implemented. I apologize for not being able to devote much time to
this lately.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
   Tomorrow: The Two Towers
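The reply above makes a point worth seeing in code: a denylist of extensions (the "poisoned list") is only as good as its coverage, and a worm that picks a fresh extension for every message defeats it, which is why the fallback is to mangle every extension that is not known to be inert. The Python below is an added example, not the Email Sanitizer's code and not anything posted in this thread; the two extension lists, the `.DEFANGED` renaming convention and the random-extension worm model are all constructed for illustration.

```python
"""
Attachment-extension policy: denylist ("poisoned list") versus mangle-all-unknown.

Added example. The extension sets, the renaming convention and the
random-extension attacker model are constructed; none of it is taken
from the Email Sanitizer or from the mailing-list thread.
"""
import os
import random
import string

# Constructed denylist in the spirit of a "poisoned list": extensions
# that Windows will execute or interpret without any extra setup.
POISONED = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js"}

# Constructed allowlist: extensions treated as inert data. Anything not
# listed here is mangled, which is the "mangle *all* extensions" stance.
KNOWN_SAFE = {"txt", "jpg", "jpeg", "png", "gif", "pdf"}


def extension_of(filename: str) -> str:
    """Return the lower-cased final extension, or '' when there is none.

    Only the last extension matters ('invoice.pdf.ceo' is a .ceo file),
    because that is the part the OS uses to pick a handler.
    """
    _, ext = os.path.splitext(filename.strip())
    return ext.lstrip(".").lower()


def denylist_verdict(filename: str) -> str:
    """Poisoned-list policy: mangle only extensions we have already listed."""
    return "mangle" if extension_of(filename) in POISONED else "pass"


def mangle_unknown_verdict(filename: str) -> str:
    """Allowlist policy: pass only extensions known to be inert, mangle the rest."""
    return "pass" if extension_of(filename) in KNOWN_SAFE else "mangle"


def apply_policy(filename: str, policy) -> str:
    """Return the filename the recipient would see under the given policy.

    The '.DEFANGED' suffix is a constructed convention: it hides the
    original extension from the OS while keeping it readable to a human.
    """
    if policy(filename) == "mangle":
        return filename + ".DEFANGED"
    return filename


def random_extension(rng: random.Random, length: int = 3) -> str:
    """Model a worm that invents a new extension per message (constructed)."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def evasion_rate(policy, seed: int = 7, trials: int = 1000) -> float:
    """Fraction of randomly named attachments the policy lets through unmangled.

    A high rate means the policy is beaten by the random-extension trick;
    the seed keeps the result reproducible.
    """
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        name = "invoice." + random_extension(rng)
        if policy(name) == "pass":
            passed += 1
    return passed / trials


if __name__ == "__main__":
    # Constructed sample attachment names, including the .ceo case from
    # the thread and a file with no extension at all.
    samples = ["report.ceo", "setup.EXE", "photo.jpg", "invoice.pdf.scr", "README"]
    for name in samples:
        print(f"{name:18} denylist -> {apply_policy(name, denylist_verdict):28} "
              f"mangle-unknown -> {apply_policy(name, mangle_unknown_verdict)}")
    print("random-extension evasion, denylist:      ", evasion_rate(denylist_verdict))
    print("random-extension evasion, mangle-unknown:", evasion_rate(mangle_unknown_verdict))
```

Run stand-alone, the script shows that `report.ceo` sails through the denylist but is mangled by the allowlist policy, and that a worm choosing a random three-letter extension evades the denylist almost every time while the mangle-all-unknown policy stops it almost every time. The cost of the second policy is the one the thread acknowledges: legitimate attachments with unusual or missing extensions get mangled too, so the allowlist has to be tuned to what a site actually exchanges.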