[Esd-l] Addition to poisoned list

John D. Hardin jhardin at impsec.org
Tue Dec 17 07:00:04 PST 2002

On Mon, 16 Dec 2002, Mark_Saunders wrote:

> It would probably be wise to add the "ceo" extension to the poisoned
> list.
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WINEVAR.A&VSect=T

I don't think that's necessary. The .CEO extension is only executable
if the active HTML in the message is able to create a registry mapping
for that extension, and I expect the HTML defanger will disable that
part of the attack.

Also, if the worm writer had his head screwed on straight, he would
have written the worm to randomly generate the extension on every
attack message, which would put us in the position of mangling *all*

Side note: this model is really getting long in the tooth. I need to
get back to active development so that the new model can be
implemented. I apologize for not being able to devote much time to
this lately.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
   Tomorrow: The Two Towers

More information about the esd-l mailing list