[Esd-l] Worm(?) warning

John D. Hardin jhardin at impsec.org
Sun Jun 23 17:30:02 PDT 2002

Hey, all.

Over the weekend I've gotten two messages that are rather suspicious:
messages with file attachments from people that I don't regularly
correspond with.

What's odd is that the file attachments were named "Nieuw -
Tekstdocument.DOC" and "Nieuw - Tekstdocument.ZIP", yet they were both
Windows executables.

I don't know whether this is a clumsy user or a clumsy worm, as I
don't think either would actually get executed if double-clicked.

Anyway, FYI. Probably yet another attack of some sort.

I'm beginning to think that the sanitizer should do some very limited
signature scanning, just enough to identify Windows PE format and
mangle if the attachment matches that regardless of the filename.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
   334 days until The Matrix Reloaded
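
The content check proposed in the message above (identify Windows PE format by the attachment's bytes, regardless of the filename), as an added example that is not part of the original post or of the sanitizer's own code. The function names, the second attachment and the sample message are constructed for illustration; only the "Nieuw - Tekstdocument.DOC" filename comes from the post.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew: little-endian 32-bit offset of the PE header, stored at 0x3C.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def pe_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of attachments whose decoded content is PE, whatever the name says."""
    flagged = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if name is None:          # not an attachment (body text, multipart container)
            continue
        payload = part.get_payload(decode=True) or b""   # undo base64 / quoted-printable
        if looks_like_pe(payload):
            flagged.append(name)  # a sanitizer would mangle/defang this part here
    return flagged

def build_sample() -> bytes:
    """Constructed message: a minimal fake PE stub named .DOC plus a harmless file."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(bytes(stub), maintype="application", subtype="msword",
                       filename="Nieuw - Tekstdocument.DOC")
    # Starts with "MZ" but has no PE header: must not be flagged.
    msg.add_attachment(b"MZ is just how this note starts", maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    return msg.as_bytes()

if __name__ == "__main__":
    print(pe_attachments(build_sample()))
```

Checking both the `MZ` magic and the `PE\0\0` signature at `e_lfanew` keeps the scan limited while avoiding false positives on files that merely begin with the letters "MZ".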

