[Esd-l] Worm(?) warning

Scott Taylor scott at dctchambers.com
Mon Jun 24 07:33:00 PDT 2002

At 05:25 PM 23/06/2002, John D. Hardin wrote:
>Hey, all.
>Over the weekend I've gotten two messages that are rather suspicious:
>messages with file attachments from people that I don't regularly
>correspond with.
>What's odd is that the file attachments were named "Nieuw -
>Tekstdocument.DOC" and "Nieuw - Tekstdocument.ZIP", yet they were both
>Windows executables.

Isn't that special?  Looks like M$ has done it to us again.

>I don't know whether this is a clumsy user or a clumsy worm, as I
>don't think either would actually get executed if double-clicked.

More like a clumsy OS, trying to make the lives of computer illiterates 
easier, however more dangerous.

>Anyway, FYI. Probably yet another attack of some sort.
>I'm beginning to think that the sanitizer should do some very limited
>signature scanning, just enough to identify Windows PE format and
>mangle if the attachment matches that regardless of the filename.

That's not a bad idea, but there you go again trying to keep up with the 
ever changing, ever elusive, M$ world of tricks and tics.  Might be best to 
make another module for this, so you can easily add rules to look for 
inside these files.
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
>   768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
>  1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>  "To disable the Internet to save EMI and Disney is the moral
>   equivalent of burning down the library of Alexandria to ensure the
>   livelihood of monastic scribes."
>                                     -- John Ippolito of the Guggenheim
>    334 days until The Matrix Reloaded
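The "identify Windows PE format regardless of the filename" check proposed in the quoted message, written out as an added example (my code, not the sanitizer's own): it validates the DOS "MZ" stub, follows e_lfanew at offset 0x3C, and requires the "PE\0\0" signature there, with bounds checks so a truncated or crafted attachment cannot make the check itself fail. The `.DEFANGED` suffix and the sample headers are assumptions constructed for the demo.

```python
import struct

PE_SIGNATURE = b"PE\0\0"


def looks_like_pe(data: bytes) -> bool:
    """True if `data` starts with a Windows PE (MZ + PE\\0\\0) header.

    Checks content only, so a .DOC or .ZIP name does not matter. All reads
    are bounds-checked: truncated or hostile input returns False, never raises.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of PE header
    if e_lfanew + 4 > len(data):                         # points past the file
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def mangle_if_pe(filename: str, data: bytes) -> str:
    """Return the attachment name to hand on downstream.

    PE content is mangled whatever the claimed name; the suffix used here is an
    assumption for the example, not the sanitizer's real naming convention.
    """
    if looks_like_pe(data):
        return filename + ".DEFANGED"
    return filename


# Constructed sample inputs (not real attachments):
# minimal PE: MZ stub, e_lfanew = 0x40, PE signature at 0x40, some padding
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + PE_SIGNATURE + b"\0" * 24
# MZ stub whose e_lfanew points far beyond the data (truncated/crafted case)
FAKE_TRUNCATED = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x100000)
# genuine-looking non-executables: OLE2 compound document and ZIP local header
FAKE_DOC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\0" * 56
FAKE_ZIP = b"PK\x03\x04" + b"\0" * 60

if __name__ == "__main__":
    for name, body in [("Nieuw - Tekstdocument.DOC", FAKE_PE),
                       ("Nieuw - Tekstdocument.ZIP", FAKE_ZIP)]:
        print(name, "->", mangle_if_pe(name, body))
```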
