[Esd-l] Re: [Esa-l] Sanitizer rule for Novarg .ZIP attack

Jeff Bettes jbettes at gracewild.com
Thu Jan 29 14:52:39 PST 2004


Yah, I've seen that too...


from

http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html
(bottom of page)

> The worm also prepends any of the following names to the domain name obtained:
> 
>     * adam
>     * alex
>     * alice
>     * andrew
>     * anna
>     * bill
>     * bob
>     * brenda
>     * brent
>     * brian
etc....


Tristan Griffiths wrote:


> Has anyone else noticed the behavior of the worm where it is sending to 
> what seems a dictionary or names in the one domain? Like 'bob at stomp', 
> 'fred at stomp', 'joe at stomp', etc...?
> 




More information about the esd-l mailing list