[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] New virus

To: "'Full Disclosure'" <full-disclosure@lists.netsys.com>
Subject: Re: [Full-Disclosure] New virus
From: Joe Stewart <jstewart@lurhq.com>
Date: Wed, 26 Nov 2003 08:52:46 -0500

On Tuesday 25 November 2003 5:17 pm, Steven Harrison wrote:
> Just for fun, I pointed my web browser at
> http://finance.red-host.com/events.php and all I got back was:
>
> exec:http://wendy35.phpwebhosting.com/netm.exe
>
> I retrieved that file, and running it 'strings' does imply that it
> will contact a remote website. It could be a copy of the virus (I
> have yet to recieve one yet), giving it another way to distribute
> itself, or for the author to distribute improved versions.

It's a DoS attack tool, the target of which is the website you see in 
the strings output. Its only function is to flood the remote host with 
ICMP and HTTP traffic.

-Joe

--
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] New virus
  - From: "Andrew Thomas" <andrewt@nmh.co.za>
- Re: [Full-Disclosure] New virus
  - From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh@nsrg-security.com>
- Re: [Full-Disclosure] New virus
  - From: Steven Harrison <security@smharr4.dnsalias.net>

Prev by Date: Re: [Full-Disclosure] Nokia IPSO
Next by Date: RE: [Full-Disclosure] Nokia IPSO
Previous by thread: Re: [Full-Disclosure] New virus
Next by thread: RE: [Full-Disclosure] New virus
Index(es):
- Date
- Thread