Re: Internet Wide DOS Attack using IRC

From: [deicide] (deicideat_private)
Date: Fri Oct 02 1998 - 16:06:21 PDT

    On Fri, 2 Oct 1998, Kameron Gasso wrote:
    
    > This might be an unreleased Back Orifice plugin from an internet user who
    > dislikes GeoCities (only speculation).  Odds are, it was distributed
    > widely over IRC in a Warez package or something similar.
    
    I have a feeling this is some kind of plugin that has dynamic loading of
    trojan code:
    
     - It is trying to download a .zip file from GeoCities. Presence of
       "winrar" in the registry keys hints that it will uncompress the file.
       (WinRAR is a .rar archive program that also supports .zip, .arj, etc.
       Sort of like WinZip.)
    
     - The reason it has turned into a flood attack is because it's probably
       set to retry on failure, OR it was coded to re-get the file once in a
       while so that the author can "upgrade" the trojan code by placing a
       new .zip file on the GeoCities server.  This "once in a while" was set
       to 30 seconds by mistake.
    
     - I don't think this was meant as an attack on GeoCities.  Even
       at current frequency it's a very small percentage of the total traffic
       handled by their servers.  I'm sure they noticed this not because their
       servers were DoSed, but rather because they don't have any member sites
       that receive millions of visitors daily.
    
    
    I don't see any way to fight this except by trying to spread the knowledge
    about BO and possibly a BO remover/detector along with it.
    
    
    
    --Vitaliy.
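
The 30-second re-fetch described in this message would appear in a web server's access log as one client requesting the same path at a near-constant interval. The following is an added example, not part of the original post or thread, that flags such clients in Common Log Format lines; the log lines, addresses, path and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed Common Log Format sample: documentation IPs, placeholder paths.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Oct/1998:16:00:00 -0700] "GET /example/update.zip HTTP/1.0" 404 0
198.51.100.7 - - [02/Oct/1998:16:00:04 -0700] "GET /example/index.html HTTP/1.0" 200 512
192.0.2.10 - - [02/Oct/1998:16:00:30 -0700] "GET /example/update.zip HTTP/1.0" 404 0
198.51.100.7 - - [02/Oct/1998:16:00:41 -0700] "GET /example/index.html HTTP/1.0" 200 512
192.0.2.10 - - [02/Oct/1998:16:01:00 -0700] "GET /example/update.zip HTTP/1.0" 404 0
203.0.113.5 - - [02/Oct/1998:16:01:10 -0700] "GET /example/update.zip HTTP/1.0" 404 0
192.0.2.10 - - [02/Oct/1998:16:01:31 -0700] "GET /example/update.zip HTTP/1.0" 404 0
198.51.100.7 - - [02/Oct/1998:16:01:55 -0700] "GET /example/index.html HTTP/1.0" 200 512
192.0.2.10 - - [02/Oct/1998:16:02:00 -0700] "GET /example/update.zip HTTP/1.0" 404 0
198.51.100.7 - - [02/Oct/1998:16:02:03 -0700] "GET /example/index.html HTTP/1.0" 200 512
192.0.2.10 - - [02/Oct/1998:16:02:30 -0700] "GET /example/update.zip HTTP/1.0" 404 0
198.51.100.7 - - [02/Oct/1998:16:04:20 -0700] "GET /example/index.html HTTP/1.0" 200 512
"""

# client, timestamp and requested path from a Common Log Format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+)')

def find_periodic_fetchers(log_text, min_requests=5, max_jitter=2.0):
    """Return sorted [(client, path, median_gap_seconds)] for clients that
    request the same path at a near-constant interval (timer-driven polling)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not GET/HEAD requests in this format
        client, stamp, path = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        seen[(client, path)].append(ts.timestamp())
    flagged = []
    for (client, path), times in seen.items():
        if len(times) < min_requests:
            continue  # too few samples to call the spacing regular
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # A human browsing produces irregular gaps; a timer produces gaps
        # that all sit within a small jitter of the median.
        if mid > 0 and all(abs(g - mid) <= max_jitter for g in gaps):
            flagged.append((client, path, mid))
    return sorted(flagged)
```

Counting the distinct clients flagged for one path separates a single misbehaving host from a widely distributed program polling the same file.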
    


