I don't believe that you'll find that hex string in many of the entities afflicted with that virus. In fact, it is more likely found in entities not afflicted when encountering those that are afflicted. There are several hex strings I've noted in those afflicted:

%57%68%61%74%3f%20%20%43%61%6e%27%74%20%79%6f%75%20%73%70%65%61%6b%20%75%70%3f
%49%74%20%77%61%73%20%62%65%74%74%65%72%20%69%6e%20%6d%79%20%64%61%79%21
%44%61%6d%6e%20%6b%69%64%73
%57%68%65%72%65%20%64%69%64%20%49%20%70%75%74%20%6d%79%20
%4e%6f%2c%20%49%27%6d%20%6e%6f%74%20%67%65%74%74%69%6e%67%20%6f%6c%64%2e%20%20%49%20%63%61%6e%20%73%74%69%6c%6c

I believe any of these are a surer marker of the virus than the one Andrew posted.

-----Original Message-----
From: Andrew Plato [mailto:aplato@private]
Sent: Tuesday, January 14, 2003 4:08 PM
To: crime@private
Cc: vancek@private
Subject: RE: CRIME FW: Virus Alert

Here's the hex capture from that virus in case you wanted to add a signature to your IDS to catch it:

%59%6F%75%20%61%72%65%20%61%6E%20%6F%6C%64%20%66%61%72%74%21

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

> -----Original Message-----
> From: Kelly Vance [mailto:vancek@private]
> Sent: Tuesday, January 14, 2003 1:42 PM
> To: soren.j.winslow@private
> Cc: crime@private
> Subject: Re: CRIME FW: Virus Alert
>
> I think Trend Micro is calling this threat C-Nility, but I can't remember.

This archive was generated by hypermail 2b30 : Wed Jan 15 2003 - 09:26:04 PST