> Hi all, > > I've got a copy of this (popular :) ) Solaris-Microsoft worm... and I am > really surprised by it's IIS exploit - it's just an old unicode thing... > people should thank heavens that the anonymous writer did not add a new IIS > 5.0 web printer bug :) > > by default the worm itself sits in /dev/cuc - check it if you have a Solaris > box :) > > if somebody is interested in developing signatures/whatever, I attach here > worm's iis defacement script. The worm itself, btw, is rather small (20 kb > in zip if you exclude things like wget, gzip and nc - it carries them as > well, so "full version" is ~700kb) > > regards, > Vitaly. >
This archive was generated by hypermail 2b30 : Mon May 14 2001 - 15:09:06 PDT