Phew, I got about 200 replies from antivirus programs about "virus contained in a message". I wonder what's the use of marking this _perl_ script as a virus - it is an exploit program, no more, no less... Looks like it's a rather non-creative attempt by virus-scanner makers to stop some popular exploits (or to have a reason to say that their signature base is very big :) )

regards,
Vitaly.

----- Original Message -----
From: "Vitaly Osipov" <vosipovat_private>
To: <INCIDENTSat_private>
Sent: Monday, May 14, 2001 4:58 PM
Subject: recent sadmin worm

> Hi all,
>
> I've got a copy of this (popular :) ) Solaris-Microsoft worm... and I am
> really surprised by its IIS exploit - it's just an old unicode thing...
> people should thank heavens that the anonymous writer did not add a new IIS
> 5.0 web printer bug :)
>
> by default the worm itself sits in /dev/cuc - check it if you have a Solaris
> box :)
>
> if somebody is interested in developing signatures/whatever, I attach here
> worm's iis defacement script. The worm itself, btw, is rather small (20 kb
> in zip if you exclude things like wget, gzip and nc - it carries them as
> well, so "full version" is ~700kb)
>
> regards,
> Vitaly.

This archive was generated by hypermail 2b30 : Tue May 15 2001 - 08:29:50 PDT