Pluto <plutoat_private> wrote: > has someone tried to change the date on an infected system to see if he > realy starts again? Indeed, people have done this, but there are gotchas because of the various *different* sleep states that threads go into in different parts of the code. Unwary "testing" of this kind can easily lead to the wrong answer, as it alreay has for several high-profile security experts and I'm sure is at least part of the cause for why some experts say "the worm can wake up -- we have seen it in the lab" and why other experts are saying "in-depth code analysis *and* our tests show the worm does not re-awaken 'naturally'". -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 15:14:59 PDT