Given the timing of the launch of this thing (almost exactly a week after the WTC attack), it seems important to understand the payload as quickly as possible. I suggest looking for time-based switches in the code. If it were to have some damage mode, it might well spread for a while and then switch to causing some other kind of damage. So looking at the code right after a call to get the system time might be very valuable.

Stuart.

--
Stuart Staniford --- President --- Silicon Defense
** Silicon Defense: Technical Support for Snort **
mailto:stuartat_private http://www.silicondefense.com/
(707) 445-4355 x 16 (707) 445-4222 (FAX)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
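The triage step suggested in the message above, sketched as an added example that is not part of the original post: it scans a text disassembly for calls to a system-time API and reports the compare and conditional jump that follow, which is where a date or time switch would sit. The Windows API names, the `address: mnemonic operands` listing format, the function name and the sample listing are all assumptions constructed for illustration.

```python
import re

# Assumed API names; the message only says "a call to get the system time".
TIME_APIS = ("GetSystemTime", "GetLocalTime", "GetSystemTimeAsFileTime", "GetTickCount")

# Constructed sample listing (not taken from any real binary).
SAMPLE = """
00401000: lea eax, [ebp-10h]
00401003: push eax
00401004: call ds:GetSystemTime
0040100a: movzx ecx, word ptr [ebp-0ah]
0040100e: cmp ecx, 14h
00401011: jb short loc_401020
00401013: call sub_401200
00401018: jmp short loc_401030
00401020: call sub_401100
00401030: call ds:GetTickCount
00401036: mov [ebp-4], eax
00401039: ret
"""

def time_gated_branches(listing, window=8):
    """Return (call_addr, api, compare, branch) for each compare followed by a
    conditional jump within `window` instructions after a time-API call."""
    insns = []
    for line in listing.strip().splitlines():
        addr, _, text = line.strip().partition(":")
        parts = text.split(None, 1)
        if parts:
            insns.append((addr, parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    hits = []
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem != "call":
            continue
        # The trailing \b keeps GetSystemTime from matching GetSystemTimeAsFileTime.
        api = next((a for a in TIME_APIS if re.search(re.escape(a) + r"\b", ops)), None)
        if api is None:
            continue
        last_cmp = None
        for a2, m2, o2 in insns[i + 1:i + 1 + window]:
            if m2 in ("cmp", "test"):
                last_cmp = f"{a2}: {m2} {o2}"
            elif m2.startswith("j") and m2 != "jmp" and last_cmp:
                hits.append((addr, api, last_cmp, f"{a2}: {m2} {o2}"))
                last_cmp = None
            elif m2 in ("ret", "retn"):
                break
    return hits

if __name__ == "__main__":
    for hit in time_gated_branches(SAMPLE):
        print(" | ".join(hit))
```

Each hit is only a lead for manual review: the constant in the compare and both branch targets still have to be read to tell a real switch from ordinary timing or seeding code.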
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 11:45:59 PDT