> I attempted to grab that package in order to take a look at it, but the > link seems to be dead. On top of that, the IP seems to be dead. Did you > get a chance to grab the archive earlier ? If so, please send it to me, no > need to post it to the list unless others want it. > > I'm going on a drive tommorow, and it would be nice to have something to > occupy myself with :) I have a copy that someone else managed to snag. Jonathan, I'll send you a copy in another email. If anyone else wants it, please feel free to ask. What I've come up with so far is this: The vector appears to be a zip file that contains an HTML file. The HTML file has, at the beginning of it, a base64-encoded executable of some sort. Unfortunately, I lack the resources to analyze it further. (Anyone have a good x86 disassembler or decompiler they'd like to suggest?) The text of the document is output through javascript. Presumably it uses this to execute the embedded executable. I'm told this only works in IE but haven't seen fit to experiment myself. (Is this behavior expected or is it a bug?) I have been told that as of 8:30 BST (GMT+0100), the worms appeared to have stopped. I would guess that this is some sort of timing routine built into the worm. Whether or not it'll restart again remains to be seen, but I haven't seen any activity for a while. Sincerely, Chris Ess System Administrator / CDTT (Certified Duct Tape Technician) ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sat Jun 28 2003 - 10:25:37 PDT