It appears that there are not only a significant number of different filenames floating around, but each file is also a different size, including the ones of the same filename. A brief look at the last recent messages I've gotten reveals there's not one that is the same:

-rw-rw-r-- 1 jonz l33t 72966 Aug 19 16:03 application-2.pif
-rw-rw-r-- 1 jonz l33t 75611 Aug 19 16:02 application.pif
-rw-rw-r-- 1 jonz l33t 74984 Aug 19 16:02 details.pif
-rw-rw-r-- 1 jonz l33t 72727 Aug 19 16:02 document_9446-2.pif
-rw-rw-r-- 1 jonz l33t 76166 Aug 19 16:00 document_9446.pif
-rw-rw-r-- 1 jonz l33t 72587 Aug 19 16:02 movie0045-2.pif
-rw-rw-r-- 1 jonz l33t 72845 Aug 19 16:02 movie0045.pif
-rw-rw-r-- 1 jonz l33t 73021 Aug 19 16:03 wicked_scr-2.scr
-rw-rw-r-- 1 jonz l33t 74915 Aug 19 16:03 wicked_scr-3.scr
-rw-rw-r-- 1 jonz l33t 74177 Aug 19 16:00 wicked_scr.scr
-rw-rw-r-- 1 jonz l33t 73954 Aug 19 16:02 your_details.pif
-rw-rw-r-- 1 jonz l33t 74893 Aug 19 16:00 your_document.pif

There's a lot of useful info on the F-Secure and Norton pages, but I don't see anything about it mutating. I wonder if it is storing some kind of source information from each machine. Guess it's time to disassemble it.
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 21:02:54 PDT