RE: [Full-disclosure] Virus Outbreak Attacking MS05-039 WIN2K

[Todd Towles]

That is very possible, but a "update" would have to be made to the bot client to get this webserver on the box with a phishing site. So why not just wait and do the DNS poison when the website is up and working, instead of before...this just tells people that something is wrong.   It doesn't help the worm, it is just leftover junk from the Mytob - as Joe pointed out.   -Todd From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jan Nielsen Sent: Monday, August 15, 2005 11:14 AM To: full-disclosure@lists.grok.org.uk Subject: RE: [Full-disclosure] Virus Outbreak Attacking MS05-039 WIN2K Perhaps the next phase of the virus is a phishing attack to get people to go to a local webserver initiated by the virus to capture login/credentials from those site ?   Jan   -----Original Message----- From: Andrew Smith [mailto:[EMAIL PROTECTED]] Sent: 15. august 2005 17:27 To: Mike Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Virus Outbreak Attacking MS05-039 WIN2K   Can anyone explain why this virus chooses to block ebay, amazon and paypal? This seems foolish if the intention is to remain on the compromised host un-noticed.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/