Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)

2006-01-28 Thread Charles Cala
--- Dude VanWinkle [EMAIL PROTECTED] wrote: Why do you call a .scr you have to manually install a worm? http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to

Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)

2006-01-27 Thread Holger van Lengerich
Hi, On Tue, Jan 24, 2006 at 01:52:39PM -0500, Dude VanWinkle wrote: On 1/24/06, Gadi Evron [EMAIL PROTECTED] wrote: now known as the TISF BlackWorm task force. Why do you call a .scr you have to manually install a worm? Why not BlackVirus? RTFW: http://en.wikipedia.org/wiki/Computer_worm

Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)

2006-01-27 Thread Dude VanWinkle
On 1/27/06, Charles Cala [EMAIL PROTECTED] wrote: BlackWorm has a LAN infection vector. So does some kid hacking directly into your box, but he isn't a worm. No action on the part of the user of the box on the LAN must happen for them to get got, thus this is a worm.

Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)

2006-01-25 Thread Gaddis, Jeremy L.
Gadi Evron wrote: This is an urgent alert released by the cooperative efforts of the MWP / DA groups that also worked on the hurricane Rita scams. This task force is now known as the TISF BlackWorm task force. This task force involves many in the security (anti spam, CERTs, anti virus, academia,

Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)

2006-01-25 Thread Kevin
Is there anything unique about the URL for the request BlackWorm makes towards webstats.web.rcn.net, such as the arguments to df= ? I have logs of HTTP requests towards this host, but since I don't log the full HTTP request with Referer, I'm not sure if these are legit or infected. Thanks,

Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)

2006-01-25 Thread Frank Knobbe
On Wed, 2006-01-25 at 17:54 -0600, Kevin wrote: Is there anything unique about the URL for the request BlackWorm makes towards webstats.web.rcn.net, such as the arguments to df= ? The worm accesses a unique number after the df=. If you supply a different number, you access (or create) a

[Full-disclosure] Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)

2006-01-24 Thread Gadi Evron
Hello. This is an urgent alert released by the cooperative efforts of the MWP / DA groups that also worked on the hurricane Rita scams. This task force is now known as the TISF BlackWorm task force. This task force involves many in the security (anti spam, CERTs, anti virus, academia, ISP's,

Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)

2006-01-24 Thread Dude VanWinkle
On 1/24/06, Gadi Evron [EMAIL PROTECTED] wrote: now known as the TISF BlackWorm task force. Why do you call a .scr you have to manually install a worm? Why not BlackVirus? the worm moniker is very misleading (actually got me worried for a sec). The email worm is also misleading, because it only