[36728] in bugtraq
Re: GDI Virus in the wild.
daemon@ATHENA.MIT.EDU (GuidoZ)
Wed Sep 29 03:18:52 2004
Message-ID: <b7bc1b1f04092812186cc20955@mail.gmail.com>
Date: Tue, 28 Sep 2004 12:18:04 -0700
From: GuidoZ <uberguidoz@gmail.com>
Reply-To: GuidoZ <uberguidoz@gmail.com>
To: Gerry Eisenhaur <geisenhaur@cisco.com>
Cc: ben@easynews.com, bugtraq@securityfocus.com
In-Reply-To: <41586DC6.2010200@Cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
The FTP site that was hosting the files was taken down. If anyone
would like to take a peek at the files used (for educational purposes
only of course), let me know off list. I grabbed a copy.
I'd also have to agree with Gerry. This doesn't replicate or spread
once executed - it just exploits the local machine, installing a
trojan/irc-bot, then connecting back. Still the first of it's kind
that I'd seen.
--
Peace. ~G
On Mon, 27 Sep 2004 15:45:10 -0400, Gerry Eisenhaur
<geisenhaur@cisco.com> wrote:
> It's not a virus, just a connect back (82.1.163.241:55000) cmd shell
> exploit.
>
> /gerry
>
> Ben wrote:
> > Allo,
> >
> > There is now a GDI+ jpeg exploiting virus in the wild. It was posted
> > on Mon, 27 Sep 2004 01:25:52 GMT via NNTP to multiple news groups by a
> > single person.
> >
> > See the following for details:
> > http://www.easynews.com/virus.txt
> >
> > You can see the virus here:
> > http://easynews.com/test/possiblevirus.jpg.gz
> >
> >
> > - IsolationX
> >
> >
>
> --
> Gerald Eisenhaur
> Cisco Systems, Inc.
> 1414 Massachusetts Ave.
> Boxborough, Massachusetts 01719
> voice: 978.936.0465
> geisenhaur@cisco.com
