Re: GDI Virus in the wild.

To: Gerry Eisenhaur <geisenhaur@xxxxxxxxx>
Subject: Re: GDI Virus in the wild.
From: GuidoZ <uberguidoz@xxxxxxxxx>
Date: Tue, 28 Sep 2004 12:18:04 -0700
Cc: ben@xxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <41586DC6.2010200@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <1096266888.7939.7.camel@xxxxxxxxxxxxxxxxxxxxx> <41586DC6.2010200@xxxxxxxxx>
Reply-to: GuidoZ <uberguidoz@xxxxxxxxx>

The FTP site that was hosting the files was taken down. If anyone
would like to take a peek at the files used (for educational purposes
only of course), let me know off list. I grabbed a copy.

I'd also have to agree with Gerry. This doesn't replicate or spread
once executed - it just exploits the local machine, installing a
trojan/irc-bot, then connecting back. Still the first of it's kind
that I'd seen.

--
Peace. ~G

On Mon, 27 Sep 2004 15:45:10 -0400, Gerry Eisenhaur
<geisenhaur@xxxxxxxxx> wrote:
> It's not a virus, just a connect back (82.1.163.241:55000) cmd shell
> exploit.
> 
> /gerry
> 
> Ben wrote:
> > Allo,
> >
> > There is now a GDI+ jpeg exploiting virus in the wild.  It was posted
> > on  Mon, 27 Sep 2004 01:25:52 GMT via NNTP to multiple news groups by a
> > single person.
> >
> > See the following for details:
> > http://www.easynews.com/virus.txt
> >
> > You can see the virus here:
> > http://easynews.com/test/possiblevirus.jpg.gz
> >
> >
> > - IsolationX
> >
> >
> 
> --
> Gerald Eisenhaur
> Cisco Systems, Inc.
> 1414 Massachusetts Ave.
> Boxborough, Massachusetts 01719
> voice:  978.936.0465
> geisenhaur@xxxxxxxxx

References:
- GDI Virus in the wild.
  - From: Ben
- Re: GDI Virus in the wild.
  - From: Gerry Eisenhaur

Prev by Date: Re: Diebold Global Election Management System (GEMS) Backdoor Account Allows Authenticated Users to Modify Votes
Next by Date: Re: Microsoft's GDI Detetection Tool faults
Previous by thread: Re: GDI Virus in the wild.
Next by thread: Broadcast crash in Chatman 1.5.1 RC1
Index(es):
- Date
- Thread