care to share?
Dude I'll e-mail you a very temporary link to the executable,
off the list. Just share it further using your own bandwidth
instead of mine please. I've done likewise with a few other
people who requested a sample, but don't have time to respond
to each request individually.
If you want to post it on your own box and share it with the
full "full disclosure" list, that's up to you.
I see Symantec came up with an advisory 10-11 hours after they
got a sample, yet still got a couple things wrong. My 411 wasn't
completely comprehensive either, but I'm not getting paid to
analyze malware for the masses and don't have a dedicated lab,
l33t expensive tools, and a paycheck dedicated to such things.
On all the infections I've seen (I work for a large international
organization, so malware presence is a given...due to technical
constraints I'll not delve into at the moment) there were no
e-mail impacts. Also I didn't see the Was*.tmp DLL they mention
on most boxes. Also they don't mention that "multiple" reg keys
may be added to the Run folder. Lastly they don't point out that
"worm" propagation based on the PnP vulnerability only occurs on
the Win2K boxes. Win2K3 and WinXP require some user/machine action
to exploit the vulnerability, and the malware can't infect those
boxes independently. I don't think I mentioned that either, but
figure most on this list know such things. AV vendors shouldn't
make such assumptions though.
The behavior varied from workstation to server. On one server
the malware was constantly creating 1.7GB executable files and
eating up 100% of the CPU. That box was a very unique animal
though and I doubt most would see that on your average server.
Peace,
Vic
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
