[Dshield] Re: list Digest, Vol 12, Issue 10

Kenneth Coney superc at visuallink.com
Mon Dec 8 14:57:50 GMT 2003

An amusement, which should hopefully point out to him no one is ever really 
safe.  He got a strange attachment called error in a spam back in June and 
lo and behold, he does have an AV of some kind, something called F-protect. 
It scanned and declared the file safe, so he read it on the DOS machine. 
He thought it looked funny (his description was "<title>Error</title> 
<script language=vbs> malware=[ here follow about a hundred lines of hex 
numbers, all separated by commas.  Beneath the lines of hex numbers there 
is a blank line followed by some lines of script which I vaguely
interpret as telling a program to make calls to command.com and to
execute a number of looping instructions and to write malware.  The
word "malware", as such, actually appears several times in the script.") 
and sent it to me for possible recognition/identification.  Instant 
recognition on my end upon receipt of the attachment.  It was 
Downloader.Bo.B.dr.  So much for the safety of reliance on F-prot.

I sent him to Shields Up for a test as I wanted to hear how the scanner 
there read him.  According to him, it didn't.  Using the DOS text browser 
Lynx386 which has SSL capability he was able to learn his IP number (which 
he already knew) and his logon ID and nothing else.  When he tried to go to 
the site with the Links browser version that comes with his BasicLinux 
distro he couldn't get there because that version doesn't have SSL 
capability.  I guess Mr. Gibson didn't anticipate a scan on a DOS only 
machine.  :)
