[Dshield] Blocked Dshield list

Micheal Patterson micheal at tsgincorporated.com
Tue Sep 23 15:20:54 GMT 2003


----- Original Message ----- 
From: "Bruyere, Michel" <mbruyere at ezemcanada.com>
To: "'General DShield Discussion List'" <list at dshield.org>
Sent: Tuesday, September 23, 2003 8:51 AM
Subject: RE: [Dshield] Blocked Dshield list


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I'm getting some too,
> The latest one for me is
>
> The message with Subject Re: [Dshield] headers of MS patch is infected with
> MIRC/Generic. From: Micheal Patterson <micheal at tsgincorporated.com>. To:
> General DShield Discussion List <list at dshield.org>. Detected with Scan
> Engine 4.2.60 DAT version 4.2.4294
>
> Is it really an infection or just a "code sample" that is recognized as an
> infection?
>
>
> M.Bruyere

----------

What I did was take the executable, put it on a Unix system, run strings on
it to pull out the ASCII text of the binary, and post portions of it to the
list. It's triggered some AV systems. In a nutshell, I posted relevant
portions that appear to indicate that this is not only passed via email
(from a fake MS notice, as well as a Postfix daemon return error), but it also
puts hooks into mIRC, IRC, Usenet, and Kazaa for distribution and has a
built-in SMTP client.


--

Micheal Patterson
TSG Network Administration
405-917-0600
