[Dshield] Taking the courtesy of warning about links to infected or malicious web pages
Johannes B. Ullrich
jullrich at sans.org
Thu Mar 18 21:07:24 GMT 2004
> 1) Does this university's web page actually contain viral code?
Sort of. It looks like a full copy of a virus in its original BASE64
> 2) Or does the web page merely contain enough of the viral code to match the
> virus' signature, and hence cause the alert?
The virus looks complete. So I am not surprised that the AV was set off.
The same data would have been seen on your network connection if you
just received an infected mail.
> 3) Is the existence of the viral code in the browser's temporary cache file
> harmful or harmless?
Not in this form. It would take some 'work' to actually launch it.
> 4) If the code is actually viral, is it also hostile?
I would rate that post at not hostile. If you take the message as
posted, you could base64 decode it, save it, and execute it. A
bit too much work to infect yourself.
> 5) Could the viral code activate, if left unnoticed in the browser's cache
> 6) Should the university be notified about the web page causing alerts by
> anti-virus programs?
No. This post is harmless, and the code is widely known (everyone here
probably got a few samples in their AV quarantine directory).
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm
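
Added example, not part of the original message: a small check an archive operator could run to find posts that carry a base64-encoded Windows executable as inert text, which is the situation described above where a scanner alerts on a web page. The function names and the sample page are assumptions made for illustration; the sample is a constructed 256-byte header stub, not a real program.

```python
import base64
import binascii
import re

# One line of MIME-style base64 text (at most 76 characters per line).
B64_LINE = re.compile(r"[A-Za-z0-9+/]{16,76}={0,2}")

def find_base64_blocks(text, min_lines=3):
    """Return (first_line_no, joined_base64) for runs of base64-looking lines."""
    blocks, run, start = [], [], 0
    for no, line in enumerate(text.splitlines() + [""], 1):
        if B64_LINE.fullmatch(line.strip()):
            if not run:
                start = no
            run.append(line.strip())
        else:
            if len(run) >= min_lines:
                blocks.append((start, "".join(run)))
            run = []
    return blocks

def looks_like_pe(data):
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\0\0"

def scan_page(text):
    """Return (line_no, decoded_size) for each base64 block that decodes to a PE image."""
    findings = []
    for start, blob in find_base64_blocks(text):
        try:
            data = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # not valid base64 after all (prose, wrong padding)
        if looks_like_pe(data):
            findings.append((start, len(data)))
    return findings

# Constructed sample: an archived post whose body is a base64 attachment.
_stub = bytearray(256)
_stub[:2] = b"MZ"
_stub[0x3C:0x40] = (0x80).to_bytes(4, "little")
_stub[0x80:0x84] = b"PE\0\0"
SAMPLE_PAGE = ("<pre>Subject: constructed archive post\n"
               "Content-Transfer-Encoding: base64\n\n"
               + base64.encodebytes(bytes(_stub)).decode() + "</pre>\n")
```

A hit from `scan_page` means the page text decodes to an executable image, so signature scanners reading the page or a browser cache copy may flag it even though nothing on the page runs.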