[Dshield] Taking the courtesy of warning about links to infected or malicious web pages

Johannes B. Ullrich jullrich at sans.org
Thu Mar 18 21:07:24 GMT 2004

> 1) Does this university's web page actually contain viral code?

Sort of. It looks like a full copy of a virus in its original BASE64-encoded
form.

> 2) Or does the web page merely contain enough of the viral code to match the
> virus' signature, and hence cause the alert?

The virus looks complete. So I am not surprised that the AV was set off.
The same data would have been seen on your network connection if you 
just received an infected mail.

> 3) Is the existence of the viral code in the browser's temporary cache file
> harmful or harmless?

Not in this form. It would take some 'work' to actually launch it.

> 4) If the code is actually viral, is it also hostile?

I would rate that post as not hostile. If you take the message as
posted, you could base64 decode it, save it, and execute it. A
bit too much work to infect yourself.

> 5) Could the viral code activate, if left unnoticed in the browser's cache
> file?


> 6) Should the university be notified about the web page causing alerts by
> anti-virus programs?

No. This post is harmless, and the code is widely known (everyone here
probably got a few samples in their AV quarantine directory).

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
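
The reply above explains the alert by the archived page carrying a complete attachment in its BASE64 form. As an added example that is not part of the original post, this sketch shows how a content scanner can see the same thing: it finds wrapped base64 runs in page text, decodes them, and checks for an executable header. The function names are hypothetical, the sample input is constructed, and it assumes the attachment is a Windows PE file, which the post does not state.

```python
import base64
import binascii
import re
import struct

# One wrapped base64 body: a long first line, continuation lines, optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}(?:\r?\n[A-Za-z0-9+/]+)*={0,2}")


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_encoded_executables(page_text: str):
    """Return (offset, decoded_size) for each base64 run that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(page_text):
        blob = "".join(m.group(0).split())
        blob = blob[: len(blob) - len(blob) % 4]  # drop a ragged tail before decoding
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_pe(data):
            hits.append((m.start(), len(data)))
    return hits


def sample_page() -> str:
    """Constructed input: a 128-byte header-only stub (not a program) in an archive page."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\x00\x00"
    body = base64.encodebytes(bytes(stub)).decode("ascii")  # 76-column wrapped lines
    return "<pre>\nContent-Transfer-Encoding: base64\n\n" + body + "</pre>\n"


if __name__ == "__main__":
    for offset, size in find_encoded_executables(sample_page()):
        print(f"base64 run at offset {offset} decodes to a {size}-byte PE image")
```

A hit here means only that the page text contains an encoded executable image, which is what a signature scanner matches on in a cache file; nothing in a browser decodes or runs it.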