Forums: Jpeg Trojan/virus In The Wild - Forums

Jpeg Trojan/virus In The Wild: Posted to USENET earlier today

#1 Nick W

  • Master Sergeant
  • Group: Members
  • Posts: 1,250
  • Joined: 12-August 03

Posted 27 September 2004 - 08:53 PM

Mon, Sept 27th - Reports have come in about a JPEG virus released to USENET earlier today. In actuality, this appears to be primarily a trojan and not a worm; however, it is unclear what kinds of spreading capabilities (if any) might be added at a future date. The infected computers so far are being controlled by one individual.

A worm may be 24 hours or less away.

Slashdot Coverage: http://it.slashdot.o...tid=172&tid=218

Be sure to update the GDI dll on all computers. For help consult the following link:
http://isc.sans.org/gdiscan.php

The above link is to a tool which will check for any programs that might be using an exploitable version of the GDI driver. The suggestion is to update as needed.

For more information about this exploit here on the GSO forums:
Trial Member Forums:
http://www.governmen...showtopic=11524
http://www.governmen...showtopic=11511
http://www.governmen...showtopic=11212

Exploit R&D Forums:
http://www.governmen...showtopic=11473
http://www.governmen...showtopic=11406

File Downloads Forums:
http://www.governmen...showtopic=11495

The last one (above) includes M4Z3R's code, cross-posted WITHOUT PERMISSION FROM M4Z3R shortly after to K-OTik.
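The ISC gdiscan tool linked above checks the DLL side of the problem. The other half of a practical check at the time was screening downloaded JPEGs before anything GDI+-based opened them. What follows is an added example, not part of the original post and not the ISC tool: a small Python marker walker that flags the MS04-028 trigger, a marker segment whose 16-bit length field is 0 or 1. Every length-bearing JPEG segment counts its own two length bytes, so a value below 2 is never legitimate; the unpatched GDI+ subtracted 2 from it as an unsigned quantity, the result wrapped to a huge count, and that is the heap overflow discussed later in this thread. The two sample files, the `scan_jpeg`/`is_suspicious` names and the baseline choices are this example's own, not from the thread.

```python
import struct
from typing import List

# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
SOS = 0xDA  # start of scan: entropy-coded data follows, stop walking there


def scan_jpeg(data: bytes) -> List[str]:
    """Walk the marker segments at the front of a JPEG and return findings.

    An empty list means every length field was sane.  A length field below 2
    is reported as the MS04-028 pattern: the patched parser rejects it, the
    unpatched one computed (length - 2) on an unsigned value and wrapped.
    """
    findings: List[str] = []
    if len(data) < 2 or data[:2] != b"\xff\xd8":
        return ["not a JPEG: missing SOI marker"]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos}, found 0x{data[pos]:02X}")
            break
        start = pos
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            findings.append(f"truncated: dangling 0xFF at offset {start}")
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            if marker == 0xD9:  # EOI
                break
            continue
        if pos + 2 > len(data):
            findings.append(f"truncated: marker 0x{marker:02X} at offset {start} has no length field")
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            findings.append(
                f"marker 0x{marker:02X} at offset {start}: length field {length} < 2 (MS04-028 pattern)"
            )
            break
        if pos + length > len(data):
            findings.append(f"marker 0x{marker:02X} at offset {start}: length {length} runs past end of file")
            break
        pos += length
        if marker == SOS:
            break
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the header carries the length-underflow trigger."""
    return any("MS04-028" in f for f in scan_jpeg(data))


def scan_file(path: str) -> List[str]:
    """Convenience wrapper for a file on disk (e.g. a newsgroup download)."""
    with open(path, "rb") as fh:
        return scan_jpeg(fh.read())


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a well-formed segment: the length counts its own two bytes."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples for this example; they are not files from the thread.
APP0_JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
BENIGN_JPEG = b"\xff\xd8" + APP0_JFIF + _segment(0xFE, b"hello") + b"\xff\xd9"
# A COM (0xFE) marker whose length field is 1: the trigger shape.
MALICIOUS_JPEG = b"\xff\xd8" + APP0_JFIF + b"\xff\xfe\x00\x01" + b"A" * 32 + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_JPEG), ("malicious", MALICIOUS_JPEG)):
        print(name, scan_jpeg(blob) or "clean")
```

The walker stops at SOS because the entropy-coded scan data has no length fields to check; a file that passes here can still be hostile in other ways, so treat a clean result as "does not carry this particular trigger", not as a verdict on the file.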

#2 KuerbY

  • Staff Sergeant
  • Group: Members
  • Posts: 254
  • Joined: 17-July 03

Posted 28 September 2004 - 01:46 AM

"Virus"? This is big crap.
It downloads vnc, radmin, servu, servu ircu plugin, fport, nc and many more.
What a crappy shit.

I'll hope they get him *filtered filtered*

That makes me so sad...

#3 jpno5

  • Private First Class
  • Group: Members
  • Posts: 62
  • Joined: 29-January 04

Posted 28 September 2004 - 03:58 AM

Guys, it's not a fuckin virus of any kind, it's just a bind shell, and no, it didn't have (filtered) ALL to do with me. One of my ex team members was testing it out; looks like it was on a honeypot lol. Anyway, can you stop joining the IRC server, I'm sick of banning your asses.

#4 andydis

  • Master Sergeant
  • Group: Specialist
  • Posts: 622
  • Joined: 21-August 03

Posted 28 September 2004 - 08:24 AM

Wonder if m4z3r's a bit cheesed off about this?
He'll have the FBI round his soon :-)
LOL

Quote

Anyway, can you stop joining the IRC server, I'm sick of banning your asses.

Did I miss something?

#5 KuerbY

  • Staff Sergeant
  • Group: Members
  • Posts: 254
  • Joined: 17-July 03

Posted 28 September 2004 - 08:52 AM

jpno5 has gone crazy.
We can't help him :(

#6 wanksta

  • Private First Class
  • Group: Members
  • Posts: 37
  • Joined: 16-September 04

Posted 28 September 2004 - 11:22 AM

Don't trust Microsoft's detection tool (published by SANS). It is faulty. I've read that it doesn't really work. In the end, the bug still exists :(

Be warned: don't trust only MS's detection tool! Do all steps to patch your machines.

wanksta

#7 M4Z3R

  • Private First Class
  • Group: Members
  • Posts: 96
  • Joined: 12-June 04

Posted 29 September 2004 - 06:00 AM

I'm a bit disappointed that people just post other people's sploits on very "public" web sites without their permission. Anyway, I guess the next version will be private :ph34r:

#8 Nick W

  • Master Sergeant
  • Group: Members
  • Posts: 1,250
  • Joined: 12-August 03

Posted 29 September 2004 - 09:56 AM

Might be a good idea to keep it private, yeah. And it's funny that it was someone you know who posted it, jpno5. It was posted on /. earlier, so they'll keep coming in for a while.

#9 isaiah

  • Corporal
  • Group: Members
  • Posts: 199
  • Joined: 12-August 03

Posted 29 September 2004 - 07:23 PM

You know the GSO logo is a JPEG virus hehe, you're all infected into the G-Secure and Cos BotNet / Warez Server.

hehe jk

Who cares, if you're smart, patch up your machine.

#10 h3llraz0r

  • Private First Class
  • Group: Members
  • Posts: 144
  • Joined: 31-August 03

Posted 30 September 2004 - 01:14 PM

Found this today from the SANS Internet Storm Center:

New virus behavior

Our fellow handler Patrick Nolan sent this news about the Surila.k virus. According to the VirusList.com website: "In order to gain full access to the Internet, Surila registers itself in the Windows FirewallPolicy, thereby becoming a legal program with full Internet rights."
This will bypass any firewall settings that may otherwise block the virus from contacting the IRC server it connects to for remote control. The virus installs an HTTP and SMTP proxy server. Traffic to these proxies will be permitted by the modified firewall rules.

#11 Nick W

  • Master Sergeant
  • Group: Members
  • Posts: 1,250
  • Joined: 12-August 03

Posted 30 September 2004 - 03:49 PM

Well, what's sad is that SP2 isn't vulnerable, unless they found a universal offset (it's a heap overflow, so is that even possible?), so adding registry keys to get past a firewall is a bit excessive. Unless they found the offset.