
SANS ISC: InfoSec Handlers Diary Blog



CME-24 aka blackworm update

Published: 2006-02-04
Last Updated: 2006-02-04 18:54:18 UTC
by donald smith (Version: 1)
The number of infected emails has dropped off somewhat,
but we are still getting reports of CME-24 infected emails
being blocked inbound from several sources, so the infection continues.

We are also getting a few reports of data loss due to the malicious payload.

Many people have commented on the high counts of reported CME-24 in Peru and India.
One possible explanation comes from the way the worm updates the counter.
The worm hits its counter every time it starts up, such as when a computer is rebooted.

So countries would have a higher hit count if they had:
- Older computers that require frequent rebooting
- Dynamic IPs with a high rate of change
- Systems that charge by the hour for connections (internet cafés)