On Fri, 12 Nov 2004, Dennis Davis wrote:

| Sophos appear to have just issued an IDE file for this:
|
| http://www.sophos.com/virusinfo/analyses/w32bofrag.html

But I'm skeptical that's going to recognise the emails generated by the thing. Ours doesn't seem to anyway :-( I suspect this IDE will only have an effect on a compromised Windows box.

We've seen the emails citing URLs on port 1639, 1640 and more recently, port 0 (!) Hence:

    uri BOF16XX /:16\d\d\//
    uri BOF0 /:0\//
    score BOF16XX 666
    score BOF0 666

Any Windows gurus know what happens when an application tries opening port 0? Does anything actually happen?

I suspect other ports are in use too, but haven't noticed. The next version will no doubt randomize the port. Dodgy emails will simply say: "check this >URL<" at which point email content scanners have next to nothing to go on.
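An added example, not part of the original message: the two posted patterns run over a constructed mail body, next to a more general check that flags any explicit port outside a small allowlist. The function names, the sample URIs, the 80/443 allowlist and the choice to match against the raw URI string are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# The two "uri" patterns from the message, applied here to the raw URI string.
RULES = {"BOF16XX": re.compile(r":16\d\d/"), "BOF0": re.compile(r":0/")}

# Assumption for this example: only these explicit ports count as ordinary.
USUAL_PORTS = {80, 443}

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample body; 192.0.2.10 is a documentation-only address.
SAMPLE = """\
check this http://192.0.2.10:1639/index.htm
or http://192.0.2.10:1640/ or http://192.0.2.10:0/x
no trailing slash: http://192.0.2.10:1639
another port: http://192.0.2.10:2001/a
ordinary: http://www.example.org/page https://www.example.org:443/
"""

def extract_uris(body):
    """Pull http(s) URIs out of a text body, dropping trailing punctuation."""
    return [u.rstrip(".,)") for u in URI_RE.findall(body)]

def pattern_hits(body):
    """Map each URI to the names of the message's patterns that match it."""
    return {u: sorted(n for n, rx in RULES.items() if rx.search(u))
            for u in extract_uris(body)}

def unusual_port_uris(body):
    """Return (uri, port) for URIs with an explicit port outside USUAL_PORTS."""
    found = []
    for uri in extract_uris(body):
        try:
            port = urlsplit(uri).port   # None when no port is given
        except ValueError:              # non-numeric or out-of-range port
            port = -1
        if port is not None and port not in USUAL_PORTS:
            found.append((uri, port))
    return found

if __name__ == "__main__":
    for uri, names in pattern_hits(SAMPLE).items():
        print(f"{uri:40} {', '.join(names) or '-'}")
    print(unusual_port_uris(SAMPLE))
```

On the raw strings, the posted patterns miss the URI without a trailing slash and the one on port 2001, while the allowlist check reports both and leaves the two ordinary URIs alone.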
