Security Incidents mailing list archives
Concept Virus(CV) V.5 - Advisory and Quick analysis
From: Olle Segerdahl <olle () defcom com>
Date: Tue, 18 Sep 2001 16:47:00 +0200
Hi all!

We've all just been hit by a VERY aggressive worm/virus.

Quick analysis indicates that it propagates itself in a number of different ways:

Through use of IIS UNICODE directory traversal coupled with the recent IIS .dll privilege escalation attack. It uses SMB/CIFS and TFTP to get the worm payload.

Through MAPI mails (probably to all of addressbook).

Other ways of spreading may be possible, but we haven't yet had the time to properly analyse the worm/virus.

It seems to share "c:\" via SMB/CIFS as "c$" and the worm/virus also adds the "Guest" user and "Guests" group to the local "Administrators" group....

Interesting strings in binary:

    Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
    SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
    share c$=c:\
    user guest ""
    localgroup Administrators guest /add
    localgroup Guests guest /add
    user guest /active
    open
    user guest /add
    net

More info as we come upon it.....

/olle

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
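A host-triage sketch for the account changes described in the message above, added here as an example and not part of the original post or any vendor tool: it parses saved output of "net localgroup Administrators" and "net user guest" and reports Guest/Guests membership in Administrators and an active Guest account. The English-locale output layout, the function names and the sample text are assumptions, and the samples are constructed.

```python
import re

# Constructed sample output (English-locale layout of the `net` tool); not from a real host.
SAMPLE_LOCALGROUP = """\
Alias name     Administrators

Members

-------------------------------------------------------------------------------
Administrator
Guest
The command completed successfully.
"""

SAMPLE_USER = """\
User name                    Guest
Account active               Yes
The command completed successfully.
"""

def group_members(localgroup_output):
    """Return member names listed after the dashed rule in `net localgroup <group>` output."""
    members, in_list = [], False
    for line in localgroup_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True
        elif in_list and line and not line.lower().startswith("the command completed"):
            members.append(line)
    return members

def user_field(user_output, field):
    """Return the value of a `net user <name>` field such as 'Account active'."""
    m = re.search(rf"^{re.escape(field)}\s{{2,}}(\S.*)$", user_output,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None

def findings(localgroup_output, user_output):
    """List the advisory's account changes that are visible in the two outputs."""
    found = []
    # Strip any DOMAIN\ or HOST\ prefix before comparing names.
    names = {m.split("\\")[-1].lower() for m in group_members(localgroup_output)}
    for bad in ("guest", "guests"):
        if bad in names:
            found.append(f"'{bad}' is a member of Administrators")
    if (user_field(user_output, "Account active") or "").lower() == "yes":
        found.append("Guest account is active")
    return found

if __name__ == "__main__":
    print(findings(SAMPLE_LOCALGROUP, SAMPLE_USER))
```

On localized Windows builds the group and account names differ, so the name comparison would need the local equivalents.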