Security Incidents mailing list archives

Concept Virus(CV) V.5 - Advisory and Quick analysis


From: Olle Segerdahl <olle () defcom com>
Date: Tue, 18 Sep 2001 16:47:00 +0200


Hi all!


We've all just been hit by a VERY aggressive worm/virus.

Quick analysis indicates that it propagates itself in
a number of different ways:

Through use of IIS UNICODE directory traversal coupled
with the recent IIS .dll privilege escalation attack.
It uses SMB/CIFS and TFTP to get the worm payload.

Through MAPI mails (probably to all of addressbook).

Other ways of spreading may be possible, but we haven't 
yet had the time to properly analyse the worm/virus.

It seems to share "c:\" via SMB/CIFS as "c$" and
the worm/virus also adds the "Guest" user and "Guests"
group to the local "Administrators" group....


Interesting strings in binary:

Concept Virus(CV) V.5, Copyright(C)2001  R.P.China

SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
net


More info as we come upon it.....

/olle
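A host-level check for the indicators described in the post above, added here as an example and not part of the original message: it reports whether the Guest account is enabled or sits in the local Administrators group, and whether a persistent c$ share definition or its ACL has been written under the lanmanserver Shares key the worm's strings reference. It assumes an elevated Windows PowerShell 5.1 or later session (Get-LocalUser and Get-LocalGroupMember are not available on the NT/2000 hosts of the time, where `net user guest` and `net localgroup Administrators` give the same answers).

```powershell
# Added check (not from the original post). Returns a list of findings; empty means
# none of the post's host-level indicators were observed. Run elevated.
function Test-CvIndicators {
    $findings = @()

    # 1. Guest account state (worm ran: net user guest /add, net user guest /active)
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) {
        $findings += 'Guest account is enabled'
    }

    # 2. Guest (or the Guests group) in local Administrators
    #    (worm ran: net localgroup Administrators guest /add)
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($m in $admins) {
        if ($m.Name -match '\\Guests?$') {
            $findings += "Administrators contains $($m.Name)"
        }
    }

    # 3. c$ re-shared as c:\ (worm ran: net share c$=c:\). The built-in admin share is
    #    created on the fly and is NOT stored in the registry; a share created with
    #    "net share" is persisted under ...\lanmanserver\Shares, and its security
    #    descriptor under ...\Shares\Security, each as a value named after the share.
    $shareKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares'
    $secKey   = "$shareKey\Security"
    foreach ($key in @($shareKey, $secKey)) {
        if (Test-Path $key) {
            $names = (Get-ItemProperty -Path $key).PSObject.Properties.Name
            if ($names -contains 'c$') {
                $findings += "Persistent c`$ entry found under $key"
            }
        }
    }

    return $findings
}

$result = Test-CvIndicators
if ($result.Count -eq 0) { 'No CV/Nimda-style host indicators found' } else { $result }
```

A hit on the share keys only says the share was created persistently; inspect the value's path and ACL before deciding whether it is the worm's or an administrator's own.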

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com