Security Incidents mailing list archives

RE: Concept Virus(CV) V.5 - Advisory and Quick analysis


From: Mark Challender <MarkC () mtbaker wednet edu>
Date: Tue, 18 Sep 2001 10:50:33 -0700

 

I've located some servers that were getting in.  I'm trying to
compile a list.

-----Original Message-----
From: Shaw, Larry [mailto:larry.shaw () digex com]
Sent: Tuesday, September 18, 2001 10:45 AM
To: 'Mark Challender'; 'Dave Sill'; Olle Segerdahl
Cc: incidents () securityfocus com
Subject: RE: Concept Virus(CV) V.5 - Advisory and Quick analysis


Do we know where it is trying to tftp from? We are currently trying to find this out also.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Larry Shaw
Network Security Engineer
Work:   240.264.2944
Cell:   301.213.6756
Pager:  877.439.3561
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


-----Original Message-----
From: Mark Challender [mailto:MarkC () mtbaker wednet edu]
Sent: Tuesday, September 18, 2001 12:57 PM
To: 'Dave Sill'; Olle Segerdahl
Cc: incidents () securityfocus com
Subject: RE: Concept Virus(CV) V.5 - Advisory and Quick analysis



I found some unusual activity this morning.  Can't find the TFTP, but
did have a readme.eml with a line of script in every index.htm on the
web server that called this file.  The file appears to call a
readme.exe.  My firewall was freaked and all internet access was down
because of the load.


I'm still investigating.  One copy of the infected Index and the
readme.eml have been saved.

-----Original Message-----
From: Dave Sill [mailto:davids () socket net]
Sent: Tuesday, September 18, 2001 7:45 AM
To: Olle Segerdahl
Cc: incidents () securityfocus com
Subject: Re: Concept Virus(CV) V.5 - Advisory and Quick analysis


You say that the worm gets a payload by tftp...  Is it using port 69?

Thanks,

Dave Sill
Server Admin
Socket Internet Services
davids () socket net

Is the worm 

On Tuesday 18 September 2001 10:47, you wrote:
Hi all!


We've all just been hit by a VERY aggressive worm/virus.

Quick analysis indicates that it propagates itself in
a number of different ways:

Through use of IIS UNICODE directory traversal coupled
with the recent IIS .dll privilege escalation attack.
It uses SMB/CIFS and TFTP to get the worm payload.

Through MAPI mails (probably to all of addressbook).

Other ways of spreading may be possible, but we haven't
yet had the time to properly analyse the worm/virus.

It seems to share "c:\" via SMB/CIFS as "c$" and
the worm/virus also adds the "Guest" user and "Guests"
group to the local "Administrators" group....


Interesting strings in binary:

Concept Virus(CV) V.5, Copyright(C)2001  R.P.China

SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
net


More info as we come upon it.....

/olle

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com





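As an added defender-side example (not part of this thread or of any tool its authors mention): a small Python scanner that walks a web root and reports every .htm/.html/.asp page referencing readme.eml, the injected line Mark describes above. The sample web root and the script line it contains are constructed here for illustration; the exact form of the real injected tag is not given in the thread.

```python
import re
import tempfile
from pathlib import Path

# Any reference to readme.eml inside a served page is the indicator the
# thread reports; match case-insensitively since IIS file names are not
# case-sensitive.
INJECTED_RE = re.compile(r"readme\.eml", re.IGNORECASE)

# Page types worth checking on an IIS host of that era.
PAGE_SUFFIXES = {".htm", ".html", ".asp"}


def scan_webroot(webroot):
    """Return sorted (relative_path, line_no, line) tuples for every page
    under webroot that references readme.eml."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PAGE_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip, do not abort the sweep
        for line_no, line in enumerate(text.splitlines(), 1):
            if INJECTED_RE.search(line):
                hits.append((str(path.relative_to(root)), line_no, line.strip()))
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample: one clean page and one carrying an injected
    script line (the tag form here is an assumption, not the real one)."""
    root = Path(tempfile.mkdtemp())
    (root / "index.htm").write_text("<html><body>Hello</body></html>\n")
    docs = root / "docs"
    docs.mkdir()
    (docs / "index.htm").write_text(
        "<html><body>Docs</body></html>\n"
        '<script>window.open("readme.eml")</script>\n'
    )
    return str(root)


if __name__ == "__main__":
    for rel, line_no, line in scan_webroot(build_sample_webroot()):
        print(f"{rel}:{line_no}: {line}")
```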

