Security Incidents mailing list archives

Re: Concept Virus(CV) V.5 - Advisory and Quick analysis

From: Dave Sill <davids () socket net>
Date: Tue, 18 Sep 2001 14:13:00 -0400

We've blocked 69/udp at our internal and border routers both incoming and 
outgoing.  Be careful with your private networks.  Our tech support 
department contracted this bug by opening a web page of an infected customer 
in response to a complaint about performance.

Dave Sill
Server Admin
Socket Internet Services
davids () socket net

On Tuesday 18 September 2001 15:10, you wrote:

YES

--- Dave Sill <davids () socket net> wrote:

You say that the worm gets a payload by tftp...  Is
it using port 69?

Thanks,

Dave Sill
Server Admin
Socket Internet Services
davids () socket net

Is the worm

On Tuesday 18 September 2001 10:47, you wrote:

Hi all!


We've all just been hit by a VERY aggressive


worm/virus.

Quick analysis indicates that it propagates itself

in

a number of different ways:

Through use of IIS UNICODE direcory traversal


coupled

with the recent IIS .dll privilege escalation


attack.

It uses SMB/CIFS and TFTP to get the worm payload.

Through MAPI mails (probably to all of


addressbook).

Other ways of spreading may be possible, but we


haven't

yet had the time to properly analyse the


worm/virus.

It seems to share "c:\" via SMB/CIFS as "c$" and
the worm/virus also adds the "Guest" user and


"Guests"

group to the local "Administrators" group....


Interesting strings in binary:

Concept Virus(CV) V.5, Copyright(C)2001  R.P.China


SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security

share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
net


More info as we come upon it.....

/olle


---------------------------------------------------------------------------

- This list is provided by the SecurityFocus ARIS


analyzer service.

For more information on this free incident


handling, management

and tracking system please see:


http://aris.securityfocus.com


---------------------------------------------------------------------------
-

This list is provided by the SecurityFocus ARIS
analyzer service.
For more information on this free incident handling,
management
and tracking system please see:
http://aris.securityfocus.com


__________________________________________________
Terrorist Attacks on U.S. - How can you help?
Donate cash, emergency relief information
http://dailynews.yahoo.com/fc/US/Emergency_Information/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: Concept Virus(CV) V.5 - Advisory and Quick analysis, (continued)
- Re: Concept Virus(CV) V.5 - Advisory and Quick analysis Dave Sill (Sep 18)
- Concept Virus(CV) V.5 - Quick analysis update Olle Segerdahl (Sep 18)
  - A suggestion to Concept/Nimda analysts Stuart Staniford (Sep 18)
  - Re: Concept Virus(CV) V.5 - Quick analysis update Brian Pomeroy (Sep 18)
    - Re: Concept Virus(CV) V.5 - Quick analysis update Homer Wilson Smith (Sep 18)
    - Re: Concept Virus(CV) V.5 - Quick analysis update Michael H. Warfield (Sep 18)
- Re: Concept Virus(CV) V.5 - Advisory and Quick analysis Jose Nazario (Sep 18)
  - Re: Concept Virus(CV) V.5 - Advisory and Quick analysis Michael H. Warfield (Sep 18)
- RE: Concept Virus(CV) V.5 - Advisory and Quick analysis Mark Challender (Sep 18)
- RE: Concept Virus(CV) V.5 - Advisory and Quick analysis Mark Challender (Sep 18)
- Re: Concept Virus(CV) V.5 - Advisory and Quick analysis Dave Sill (Sep 18)
- RE: Concept Virus(CV) V.5 - Advisory and Quick analysis Robert Nieuwhof (Sep 18)
- RE: Concept Virus(CV) V.5 - Advisory and Quick analysis Davis, Matt (Sep 19)