Security Incidents mailing list archives
Re: New worm ??
From: Pedro Miller Rabinovitch <pedro () cipher com br>
Date: Tue, 18 Sep 2001 12:32:59 -0300
At 09:51 -0500 18.09.01, Cory McIntire wrote:
> I and a few others I know are getting bombarded on our machines with IIS requests... looks like another worm, and it's much smarter than before, it seems to stay within the same class A and sometimes the same class B as the attacking machine is in. Here is an excerpt of what I believe is the full scan....

Same here, and I'd guess, pretty much everywhere. I can feel the connections overloading as we speak.

> p.s. Infected machines attempt to get you to download a readme.eml file that has an .exe embedded. Not sure what is in that file, or if IE will open it automatically (I'm on Linux), let me know, this one is spreading and resending _a lot_, getting hits from the same machines now... 2-4 times

I can't confirm the automatic execution, but the eml file was definitely crafted for Outlook. However, I've glazed over the encoded .exe, and it is certainly a copy of the worm (it contains both the JavaScript and the probe strings, + connect()s and registry functions).

Pedro.
--
Pedro Miller Rabinovitch
General Technology Manager
Cipher Technology
21-2579-3999
www.cipher.com.br
_____
"IT Security - a Cipher Technology specialty"

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com