Security Incidents mailing list archives

Side Effect of the new worm: HD fills up


From: "Stanley G. Bubrouski" <stan () ccs neu edu>
Date: Wed, 19 Sep 2001 15:29:34 -0400 (EDT)

While examining the results of this worm I noticed the following on
SEVERAL infected systems:

Files on the C drive:

<SNIP>
09/18/2001  01:45p              57,344 TFTP1012
09/18/2001  01:46p              57,344 TFTP19064
09/18/2001  01:46p              57,344 TFTP19248
09/18/2001  01:48p              57,344 TFTP19068
09/18/2001  01:49p              57,344 TFTP19288
09/18/2001  01:51p              57,344 TFTP19608
09/18/2001  01:52p              57,344 TFTP19564
09/18/2001  01:56p              57,344 TFTP19476
09/18/2001  01:55p              57,344 TFTP19900
09/18/2001  01:55p              57,344 TFTP19440
09/18/2001  01:56p              57,344 TFTP19868
09/18/2001  02:00p              57,344 TFTP19956
09/18/2001  02:02p              57,344 TFTP20028
09/18/2001  02:00p              57,344 TFTP20064
09/18/2001  02:01p              57,344 TFTP20096
09/18/2001  02:01p              57,344 TFTP20136
09/18/2001  02:04p              57,344 TFTP20204
09/18/2001  02:02p              57,344 TFTP20076
09/18/2001  02:01p              57,344 TFTP20304
09/18/2001  02:02p              57,344 TFTP20292
09/18/2001  02:02p              57,344 TFTP20328
09/18/2001  02:06p              57,344 TFTP20280
09/18/2001  02:03p              57,344 TFTP20248
09/18/2001  02:07p              52,736 TFTP20316
<SNIP>

I'm seeing some machines with literally thousands and thousands of these
files filling up their HDs.  Besides in the root directory, I'm seeing
people with them in the scripts directory as well.  Another thing
interesting to note, but not surprising, is that a lot of the hosts I'm
seeing infected with this new worm are machines that still have the Code
Red II trojans sitting on them.  This could really cause some headaches.

Regards,

Stan

--
Stan Bubrouski                                       stan () ccs neu edu
23 Westmoreland Road, Hingham, MA 02043        Cell:   (617) 835-3284




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
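
An added triage example, not part of the original post: it parses a saved `dir` listing in the format quoted above and summarizes the leftover TFTP files (count, disk space used, time window). The function name `summarize`, the TFTP-plus-digits name pattern inferred from the listing, and the sample lines are assumptions made for this illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the listing quoted in the post.
SAMPLE = """\
09/18/2001  01:45p              57,344 TFTP1012
09/18/2001  01:46p              57,344 TFTP19064
09/18/2001  02:07p              52,736 TFTP20316
09/18/2001  02:10p               1,024 README.TXT
"""

# Fields: date, 12-hour time with a/p suffix, size with separators, name.
LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})([ap])\s+([\d,]+)\s+(\S+)$")
# Assumption: leftover files are named TFTP followed only by digits.
LEFTOVER = re.compile(r"^TFTP\d+$", re.IGNORECASE)


def summarize(listing):
    """Return count, bytes and time window of TFTP<digits> files, or None."""
    hits = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m or not LEFTOVER.match(m.group(5)):
            continue  # headers, <SNIP> markers, unrelated files
        stamp = f"{m.group(1)} {m.group(2)}{m.group(3)}m"
        when = datetime.strptime(stamp, "%m/%d/%Y %I:%M%p")
        hits.append((when, int(m.group(4).replace(",", "")), m.group(5)))
    if not hits:
        return None
    times = [h[0] for h in hits]  # listing order is not time order
    sizes = Counter(h[1] for h in hits)
    return {
        "count": len(hits),
        "bytes": sum(h[1] for h in hits),
        "first": min(times),
        "last": max(times),
        "common_size": sizes.most_common(1)[0][0],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```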

