nanog mailing list archives

Re: Worm probes


From: Valdis.Kletnieks () vt edu
Date: Tue, 18 Sep 2001 11:29:53 -0400

On Tue, 18 Sep 2001 10:22:06 CDT, Bryan Heitman <bryanh () communitech net>  said:

> We're also seeing a large increase in this activity.  This seems to be more
> severe than the first time.  Have an additional 30 to 40 meg inbound from
> this.

This seems to be the culprit:

Concept Virus(CV) V.5, Copyright(C)2001  R.P.China

I've nailed a copy, and am working on getting it to the right security
people.  A *PRELIMINARY* look (eyeballing the output of 'strings') indicates
that this one *both* sends itself via email a la SirCam, *AND* scans for
vulnerable web servers, and if it finds a vulnerable server, it causes anybody
visiting that webpage to be offered a contaminated .exe as well.

I do *NOT* have a handle on what malicious effects it has other than just
propagating.

This one's nasty, folks...

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
