Politech mailing list archives

FC: More on voracious, nasty new "Code Red"-esque worm


From: Declan McCullagh <declan () well com>
Date: Tue, 18 Sep 2001 16:21:01 -0400

We have an article by Michelle Delio here:
http://www.wired.com/news/technology/0,1282,46944,00.html

**********

From: "Magdalena Donea" <maggy () kia net>
To: <declan () well com>
Subject: RE: Voracious, nasty new "Code Red" worm may be spreading quickly
Date: Tue, 18 Sep 2001 15:57:16 -0400
In-Reply-To: <5.0.2.1.0.20010918114801.01ff1040 () mail well com>

Declan,

The best description of Nimda I've seen so far is here:
http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnworm.xml?0918alert

Yes, only Windows systems are affected, but this time this includes Windows
desktops, servers, etc., whether running IIS or not (unlike Code Red).
Viewing a page from an infected IIS server may be enough to infect a desktop
system, because of the applet the virus launches. The "swiss army knife"
analogy in the article above is really good. Of course, regardless of O/S
brand you use, the collateral damage is still high, in terms of the high
level of traffic this thing is producing.

Among all our client servers, the earliest instance of a hit came at 6:10am
EDT today from Belgium:

XXXX.uunet.be - - [18/Sep/2001:06:10:53 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\ HTTP/1.0" 404 2550 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"

... thought I'd pass it on, hope it's useful.

--Maggy
          _________________________

          KIA.NET Technical Support
          help () kia net
          _________________________


**********

To: declan () well com
Subject: Re: FC: Voracious, nasty new "Code Red" worm may be spreading quickly
From: pb () e-scribe com (Paul Bissex)
Date: Tue, 18 Sep 2001 16:19:18 -0400

A few URLs on this worm ("Nimda"):

  http://www.newsbytes.com/news/01/170225.html

  http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html

  http://slashdot.org/articles/01/09/18/151203.shtml

Newsbytes calls it "Code Rainbow," but I don't see anybody else using
that name.

Apparently the 16 holes it attempts to exploit are all well-known, and
anybody with a properly patched IIS should be fine. (However, I Am Not
A Security Expert.)

best

pb

**********

Date: Tue, 18 Sep 2001 15:54:10 -0400
From: Ken Deutsch <deutsch () idi net>
To: declan () well com
Subject: Re: FC: Voracious, nasty new "Code Red" worm may be spreading quickly

Declan McCullagh wrote:

[BTW I'm seeing similar attempts on Politech's website. Remember, folks, Code Red and its progeny only infect Windows systems. --Declan]


Declan -

While it only "infects" Windows systems, unlike Code Red this one is having an impact on other systems. Rather than a couple of accesses to a site, the speed of accesses to servers is much greater. We run web servers on Sun with Apache and have had over 50 sites being attacked since 9:06 am with tens of thousands of hits looking for files that only exist on unpatched NT servers. I concur with the message below that the accesses come at a ferocious rate.


       - Ken

**********

From: "Glen L. Roberts" <glr () glr com>
To: <declan () well com>
Subject: Re: Voracious, nasty new "Code Red" worm may be spreading quickly
Date: Tue, 18 Sep 2001 15:55:21 -0400

So far, I've seen 15,000+ hits in my Apache log files for accesses to .exe
files (no normal traffic would request a .exe file)... that is definitely
much heavier traffic than Code Red had.

**********

Date: Tue, 18 Sep 2001 20:53:12 +0100
To: declan () well com
From: John Sullivan <lists () benzo8 org>
Subject: Re: FC: Voracious, nasty new "Code Red" worm may be spreading quickly

At 04:48 PM 18/09/2001, you wrote:
[BTW I'm seeing similar attempts on Politech's website. Remember, folks, Code Red and its progeny only infect Windows systems. --Declan]

Here's a snippet from the Apache error log; this appears to constitute
the signature of this worm:

A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270

So far, all hits have come in groups of 16 and appear to be directed at
exploiting a vulnerability that's presumably found on Windows systems
running IIS.  They also *seem* to be largely localized, that is, the
IP addresses of the incoming probes are related to the IP addresses of
the systems being targeted.

Declan,

Looking at this log excerpt, what the new worm is attempting to do is contact the backdoor left by CodeRed II. This, of course, doesn't imply that the same author wrote both viruses - it was a fairly well publicised backdoor after all - but it's interesting (from an academic point of view) that this virus takes a leg-up from a previous infection.

This does, of course, mean that this virus not only affects only Windows systems, as you said, but also only affects Windows systems previously infected by CodeRed II.

**********

From: "Glen L. Roberts" <glr () glr com>
To: <declan () well com>
References: <5.0.2.1.0.20010918114801.01ff1040 () mail well com>
Subject: Re: Voracious, nasty new "Code Red" worm may be spreading quickly
Date: Tue, 18 Sep 2001 16:03:39 -0400

You don't suppose it's smart enough to follow a redirect, i.e.:
in .htaccess

redirect /scripts http://www.microsoft.com
redirect /c http://www.microsoft.com
redirect /d http://www.microsoft.com
redirect /MSACD http://www.microsoft.com
redirect /msacd http://www.microsoft.com

**********
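As an added example (mine, not code from the thread or from any of the posters above), the Python below classifies Apache access-log lines for the two probes quoted in this thread, the CodeRed II root.exe backdoor request and the `..%c1%1c..` traversal to cmd.exe, and reproduces the decoding flaw that traversal relies on: `%c1%1c` is not valid UTF-8, but a lenient two-byte decode turns it into a backslash. The sample log lines are constructed (RFC 5737 addresses stand in for the real sources), and the rule labels, the decoder emulation, and the `/c` and `/d` virtual-root pattern are my assumptions rather than anything stated on this page.

```python
"""Classify Apache access-log lines for the IIS probes quoted in this thread.

Added example, not code from the Politech thread or any of its posters.
The SAMPLE_LOG lines at the bottom are constructed; hosts are RFC 5737
documentation addresses, not the ones the posters saw.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_iis_unicode(path: str) -> str:
    """Decode %XX escapes the way the IIS decoder fixed by MS00-078 did.

    Assumption (my emulation, not IIS source): any lead byte 0xC0-0xDF
    followed by one more byte is treated as a 2-byte UTF-8 sequence, with
    no check that the second byte is a 10xxxxxx continuation byte and no
    rejection of overlong forms. So %c1%1c -> 0x5C ('\\') and
    %c0%af -> 0x2F ('/'), which lets '..' walk out of the web root.
    """
    raw = unquote_to_bytes(path)
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def has_invalid_utf8_escape(path: str) -> bool:
    """True if the %XX escapes in path do not form valid UTF-8.

    A strict decoder rejects these outright; the quoted probe only works
    against a decoder that does not."""
    try:
        unquote_to_bytes(path).decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


# Rules run against the decoded path, in order; first match wins.
# Labels are mine. root.exe and the traversal to cmd.exe are the probes
# quoted in the thread; the /c and /d virtual roots are the ones Code Red II
# mapped to C:\ and D:\ (my addition, from memory of that worm).
PROBE_RULES = (
    ("coderedii-root-exe", re.compile(r"/root\.exe", re.I)),
    ("coderedii-drive-vdir", re.compile(r"^/[cd]/winnt/system32/cmd\.exe", re.I)),
    ("iis-unicode-traversal", re.compile(r"\.\.[\\/].*cmd\.exe", re.I)),
)


def classify(line: str):
    """Return (host, label) for a probe line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_iis_unicode(m["path"])
    for label, rx in PROBE_RULES:
        if rx.search(decoded):
            return m["host"], label
    return None


def summarize(log_text: str):
    """Count probe labels per source host. A 404 on an Apache box is harmless
    to that box; the count per source is what identifies infected scanners."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            per_host[hit[0]][hit[1]] += 1
    return dict(per_host)


# Constructed sample: three probes from one source, two benign requests from another.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:06:10:53 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0" 404 2550 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
192.0.2.10 - - [18/Sep/2001:06:10:54 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
192.0.2.10 - - [18/Sep/2001:06:10:54 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 270
198.51.100.7 - - [18/Sep/2001:06:11:02 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Sep/2001:06:11:05 -0400] "GET /docs/../docs/a.html HTTP/1.0" 200 512
"""

if __name__ == "__main__":
    for host, counts in summarize(SAMPLE_LOG).items():
        print(host, dict(counts))
```

The decoded path, not the raw one, is what the rules match, so a probe that hides `..\` behind `%c1%1c` or `..` behind `%c0%ae` is caught the same way as a plain `../`; the benign `/docs/../docs/a.html` line is not flagged because the rules also require `cmd.exe` or `root.exe`, not merely a traversal.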




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------