Educause Security Discussion mailing list archives
Re: info on the new worm ?
From: "Crawford, Charles D" <ccrawf () KU EDU>
Date: Tue, 17 Dec 2002 09:47:27 -0600
Here is what we have found out:

It's a new worm that attacks Win2k and WinXP machines via TCP port 445. (Apparently) it establishes a null session via an unauthenticated system share -- IPC$, maybe others -- that allows it to get a list of users and groups. Then it makes a brute force password attack on those accounts, trying each of some 16 passwords in its little dictionary. When it succeeds in logging in it copies its code to the System32 folder as file iraq_oil.exe, sets it to run via Task Scheduler, launches about 100 threads generating random IPs and goes looking for other victims. Reports are that this can make a network very very busy.

Lioten's Password Dictionary:

  server
  !@#$%^&*
  !@#$%^&
  !@#$%^
  !@#$%
  asdfgh
  asdf
  !@#$
  1
  654321
  123456
  1234
  123
  111
  root
  admin

Charles Crawford
University of Kansas
IT Security Officer
(785)864-0491
ccrawf () ku edu

-----Original Message-----
From: Jim Moore [mailto:jhmfa () CIS RIT EDU]
Sent: Tuesday, December 17, 2002 9:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] info on the new worm ?

I haven't seen much info on the new worm circulating except for this.

- - - - Begin Included message - - - -

All,

Over the weekend we detected and completed analysis of what appears to be a new Internet worm which we're calling IraqiWorm. This worm utilizes Windows Null Sessions against Windows 2000 and XP systems to enumerate user account names and group memberships. Then it launches a simple brute force dictionary attack against all discovered user names. We suspect the number of infected hosts is already in the thousands, and expect many more infections as there are many hosts poorly secured against this type of mechanized attack.

Full details are here: http://www.mynetwatchman.com/kb/security/articles/iraqiworm/index.htm

Regards,
Lawrence Baldwin
Chief Forensics Officer
myNetWatchman.com
Atlanta, GA
+1.678.624.0924

- - - End included message - - -

--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax: (585)475-7950
PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
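As an added example, not part of this thread and not code from any of the posters or from myNetWatchman: defender-side checks in Python for the three behaviours the messages describe (the 16-entry password dictionary, the dropped iraq_oil.exe plus its Task Scheduler entry, and the fan-out scanning of random IPs on TCP 445). The flow-record format, the host inventory lists, the IP addresses and the 20-destinations-per-minute threshold are all constructed assumptions for this example.

```python
# Added example (not from the thread): defender-side checks for the worm
# behaviour described in the posts. Flow log format, addresses, host inventory
# and the threshold below are constructed for illustration.
from collections import defaultdict
from datetime import datetime

# The 16-entry password dictionary exactly as posted on the list.
LIOTEN_DICTIONARY = [
    "server", "!@#$%^&*", "!@#$%^&", "!@#$%^", "!@#$%", "asdfgh", "asdf",
    "!@#$", "1", "654321", "123456", "1234", "123", "111", "root", "admin",
]

# Host indicator named in the posts: the file dropped into System32 and
# registered with Task Scheduler.
DROPPED_FILE = "iraq_oil.exe"


def rejects_worm_password(candidate):
    """Password-policy hook: True if the candidate is NOT in the worm's list."""
    return candidate not in LIOTEN_DICTIONARY


def host_indicators(system32_files, scheduled_task_commands):
    """Report findings from a caller-supplied host inventory: file names found
    in System32 and the command lines of the scheduled tasks."""
    findings = []
    for name in system32_files:
        if name.lower() == DROPPED_FILE:
            findings.append(f"file present in System32: {name}")
    for cmd in scheduled_task_commands:
        if DROPPED_FILE in cmd.lower():
            findings.append(f"scheduled task runs dropped file: {cmd}")
    return findings


def parse_flows(lines):
    """Parse constructed flow records: 'YYYY-mm-ddTHH:MM:SS src dst dport'."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_port_scanners(flows, port=445, threshold=20):
    """Flag sources that reach at least `threshold` distinct destination IPs on
    `port` within one clock minute. A scanning host fans out to many random
    addresses; an ordinary SMB client talks to a handful of file servers.
    Returns {src: largest distinct-destination count seen in a minute}."""
    per_minute = defaultdict(set)
    for ts, src, dst, dport in flows:
        if dport == port:
            per_minute[(src, ts.replace(second=0))].add(dst)
    suspects = {}
    for (src, _minute), dsts in per_minute.items():
        if len(dsts) >= threshold:
            suspects[src] = max(suspects.get(src, 0), len(dsts))
    return suspects


def constructed_flow_log():
    """Constructed sample: one host sweeping 30 addresses on 445 within a
    minute, one normal SMB client, one host busy on port 80 (not flagged)."""
    lines = ["# ts src dst dport"]
    for i in range(30):
        lines.append(f"2002-12-17T09:28:{i:02d} 10.0.0.5 192.0.2.{i + 1} 445")
    for i in range(3):
        lines.append(f"2002-12-17T09:28:{i * 10:02d} 10.0.0.7 10.0.1.{i + 1} 445")
    for i in range(30):
        lines.append(f"2002-12-17T09:28:{i:02d} 10.0.0.9 198.51.100.{i + 1} 80")
    return lines


if __name__ == "__main__":
    print(find_port_scanners(parse_flows(constructed_flow_log())))
    print(host_indicators(["kernel32.dll", "IRAQ_OIL.EXE"],
                          [r"C:\WINNT\system32\iraq_oil.exe"]))
    print(rejects_worm_password("123456"), rejects_worm_password("c0rrect-h0rse"))
```

The per-minute distinct-destination count is the piece worth tuning on a real network: it separates the "100 threads generating random IPs" pattern from legitimate SMB traffic, which rarely touches more than a few servers per client, and it works on any flow source that yields timestamp, source, destination and port.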
Current thread:
- info on the new worm ? Jim Moore (Dec 17)
- <Possible follow-ups>
- Re: info on the new worm ? Crawford, Charles D (Dec 17)
- Re: info on the new worm ? Gate (Dec 17)