Security Incidents mailing list archives

Re: New worm ??


From: Pedro Miller Rabinovitch <pedro () cipher com br>
Date: Tue, 18 Sep 2001 12:32:59 -0300

At 09:51 -0500 18.09.01, Cory McIntire wrote:
> I and a few others I know are getting bombarded on our machines with IIS
> requests....looks like another worm, and it's much smarter than before, it
> seems to stay within the same class A and sometimes the same class B as the
> attacking machine is in. Here is an excerpt of what I believe is the full
> scan....

Same here, and I'd guess, pretty much everywhere. I can feel the
connections overloading as we speak.

> p.s. Infected machines attempt to get you to download a readme.eml file that
> has an .exe embedded. Not sure what is in that file, or if IE will open it
> automatically (I'm on Linux), let me know, this one is spreading and
> resending _a lot_, getting hits from the same machines now...2-4 times

I can't confirm the automatic execution, but the eml file was
definitely crafted for Outlook. However, I've glazed over the encoded
.exe, and it is certainly a copy of the worm (it contains both the
javascript and the probe strings, + connect()s and registry
functions).

        Pedro.
--
Pedro Miller Rabinovitch
General Manager of Technology
Cipher Technology
21-2579-3999
www.cipher.com.br

_____
"IT Security - a Cipher Technology specialty"
