Re: Worm probes.. Looking for captures.

[Michael Airhart <mairhart () cisco com>]

Folks,

If anyone has a packet capture of the infection in progress, would you 
please contact me.  I would like to get it to the some of the Cisco IOS 
folks ASAP.  (Not my official job, but would like to help.)

Thanks!!

Michael Airhart


At 11:54 AM 9/18/2001 -0400, Eric Gauthier wrote:

> > Concept Virus(CV) V.5, Copyright(C)2001  R.P.China
> > I've nailed a copy, and am working on getting it to the right security
> > people.  A *PRELIMINARY* (eyeballing the output of 'strings' indicates that
> > this one *both* sends itself via-email a la SirCam, *AND* scans for 
> vulnerable
> > web servers, and if it finds a vulnerable server, it causes anybody 
> visiting
> > that webpage to be offered a contaminated .exe as well.
> > I do *NOT* have a handle on what malicious effects it has other than just
> > propagating.
>
> I work at a large university and our security guys think this guy is what's
> been causing us problems all morning.  Lots of subnet scans (tons of
> incomplete arps), CC Mail servers are wacking out, HPOV noting that
> old 3Com gear is dropping etc.  This is what I've heard through the rumor
> mill (so take it with a grain of salt)...
>
> "...At first blush, it spreads itself via by web, email, and maybe shares.
> We've seen it spreading by a set of two HTTP requests.  It will look for
> backdoors left behind by Code Red, such as /scripts/root.exe.  It uses tftp
> to copy itself to the target machine then launches it via a second HTTP
> command."
>
> Eric :)

--------------------------------------------------------------------------------------------------------
Michael Airhart                         512/378-1246 Office
Consulting Systems Engineer                     413/480-1958 eFax
Cisco Systems, Inc.                             800/365-4578 Pager
12515 Research Blvd                             mairhart () cisco com
Austin, TX 78759