nanog mailing list archives
RE: Worm probes
From: "Eric Germann" <ekgermann () cctec com>
Date: Tue, 18 Sep 2001 19:57:28 -0400
We found the following on an infected server also:

For each share on the server, it generates a .eml file and puts it in the root of the share. It then creates an index.asp, index.htm, default.asp and default.htm on the root of the share which points to and downloads the .eml file from the root of the share.

Neat thing is, anyone with Active Desktop (View my Desktop as a Web Page) enabled is going to get it, presumably. Simply by browsing the shared directory.

It looks like it morphs the .eml file names too. Not all are "readme.eml", although they all are ~ 79K in size.

Happy disinfecting. My customer on the end of a 56K FR link was fsck'd this afternoon.

Welcome to IT during the first war of the 21st century ...

Eric

==========================================================================
Eric Germann                                  CCTec
ekgermann () cctec com                        Van Wert OH 45801
http://www.cctec.com                          Ph: 419 968 2640
                                              Fax: 603 825 5893

"It is so easy to miss pretty trivial solutions to problems deemed complicated. The goal of a scientist is to find an interesting problem, and live off it for a while. The goal of an engineer is to evade interesting problems :)"
-- Vadim Antonov <avg () kotovnik com> on NANOG
-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of Valdis.Kletnieks () vt edu
Sent: Tuesday, September 18, 2001 2:34 PM
To: sigma () pair com
Cc: nanog () merit edu
Subject: Re: Worm probes

On Tue, 18 Sep 2001 13:36:48 EDT, sigma () pair com said:
> Along those lines, weren't there some projects last time around to find and
> clean up the affected machines? Clearly there are LOTS of vulnerable NT
> servers still out there. Presumably these are being responded to just like

This also has an e-mail vector and a web DOWNLOAD vector. There may be lots of vulnerable NT servers, but there's a lot MORE copies of Outlook and Internet Explorer out there.

Think SirCam *AND* CodeRed *AND* the infect-a-surfer vector....

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
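
A cleanup check for the share-root artifacts described in the message above, as an added example that is not part of the original thread: it looks in the root of one share for .eml files of about the reported size under any name, and for the four landing pages named in the post that reference one of them. The function names and the 70-90 KiB window standing in for "~ 79K" are assumptions, and the sample share is constructed with placeholder bytes.

```python
import os
import tempfile

# Landing-page names listed in the post.
LANDING_PAGES = ("index.asp", "index.htm", "default.asp", "default.htm")
# Assumption: the post's "~ 79K" is treated as a 70-90 KiB window.
SIZE_WINDOW = (70 * 1024, 90 * 1024)


def scan_share_root(root):
    """Report .eml files of about the reported size in a share root, and
    landing pages in that same root whose content names one of them."""
    files = {e.name.lower(): e.path for e in os.scandir(root) if e.is_file()}
    emls = sorted(
        name for name, path in files.items()
        if name.endswith(".eml")
        and SIZE_WINDOW[0] <= os.path.getsize(path) <= SIZE_WINDOW[1]
    )
    linked = {}
    for page in LANDING_PAGES:
        if page not in files:
            continue
        with open(files[page], "rb") as fh:
            body = fh.read(256 * 1024).lower()   # cap the read per page
        hits = [name for name in emls if os.fsencode(name) in body]
        if hits:
            linked[page] = hits
    return {"eml": emls, "linked_pages": linked}


def make_constructed_share(root):
    """Build a constructed, harmless test layout (placeholder bytes only)."""
    with open(os.path.join(root, "Sample.eml"), "wb") as fh:
        fh.write(b"\0" * (79 * 1024))            # right size, not "readme.eml"
    with open(os.path.join(root, "notes.eml"), "wb") as fh:
        fh.write(b"\0" * 2048)                   # ordinary small .eml
    with open(os.path.join(root, "index.htm"), "w") as fh:
        fh.write("<html><!-- constructed --> SAMPLE.EML</html>")
    with open(os.path.join(root, "default.htm"), "w") as fh:
        fh.write("<html>ordinary page</html>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        make_constructed_share(share)
        print(scan_share_root(share))
```

Matching on size and on the landing-page reference rather than on the file name is what lets the check survive the renaming noted in the post; a hit is a lead for manual review, not a verdict.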