RE: New Worm ?

From: Mark Challender (MarkCat_private)
Date: Tue Sep 18 2001 - 10:15:49 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    This worm is attacking fully patched servers.  I have made it through
    Code Red without any problems and this morning had this worm on a
    server.
    
    The only thing I can think of that may have made this machine
    vulnerable is that I did the Post SP6A rollup and did not re-apply
    the IIS Fix cumulative patch.  I have done that now.
    
    Items that were placed on the server include:
    
    root.exe
    readme.eml
    a line of javascript in index.htm calling readme.exe.
    
    Fixes so far have been:
    
    remove *.eml
    remove root.exe
    delete JavaScript line at end of Index.htm (all 321 of those files)
    
    - -----Original Message-----
    From: Cory McIntire [mailto:coryat_private]
    Sent: Tuesday, September 18, 2001 8:17 AM
    To: forensicsat_private
    Subject: Re: New Worm ?
    
    
    I might also add, infected machines attempt a download of a
    readme.eml which extracts to an .exe and starts in Windows Media
    Player..
    
    Tuesday 18 September 2001 09:43 am, you put enough 0's and 1's
    together to make the following:
    > Hello,
    > I and a few others I know are getting bombarded on our machines with
    > IIS requests....looks like another worm, and it's much smarter than
    > before, it seems to stay within the same class A and sometimes the
    > same class B as the attacking machine is in. Here is an excerpt of
    > what I believe is the full scan....
    <snip>
    >
    > just thought I would let you guys know...this one looks bad
    > fella.....thank god for apache.....that is of course, if there isn't
    > a huge bog down on the net....=[
    >
    > cory
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    - -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBO6eBQ95aUxficepaEQKNFQCggivo+xDNYtGeoudeN1Zc7Ges6yIAoLQ4
    mUPWUgqhRkgw8QAwCm+KOJsl
    =qsft
    -----END PGP SIGNATURE-----
    
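The clean-up Mark describes above (remove the dropped *.eml and root.exe files, strip the injected script line from every index page) is a repetitive job across hundreds of files, so here is a small triage script that automates it. This is an added example, not code from the original thread or from SecurityFocus; it assumes the injected line is a `<script>` tag that references `readme.eml` (the thread says only "a line of javascript"), and the sample web root it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# File names the report lists as dropped on the infected server.
DROPPED_NAMES = {"root.exe"}
DROPPED_SUFFIXES = {".eml"}
# Pages the worm reportedly appended a script line to. Assumed set.
INDEX_PAGES = {"index.htm", "index.html", "default.htm", "default.asp"}
# Assumed shape of the injected line: a <script> tag referring to readme.eml.
INJECTED_LINE = re.compile(rb"<script[^>]*>[^\n]*readme\.eml[^\n]*</script>",
                           re.IGNORECASE)


def scan_webroot(webroot):
    """Return (dropped_files, injected_pages) found under webroot."""
    dropped, injected = [], []
    for path in sorted(Path(webroot).rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in DROPPED_NAMES or path.suffix.lower() in DROPPED_SUFFIXES:
            dropped.append(path)
        elif name in INDEX_PAGES and INJECTED_LINE.search(path.read_bytes()):
            injected.append(path)
    return dropped, injected


def clean_page(path):
    """Strip injected script lines from one page; return how many were removed."""
    data = path.read_bytes()
    cleaned, count = INJECTED_LINE.subn(b"", data)
    if count:
        path.write_bytes(cleaned)
    return count


def clean_webroot(webroot):
    """Delete dropped files and clean pages; return (files_deleted, lines_removed)."""
    dropped, injected = scan_webroot(webroot)
    for path in dropped:
        path.unlink()
    removed = sum(clean_page(path) for path in injected)
    return len(dropped), removed


def build_sample_webroot():
    """Constructed sample tree standing in for an infected IIS web root."""
    root = Path(tempfile.mkdtemp())
    (root / "readme.eml").write_bytes(b"MIME-Version: 1.0\r\n")
    (root / "scripts").mkdir()
    (root / "scripts" / "root.exe").write_bytes(b"MZ")
    # Constructed page with an appended script line of the assumed shape.
    (root / "index.htm").write_bytes(
        b"<html><body>Welcome</body></html>\r\n"
        b'<script language="JavaScript">window.open("readme.eml")</script>\r\n')
    (root / "about").mkdir()
    (root / "about" / "index.htm").write_bytes(b"<html><body>About</body></html>\r\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    dropped, injected = scan_webroot(root)
    print("dropped files:", [str(p.relative_to(root)) for p in dropped])
    print("injected pages:", [str(p.relative_to(root)) for p in injected])
    print("cleaned:", clean_webroot(root))
```

Run `scan_webroot` first and review the list before calling `clean_webroot`; on a real server you would also want to keep a copy of the dropped files for analysis and re-apply the IIS cumulative patch, as the message above notes, since cleaning the files alone does not close the hole.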
    