Re: SIRCAM WORM?

From: acz [iSecureLabs] (aurelien.cabezonat_private)
Date: Tue Jul 24 2001 - 08:04:14 PDT

Next message: Soeren Ziehe: "Re: code red - some questions"

Previous message: Tony Spurlin: "RE: SIRCAM WORM?"
In reply to: borakovej: "SIRCAM WORM?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

here you are :
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A

Cabezon Aurélien
http://www.iSecureLabs.com


----- Original Message -----
From: "borakovej" <borakoveat_private>
To: "Tulchinskiy, Sasha" <STulchinskiyat_private>;
<incidentsat_private>
Sent: Monday, July 23, 2001 10:29 PM
Subject: SIRCAM WORM?


> Has anyone heard of  the SirCam Worm????
> ----- Original Message -----
> From: "Tulchinskiy, Sasha" <STulchinskiyat_private>
> To: <incidentsat_private>
> Sent: Friday, July 20, 2001 6:45 AM
> Subject: RE: CodeRed
>
>
> > BlackICE Agent for Servers reports it to ICECap console as
> > Issue 2002608 "ISAPI extension overflow"
> >
> > Sasha.
> >
> > -----Original Message-----
> > From: Ryan Russell [mailto:ryanat_private]
> > Sent: Thursday, July 19, 2001 5:18 PM
> > To: incidentsat_private
> > Subject: CodeRed
> >
> >
> > Here's a copy of CodeRed, as captured by my elite honeypot:
> >
> > nc -l -p 80 > c:\gotcha
> >
> > It's in a password protected .zip file, password is "worm" without the
> > quotes.  The zip file is only about 2K, so it shouldn't cause undue
stress
> > on anyone's mail server or client.
> >
> > There is a rule available for Snort:
> > http://www.whitehats.com/info/IDS552
> >
> > BlackICE defender spotted this one as "Suspicious URL":
> > 39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17,
> > st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1,
> >
> > And I'm not aware of other IDS' that catch this.  (Though I'd like to be
> > corrected if that's not the case.)
> >
> > Ryan
> >
> >
>
> --------------------------------------------------------------------------
> --
> >
> >
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see:
> >
> > http://aris.securityfocus.com
> >
> >
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Soeren Ziehe: "Re: code red - some questions"
Previous message: Tony Spurlin: "RE: SIRCAM WORM?"
In reply to: borakovej: "SIRCAM WORM?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 09:02:40 PDT