Re: SIRCAM WORM?

From: acz [iSecureLabs] (aurelien.cabezonat_private)
Date: Tue Jul 24 2001 - 08:04:14 PDT


    Here you are:
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A
    
    Cabezon Aurélien
    http://www.iSecureLabs.com
    
    
    ----- Original Message -----
    From: "borakovej" <borakoveat_private>
    To: "Tulchinskiy, Sasha" <STulchinskiyat_private>;
    <incidentsat_private>
    Sent: Monday, July 23, 2001 10:29 PM
    Subject: SIRCAM WORM?
    
    
    > Has anyone heard of the SirCam Worm?
    > ----- Original Message -----
    > From: "Tulchinskiy, Sasha" <STulchinskiyat_private>
    > To: <incidentsat_private>
    > Sent: Friday, July 20, 2001 6:45 AM
    > Subject: RE: CodeRed
    >
    >
    > > BlackICE Agent for Servers reports it to ICECap console as
    > > Issue 2002608 "ISAPI extension overflow"
    > >
    > > Sasha.
    > >
    > > -----Original Message-----
    > > From: Ryan Russell [mailto:ryanat_private]
    > > Sent: Thursday, July 19, 2001 5:18 PM
    > > To: incidentsat_private
    > > Subject: CodeRed
    > >
    > >
    > > Here's a copy of CodeRed, as captured by my elite honeypot:
    > >
    > > nc -l -p 80 > c:\gotcha
    > >
    > > It's in a password protected .zip file, password is "worm" without the
    > > quotes.  The zip file is only about 2K, so it shouldn't cause undue stress
    > > on anyone's mail server or client.
    > >
    > > There is a rule available for Snort:
    > > http://www.whitehats.com/info/IDS552
    > >
    > > BlackICE defender spotted this one as "Suspicious URL":
    > > 39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17, st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1,
    > >
    > > And I'm not aware of other IDSs that catch this.  (Though I'd like to be
    > > corrected if that's not the case.)
    > >
    > > Ryan
    > >
    > >
    >
    > ----------------------------------------------------------------------------
    > >
    > >
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see:
    > >
    > > http://aris.securityfocus.com
    > >
    > >
    
    
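    The honeypot in Ryan's message is one line of netcat: listen on TCP 80, accept whatever the first client sends and dump the raw bytes to a file. The block below is an added example written for this archive page, not Ryan's code and not anything from the list or from any IDS vendor. It does the same capture in Python and then applies a heuristic to the capture that matches what the BlackICE and Snort alerts quoted above describe in words: a request aimed at an Index Server ISAPI extension (.ida/.idq) with an abnormally long query string is reported as a suspected ISAPI extension overflow. The extension list, the 200-byte threshold and the sample request are my assumptions and constructed data, not a copy of any real worm traffic; the page does not show the actual payload, and this example does not pretend to.

```python
"""
Added example (not Ryan's or the list's code): a minimal Python stand-in for
the `nc -l -p 80 > c:\\gotcha` honeypot from the thread, plus a heuristic
check on what it captured.  Assumptions (mine, not the thread's): a probe
aimed at an Index Server ISAPI extension (.ida/.idq) with a very long query
string is what the IDS alerts above call an "ISAPI extension overflow", and
the sample request below is constructed for the example.
"""
import re
import socket
import threading

# Assumed: the ISAPI extensions worth flagging, and how long a query string
# has to be before we treat it as an overflow attempt rather than a search.
ISAPI_EXTENSIONS = (b".ida", b".idq")
LONG_QUERY = 200

# Constructed sample: an HTTP/1.0 request for an .ida extension whose query
# string is a few hundred bytes of filler.  Not a copy of any real worm.
SAMPLE_IDA_PROBE = (
    b"GET /default.ida?" + b"N" * 240 + b" HTTP/1.0\r\n"
    b"Host: www\r\nConnection: close\r\n\r\n"
)

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)\r?\n")


def capture_request(listener, max_bytes=65536, timeout=5.0):
    """Accept one connection on a bound, listening socket and return
    (peer_address, raw_bytes).  Like `nc -l -p 80 > file`: no reply is sent,
    we just keep whatever the client pushes at us until it closes, the byte
    cap is hit, or it goes quiet for `timeout` seconds."""
    listener.settimeout(timeout)
    conn, peer = listener.accept()
    conn.settimeout(timeout)
    chunks, total = [], 0
    try:
        while total < max_bytes:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    except socket.timeout:
        pass  # a client that never closes its side still leaves us the request
    finally:
        conn.close()
    return peer, b"".join(chunks)


def classify_request(raw):
    """Return (verdict, detail) for one captured request.
    verdict is 'not-http', 'isapi-overflow' or 'ok'."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return "not-http", "no HTTP request line in capture"
    method, target, _version = m.groups()
    path, _, query = target.partition(b"?")
    if path.lower().endswith(ISAPI_EXTENSIONS) and len(query) >= LONG_QUERY:
        return "isapi-overflow", "%s %s with %d-byte query string" % (
            method.decode(), path.decode(errors="replace"), len(query))
    return "ok", "%s %s" % (method.decode(), target[:60].decode(errors="replace"))


def loopback_capture(payload):
    """Exercise capture_request() end to end on 127.0.0.1 with an ephemeral
    port: a client thread plays the attacker and sends `payload`."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def attacker():
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(payload)

    t = threading.Thread(target=attacker)
    t.start()
    try:
        _peer, raw = capture_request(listener)
    finally:
        listener.close()
    t.join()
    return raw


if __name__ == "__main__":
    # Real use: bind ("", 80) (needs privileges), then write the raw bytes
    # out exactly as `nc` would and look at the verdict.
    raw = loopback_capture(SAMPLE_IDA_PROBE)
    with open("gotcha", "wb") as f:
        f.write(raw)
    print(classify_request(raw))
```

Two practitioner notes. First, the capture deliberately sends nothing back: a worm that expects an IIS banner or a 200 will usually push its whole request anyway, and staying silent keeps the honeypot from being fingerprinted by the probe. Second, the length-of-query heuristic is coarse on purpose; it catches the class of request the quoted IDS alerts name, but a real signature (such as the Snort rule Ryan links) matches on the request more precisely, and a long legitimate .idq search would trip this check.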
    



    This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 09:02:40 PDT