Hi all!

We've all just been hit by a VERY aggressive worm/virus. Quick analysis indicates that it propagates itself in a number of different ways:

- Through use of IIS UNICODE directory traversal coupled with the recent IIS .dll privilege escalation attack. It uses SMB/CIFS and TFTP to get the worm payload.
- Through MAPI mails (probably to all of addressbook).

Other ways of spreading may be possible, but we haven't yet had the time to properly analyse the worm/virus.

It seems to share "c:\" via SMB/CIFS as "c$" and the worm/virus also adds the "Guest" user and "Guests" group to the local "Administrators" group....

Interesting strings in binary:

    Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
    SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
    share c$=c:\
    user guest ""
    localgroup Administrators guest /add
    localgroup Guests guest /add
    user guest /active
    open
    user guest /add
    net

More info as we come upon it.....

/olle

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
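Added example, not from olle's post or the list: a small Python checker for IIS W3C logs that decodes request URIs the way the vulnerable IIS did and flags the Unicode directory-traversal requests the post names as one of the worm's vectors. The sample log lines, the field order and the repeated percent-decoding (which also catches double-encoded traversal, a generalization of the post) are assumptions of mine; the %c0%af overlong encoding is the IIS Unicode bug the post refers to.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C log lines (date time client method uri query status), not from
# the post. %c0%af is the overlong "/" of the IIS Unicode bug; %255c is a double-encoded "\".
SAMPLE_LOG = """\
2001-09-18 08:00:01 10.0.0.7 GET /default.htm - 200
2001-09-18 08:00:02 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 08:00:03 10.0.0.9 GET /images/logo.gif - 200
2001-09-18 08:00:04 10.0.0.12 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
"""

OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")  # 2-byte sequences that encode ASCII

def lenient_utf8(raw: bytes) -> str:
    # The vulnerable IIS accepted overlong 2-byte sequences (C0 AF -> '/', C1 9C -> '\')
    # that a strict decoder rejects; fold each pair to the byte it encodes first.
    def fold(m):
        return bytes([((m.group()[0] & 0x1F) << 6) | (m.group()[1] & 0x3F)])
    return OVERLONG.sub(fold, raw).decode("utf-8", "replace")

def normalize(uri: str) -> str:
    # Percent-decode until stable (defeats double-encoding), then fold '\' to '/'.
    nxt = lenient_utf8(unquote_to_bytes(uri))
    while nxt != uri:
        uri, nxt = nxt, lenient_utf8(unquote_to_bytes(nxt))
    return nxt.replace("\\", "/")

def escapes_web_root(path: str) -> bool:
    # True if a '..' segment climbs above the virtual root at any point.
    depth = 0
    for seg in path.split("/"):
        depth += -1 if seg == ".." else (1 if seg and seg != "." else 0)
        if depth < 0:
            return True
    return False

def find_traversal(log_text: str) -> list:
    # Return (client, raw_uri, normalized_path) for each request that escapes the root.
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith("#"):
            continue
        norm = normalize(parts[4])
        if escapes_web_root(norm):
            hits.append((parts[2], parts[4], norm))
    return hits
```

Run over the two constructed hostile lines it reports both clients with the same normalized path, which is the value to match on rather than the raw encoded URI.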
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 08:27:28 PDT