At 09:51 -0500 18.09.01, Cory McIntire wrote:
>I and a few others I know are getting bombarded on our machines with IIS
>requests....looks like another worm, and it's much smarter than before, it
>seems to stay within the same class A and sometimes the same class B as the
>attacking machine is in. Here is an excerpt of what I believe is the full
>scan....

Same here, and I'd guess, pretty much everywhere. I can feel the connections overloading as we speak.

>p.s. Infected machines attempt to get you to download a readme.eml file, that
>has an .exe embedded. Not sure what is in that file, or if IE will open it
>automatically, (I'm on linux), let me know, this one is spreading and
>resending _a lot_ getting hits from the same machines now...2-4 times

I can't confirm the automatic execution, but the eml file was definitely crafted for Outlook. However, I've glazed over the encoded .exe, and it is certainly a copy of the worm (it contains both the javascript and the probe strings, + connect()s and registry functions).

Pedro.
--
Pedro Miller Rabinovitch
General Technology Manager
Cipher Technology
21-2579-3999
www.cipher.com.br
_____
"IT Security - a Cipher Technology specialty"

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 08:43:15 PDT