I found an unusual activity this morning. Can't find the TFTP, but did have a readme.eml with a line of script in every index.htm on the web server that called this file. The file appears to call a readme.exe. My firewall was freaked and all internet access was down because of the load. I'm still investigating. One copy of the infected Index and the readme.eml have been saved.

-----Original Message-----
From: Dave Sill [mailto:davidsat_private]
Sent: Tuesday, September 18, 2001 7:45 AM
To: Olle Segerdahl
Cc: incidentsat_private
Subject: Re: Concept Virus(CV) V.5 - Advisory and Quick analysis

You say that the worm gets a payload by tftp... Is it using port 69?

Thanks,

Dave Sill
Server Admin
Socket Internet Services
davidsat_private

Is the worm

On Tuesday 18 September 2001 10:47, you wrote:
> Hi all!
>
> We've all just been hit by a VERY aggressive worm/virus.
>
> Quick analysis indicates that it propagates itself in
> a number of different ways:
>
> Through use of IIS UNICODE directory traversal coupled
> with the recent IIS .dll privilege escalation attack.
> It uses SMB/CIFS and TFTP to get the worm payload.
>
> Through MAPI mails (probably to all of address book).
>
> Other ways of spreading may be possible, but we haven't
> yet had the time to properly analyse the worm/virus.
>
> It seems to share "c:\" via SMB/CIFS as "c$" and
> the worm/virus also adds the "Guest" user and "Guests"
> group to the local "Administrators" group....
>
> Interesting strings in binary:
>
> Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
>
> SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
> share c$=c:\
> user guest ""
> localgroup Administrators guest /add
> localgroup Guests guest /add
> user guest /active
> open
> user guest /add
> net
>
> More info as we come upon it.....
>
> /olle
>
> ---------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
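A detection-side check for the two indicators this thread reports (the readme.eml reference injected into web pages, and the net-command strings found in the binary), added here as an example and not code from any of the list posters; the index.htm content and the command log it scans are constructed samples.

```python
import re

# Indicators taken from the thread: the injected reference to readme.eml in
# web pages, and the net-command strings pulled from the worm binary.
WEB_INDICATOR = re.compile(r"readme\.eml", re.IGNORECASE)
NET_INDICATORS = [
    'share c$=c:\\',
    'user guest ""',
    'localgroup Administrators guest /add',
    'localgroup Guests guest /add',
    'user guest /active',
    'user guest /add',
]


def injected_script_lines(html: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for each line referencing readme.eml."""
    return [(n, line.strip()) for n, line in enumerate(html.splitlines(), 1)
            if WEB_INDICATOR.search(line)]


def matched_net_commands(log_lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, indicator) for log lines containing one of the
    net-command strings; matching is case-insensitive and whitespace-collapsed
    so that extra spacing or casing does not hide a hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        norm = " ".join(line.split()).lower()
        for indicator in NET_INDICATORS:
            if indicator.lower() in norm:
                hits.append((n, indicator))
    return hits


# Constructed sample page: a normal file with one injected script line.
SAMPLE_INDEX_HTM = """<html><body>
<h1>Welcome</h1>
<script>window.open("readme.eml")</script>
</body></html>"""

# Constructed sample command log (one benign line at the end).
SAMPLE_CMD_LOG = [
    'cmd.exe /c net user guest ""',
    'cmd.exe /c net localgroup Administrators guest /add',
    'cmd.exe /c net share c$=c:\\',
    'cmd.exe /c dir',
]

if __name__ == "__main__":
    print(injected_script_lines(SAMPLE_INDEX_HTM))
    print(matched_net_commands(SAMPLE_CMD_LOG))
```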
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 10:22:44 PDT