Re: Concept Virus(CV) V.5 - Quick analysis update

From: Homer Wilson Smith (homerat_private)
Date: Tue Sep 18 2001 - 17:05:50 PDT

  • Next message: Chris Arnold: "RE: New worm segfaults apache" 

        If any one has the proper entries in the apache 1.3.20
config file to block the gets to Admin.dll, root.exe and cmd.exe,
I would appreciate knowing about them.  Been playing with
<FilesMatch> and <DirectoryMatch> but they only seem to work
IF the directory path actually exists on the machine.

    We are being swamped here.

    Homer

------------------------------------------------------------------------
Homer Wilson Smith   Clean Air, Clear Water,  Art Matrix - Lightlink
(607) 277-0959       A Green Earth and Peace. Internet Access, Ithaca NY
homerat_private  Is that too much to ask? http://www.lightlink.com

On Tue, 18 Sep 2001, Brian Pomeroy wrote:

> This morning I received an e-mail with the subject line "elvis presley -
> amazing grace" from asportalat_private and containing an attachment
> named read.exe.  I am suspecting this could be related.
>
> Brian Pomeroy
> e-Transformation/e-Medicine Center
> The Children's Hospital of Philadelphia
> Philadelphia, PA USA
> http://www.chop.edu/
> pomeroyat_private || lunarat_private
>
>
>
> ----- Original Message -----
> From: "Olle Segerdahl" <olleat_private>
> To: <bugtraqat_private>; <incidentsat_private>
> Sent: Tuesday, September 18, 2001 11:58 AM
> Subject: Concept Virus(CV) V.5 - Quick analysis update
>
>
> >
> > More infectation routes:
> >
> > The worm, upon infecting a new host, goes through all the
> > shared directories and their subdirecories and plants the
> > following files in each dir:
> >
> > sample.nws
> > sample.eml
> > desktop.eml
> > desktop.nws
> >
> > which are eml messages with copies of itself ("readme.exe")
> > autoloaded by a html script tag,
> >
> > riched20.dll
> >
> > which is a trojan dll version of itself probably designed
> > to infect people running notepad/wordpad in that dir.
> >
> >
> > It also infects htm/html/asp files all over the system with
> > a <SCRIPT> tag appendage that links to a readme.eml file in
> > the current directory, thus infecting more webservers and
> > even windows helpsystem and the IE "freindly" error messages.
> >
> > The worm puts a trojan mmc.exe in the winnt directory that
> > is a copy of itself in the above "readme.exe" format.....
> >
> > So in short: This thing spreads vi fileserver shares and
> > also infects all web content files it sees, it's EVIL.
> >
> > /olle
> >
> > --------------------------------------------------------------------------
> --
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
> >
> >
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 18:39:36 PDT