It uses TFTP to try to pull the admin.dll file from the 'attacking' system.
The default port for TFTP is 69, AFAIK.

Regards,
Matt

--
Matt Davis, MCP
Intermediate Client Server Business Support Analyst
COUNTRY(SM) Insurance & Financial Services
309-821-6288
mailto:matt.davisat_private

>-----Original Message-----
>From: Robert Nieuwhof [mailto:RNieuwhofat_private]
>Sent: Tuesday, September 18, 2001 4:01 PM
>To: 'Dave Sill'; Grady Fox
>Cc: incidentsat_private
>Subject: RE: Concept Virus(CV) V.5 - Advisory and Quick analysis
>
>
>Have you indeed confirmed that the worm utilizes port 69? If so, how was
>this confirmed and will you please share the criteria and results of your
>confirmational testing?
>
>Thanks,
>Robert J. Nieuwhof, CNA, MCP
>mailto:Rnieuwhofat_private
>Network Engineer
>NOS Communications - Information Services
>
>http://www.nos.com
>
>Madness takes its toll. Please have exact change.
>
>The information contained in this correspondence is confidential and
>intended for the use of the individual or entity named above. Unauthorized
>distribution is prohibited. Any and all opinions expressed are the
>opinions of the author of this e-mail, and in no way reflect or imply the
>opinions of NOS Communications.
>
>
>-----Original Message-----
>From: Dave Sill [mailto:davidsat_private]
>Sent: Tuesday, September 18, 2001 11:13 AM
>To: Grady Fox
>Cc: incidentsat_private
>Subject: Re: Concept Virus(CV) V.5 - Advisory and Quick analysis
>
>
>We've blocked 69/udp at our internal and border routers both incoming and
>outgoing. Be careful with your private networks. Our tech support
>department contracted this bug by opening a web page of an infected customer
>in response to a complaint about performance.
>
>Dave Sill
>Server Admin
>Socket Internet Services
>davidsat_private
>
>On Tuesday 18 September 2001 15:10, you wrote:
>> YES
>>
>> --- Dave Sill <davidsat_private> wrote:
>> > You say that the worm gets a payload by tftp... Is
>> > it using port 69?
>> >
>> > Thanks,
>> >
>> > Dave Sill
>> > Server Admin
>> > Socket Internet Services
>> > davidsat_private
>> >
>> > Is the worm
>> >
>> > On Tuesday 18 September 2001 10:47, you wrote:
>> > > Hi all!
>> > >
>> > >
>> > > We've all just been hit by a VERY aggressive worm/virus.
>> > > Quick analysis indicates that it propagates itself in
>> > > a number of different ways:
>> > >
>> > > Through use of IIS UNICODE directory traversal coupled
>> > > with the recent IIS .dll privilege escalation attack.
>> > > It uses SMB/CIFS and TFTP to get the worm payload.
>> > >
>> > > Through MAPI mails (probably to all of address book).
>> > > Other ways of spreading may be possible, but we haven't
>> > > yet had the time to properly analyse the worm/virus.
>> > > It seems to share "c:\" via SMB/CIFS as "c$" and
>> > > the worm/virus also adds the "Guest" user and "Guests"
>> > > group to the local "Administrators" group....
>> > >
>> > >
>> > > Interesting strings in binary:
>> > >
>> > > Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
>> > > SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
>> > > share c$=c:\
>> > > user guest ""
>> > > localgroup Administrators guest /add
>> > > localgroup Guests guest /add
>> > > user guest /active
>> > > open
>> > > user guest /add
>> > > net
>> > >
>> > >
>> > > More info as we come upon it.....
>> > >
>> > > /olle
>> > >
>> > > ----------------------------------------------------------------------------
>> > > This list is provided by the SecurityFocus ARIS analyzer service.
>> > > For more information on this free incident handling, management
>> > > and tracking system please see: http://aris.securityfocus.com
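The thread above gives a defender two concrete indicators: an infected host fetches admin.dll over TFTP (UDP port 69), and the worm's embedded `net` commands add "Guest" and "Guests" to the local "Administrators" group. The script below, which is an added example and not code from any of the thread's posters, turns both into checks: it flags accepted UDP/69 flows in an iptables-style firewall log (a format I assume here; adapt the regex to your own device) and parses `net localgroup Administrators` output for Guest membership. All log lines and command output are constructed samples.

```python
import re

TFTP_PORT = 69

# Assumed iptables/netfilter-style log line layout; field names are those
# emitted by the netfilter LOG target, the surrounding syslog prefix is ignored.
FW_LINE = re.compile(
    r"(?P<action>ACCEPT|DROP)\s+IN=(?P<in>\S*)\s+OUT=(?P<out>\S*)\s+"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+"
    r"SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)

# Constructed sample: eth1 is the inside interface, eth0 faces the Internet.
SAMPLE_FIREWALL_LOG = """\
Sep 18 15:02:11 border-rtr kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.30 DST=203.0.113.7 PROTO=UDP SPT=2049 DPT=69 LEN=44
Sep 18 15:02:12 border-rtr kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.30 DST=203.0.113.7 PROTO=TCP SPT=1043 DPT=80 LEN=60
Sep 18 15:03:40 border-rtr kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.1.2.31 PROTO=UDP SPT=1025 DPT=69 LEN=48
Sep 18 15:04:02 border-rtr kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.2.40 DST=203.0.113.9 PROTO=UDP SPT=3001 DPT=69 LEN=44
Sep 18 15:05:00 border-rtr kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=203.0.113.10 PROTO=UDP SPT=4000 DPT=53 LEN=70
"""

# Constructed sample of `net localgroup Administrators` output on a host
# where the worm's "localgroup Administrators guest /add" has already run.
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Guest
Guests
The command completed successfully.
"""


def parse_firewall_log(text):
    """Return one dict per recognisable firewall line; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_LINE.search(line)
        if m:
            ev = m.groupdict()
            ev["spt"] = int(ev["spt"])
            ev["dpt"] = int(ev["dpt"])
            events.append(ev)
    return events


def tftp_events(text, internal_iface="eth1"):
    """Accepted UDP/69 flows as (direction, src, dst) tuples.

    DROP lines are left out on purpose: they show the 69/udp block working,
    while ACCEPT lines are transfers that got through and need a look.
    Direction is judged by the ingress interface relative to internal_iface.
    """
    hits = []
    for ev in parse_firewall_log(text):
        if ev["proto"] != "UDP" or ev["dpt"] != TFTP_PORT or ev["action"] != "ACCEPT":
            continue
        direction = "outbound" if ev["in"] == internal_iface else "inbound"
        hits.append((direction, ev["src"], ev["dst"]))
    return hits


def guest_in_administrators(net_output):
    """Members of the Administrators group that match the worm's additions.

    Parses the block between the dashed separator and the trailing
    'The command completed' line of `net localgroup Administrators`.
    """
    members = []
    collecting = False
    for line in net_output.splitlines():
        s = line.strip()
        if s.startswith("----"):
            collecting = True
            continue
        if s.startswith("The command completed"):
            break
        if collecting and s:
            members.append(s)
    return [m for m in members if m.lower() in {"guest", "guests"}]


if __name__ == "__main__":
    for direction, src, dst in tftp_events(SAMPLE_FIREWALL_LOG):
        print(f"accepted TFTP flow ({direction}): {src} -> {dst}")
    for name in guest_in_administrators(SAMPLE_NET_LOCALGROUP):
        print(f"unexpected Administrators member: {name}")
```

Run against the samples, the first check reports one outbound and one inbound accepted transfer and ignores the dropped one, and the second reports both Guest and Guests. Inbound-versus-outbound matters for triage: an internal IIS host initiating UDP/69 to the Internet is the pattern Matt describes (the victim pulling admin.dll from the attacker), so that host, not the remote address, is the one to pull off the network first.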
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 08:41:06 PDT