Probably this....

========================

Virus Name: W32/Nachi.worm

Risk Assessment
  Corporate User: Medium
  Home User: Medium

Virus Information
  Discovery Date: 08/18/2003
  Origin: Unknown
  Length: 10,240 bytes (UPXed)
  Type: Virus
  SubType: Internet Worm
  Minimum DAT: 4286 (Release Date: 08/18/2003)
  Minimum Engine: 4.1.60
  Description Added: 08/18/2003
  Description Modified: 08/18/2003 10:53 AM (PT)

Virus Characteristics:

This detection is for another virus that exploits the MS03-026 vulnerability. It is not related to the W32/Lovsan.worm.d variant described here. The virus is detected by the current Daily DATs as Exploit-DcomRpc virus (with scanning of compressed files enabled).

Intentions of the worm

This worm tries to spread by exploiting a hole in Microsoft Windows. It instructs a remote target system to download and execute the worm from the infected host. Once running, the worm terminates and deletes the W32/Lovsan.worm.a process and applies the Microsoft patch to prevent other threats from infecting the system through the same hole. When the system clock reaches Jan 1, 2004, the worm will delete itself upon execution.

Symptoms

 - large volumes of ICMP traffic in network
 - existence of the files and Windows services detailed above

Method Of Infection

This worm spreads by exploiting a vulnerability in Microsoft Windows. It scans the local subnet (port 135) for target machines. It sends an ICMP ping to potential victim machines, and upon a reply, sends the exploit data. A remote shell is created on the target system on TCP port 707. Victim machines are instructed to download the worm via TFTP.

Irrespective of anti-virus detection, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack from an infected host machine.
An infected machine will send packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine. By applying the MS03-026 patch to the machine, it will prevent the RPC service from failing, in turn solving these symptoms. It is very important that the machine is rebooted after the patch has been installed.

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office: 212-806-4125
Pager: 8884238615

-----Original Message-----
From: Ken Eichman [mailto:keichmanat_private]
Sent: Monday, August 18, 2003 12:24 PM
To: incidentsat_private
Subject: Increasing ICMP Echo Requests

For the past 12 hours I've noticed a steady increase in the number of ICMP Echo Requests (type 8 code 0) being directed against random source addresses in my /16. During the past 15 hours we've been ping probed by 127,585 unique source addresses, and hour-by-hour the number of sources is increasing:

Date   Hour (GMT)   # Unique Src Addrs
-----  ----------   ------------------
08/18     0000                      80
08/18     0100                     232
08/18     0200                     905
08/18     0300                    2727
08/18     0400                    4686
08/18     0500                    7378
08/18     0600                    9930
08/18     0700                   12214
08/18     0800                   13993
08/18     0900                   14196
08/18     1000                   14097
08/18     1100                   15756
08/18     1200                   17776
08/18     1300                   20352
08/18     1400                   21298

I have not had time to do much analysis on this traffic, other than to report it to DShield who is apparently getting similar reports from others.

Possibly related to this, we are also seeing an increased number of ping sweeps, where one source IP incrementally pings our entire /16 range.

Anyone else seeing this or have any ideas?

Ken Eichman
Senior Scientist
Chemical Abstracts Service
IT Information Security
2540 Olentangy River Road
Columbus, OH 43210
614-447-3600 ext. 3230
keichmanat_private

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
 - Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
----------------------------------------------------------------------------

**********************************************************************
CONFIDENTIALITY NOTICE: This e-mail transmission, including any attachments to it, may contain confidential information or protected health information subject to privacy regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This transmission is intended only for the use of the recipient(s) named above. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify me by reply e-mail and destroy the original transmission in its entirety without saving it in any manner.
**********************************************************************
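The probe-then-exploit sequence in the quoted McAfee description (ICMP echo request, then exploit data to TCP/135, then a remote shell on TCP/707, then a TFTP fetch by the victim) and the two things Ken reports (unique echo-request sources per hour, and single sources incrementally pinging a range) can all be checked against a flow or firewall log. The script below is an added example written for this archive page; it is not code from either poster, from McAfee, or from the worm itself. The log line format, every sample record, and the sweep threshold of eight consecutive addresses are constructed assumptions, so adapt the parser to whatever your sensor actually emits.

```python
"""Added example: spot Nachi-style ICMP sweeps and the ping -> TCP/135 -> TCP/707
chain in a flow log.  The line format and every record below are constructed."""
import re
from collections import defaultdict, namedtuple
from ipaddress import ip_address

Flow = namedtuple("Flow", "ts proto src dst sport dport icmp_type")

# Constructed line format (an assumption, not any real sensor's output), e.g.
#   2003-08-18 00:05:10 ICMP 10.1.1.5 > 192.0.2.10 type=8 code=0
#   2003-08-18 00:05:31 TCP 10.1.1.5:1042 > 192.0.2.10:135 S
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>ICMP|TCP|UDP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? > (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?: type=(?P<type>\d+) code=\d+)?"
)


def parse_flows(lines):
    """Parse log lines into Flow records; lines that do not match are skipped."""
    flows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append(Flow(d["ts"], d["proto"], d["src"], d["dst"],
                          int(d["sport"]) if d["sport"] else None,
                          int(d["dport"]) if d["dport"] else None,
                          int(d["type"]) if d["type"] else None))
    return flows


def is_echo_request(f):
    return f.proto == "ICMP" and f.icmp_type == 8


def hourly_unique_echo_sources(flows):
    """Unique echo-request sources per hour, keyed 'MM/DD HHMM' like Ken's table."""
    per_hour = defaultdict(set)
    for f in flows:
        if is_echo_request(f):
            per_hour[f"{f.ts[5:7]}/{f.ts[8:10]} {f.ts[11:13]}00"].add(f.src)
    return {hour: len(srcs) for hour, srcs in sorted(per_hour.items())}


def ping_sweeps(flows, min_run=8):
    """Sources whose echo-request targets contain a run of >= min_run consecutive
    addresses (one host walking a range).  Returns (src, first, last, run_len)."""
    targets = defaultdict(set)
    for f in flows:
        if is_echo_request(f):
            targets[f.src].add(int(ip_address(f.dst)))
    found = []
    for src, addrs in targets.items():
        ordered = sorted(addrs)
        best_len = run_len = 1
        best_start = run_start = ordered[0]
        for prev, cur in zip(ordered, ordered[1:]):
            if cur == prev + 1:
                run_len += 1
            else:
                run_len, run_start = 1, cur
            if run_len > best_len:
                best_len, best_start = run_len, run_start
        if best_len >= min_run:
            last = best_start + best_len - 1
            found.append((src, str(ip_address(best_start)), str(ip_address(last)), best_len))
    return sorted(found)


def infection_stages(flows):
    """Furthest stage of the chain seen per (src, dst), in time order:
    'echo' (ICMP echo request), 'rpc' (TCP to dst:135 after it, the exploit),
    'shell' (TCP to dst:707 after that, the remote shell).  Pairs that never
    begin with an echo request are not reported."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    stages = {}
    for pair, pair_flows in by_pair.items():
        stage = None
        for f in sorted(pair_flows, key=lambda x: x.ts):
            if stage is None and is_echo_request(f):
                stage = "echo"
            elif stage == "echo" and f.proto == "TCP" and f.dport == 135:
                stage = "rpc"
            elif stage == "rpc" and f.proto == "TCP" and f.dport == 707:
                stage = "shell"
        if stage:
            stages[pair] = stage
    return stages


def constructed_log():
    """Constructed sample: 10.1.1.5 sweeps 192.0.2.10-21 then exploits .10;
    10.1.1.9 sends one ping; 10.1.2.7 pings and hits 135 but never reaches 707."""
    lines = [f"2003-08-18 00:05:{10 + i:02d} ICMP 10.1.1.5 > 192.0.2.{10 + i} type=8 code=0"
             for i in range(12)]
    lines += [
        "2003-08-18 00:05:30 ICMP 192.0.2.10 > 10.1.1.5 type=0 code=0",  # echo reply
        "2003-08-18 00:05:31 TCP 10.1.1.5:1042 > 192.0.2.10:135 S",
        "2003-08-18 00:05:33 TCP 10.1.1.5:1043 > 192.0.2.10:707 S",
        "2003-08-18 00:05:34 UDP 192.0.2.10:1100 > 10.1.1.5:69",       # victim TFTP fetch
        "2003-08-18 00:40:00 ICMP 10.1.1.9 > 192.0.2.10 type=8 code=0",
        "2003-08-18 01:10:00 ICMP 10.1.2.7 > 192.0.2.50 type=8 code=0",
        "2003-08-18 01:12:00 TCP 10.1.2.7:2000 > 192.0.2.50:135 S",
    ]
    return lines


if __name__ == "__main__":
    flows = parse_flows(constructed_log())
    for hour, n in hourly_unique_echo_sources(flows).items():
        print(hour, n)
    print("sweeps:", ping_sweeps(flows))
    print("chains:", infection_stages(flows))
```

The stage tracker deliberately reports partial chains: a source that pinged and then touched TCP/135 on the same host is worth a look even if no TCP/707 follow-up was logged, since the exploit attempt alone will crash the RPC service on an unpatched target, exactly the symptom Sonja describes.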
This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 12:44:59 PDT