While examining the results of this worm I noticed the following on SEVERAL infected systems:

Files on the C drive:

<SNIP>
09/18/2001 01:45p 57,344 TFTP1012
09/18/2001 01:46p 57,344 TFTP19064
09/18/2001 01:46p 57,344 TFTP19248
09/18/2001 01:48p 57,344 TFTP19068
09/18/2001 01:49p 57,344 TFTP19288
09/18/2001 01:51p 57,344 TFTP19608
09/18/2001 01:52p 57,344 TFTP19564
09/18/2001 01:56p 57,344 TFTP19476
09/18/2001 01:55p 57,344 TFTP19900
09/18/2001 01:55p 57,344 TFTP19440
09/18/2001 01:56p 57,344 TFTP19868
09/18/2001 02:00p 57,344 TFTP19956
09/18/2001 02:02p 57,344 TFTP20028
09/18/2001 02:00p 57,344 TFTP20064
09/18/2001 02:01p 57,344 TFTP20096
09/18/2001 02:01p 57,344 TFTP20136
09/18/2001 02:04p 57,344 TFTP20204
09/18/2001 02:02p 57,344 TFTP20076
09/18/2001 02:01p 57,344 TFTP20304
09/18/2001 02:02p 57,344 TFTP20292
09/18/2001 02:02p 57,344 TFTP20328
09/18/2001 02:06p 57,344 TFTP20280
09/18/2001 02:03p 57,344 TFTP20248
09/18/2001 02:07p 52,736 TFTP20316
<SNIP>

I'm seeing some machines with literally thousands and thousands of these files filling up their HDs. Besides in the root directory I'm seeing people with them in the scripts directory as well.

Another thing interesting to note, but not surprising, is that a lot of the hosts I'm seeing infected with this new worm are machines that still have the Code Red II trojans sitting on them. This could really cause some headaches.

Regards,
Stan

--
Stan Bubrouski stanat_private
23 Westmoreland Road, Hingham, MA 02043
Cell: (617) 835-3284

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 15:03:21 PDT