Home page logo
/

nanog logo nanog mailing list archives

Re: Worm probes
From: Eric Gauthier <eric () roxanne org>
Date: Tue, 18 Sep 2001 11:54:39 -0400


Concept Virus(CV) V.5, Copyright(C)2001  R.P.China
I've nailed a copy, and am working on getting it to the right security
people.  A *PRELIMINARY* (eyeballing the output of 'strings' indicates that
this one *both* sends itself via-email a la SirCam, *AND* scans for vulnerable
web servers, and if it finds a vulnerable server, it causes anybody visiting
that webpage to be offered a contaminated .exe as well.
I do *NOT* have a handle on what malicious effects it has other than just
propagating.

I work at a large university and our security guys think this guy is what's 
been causing us problems all morning.  Lots of subnet scans (tons of 
incomplete arps), CC Mail servers are wacking out, HPOV noting that 
old 3Com gear is dropping etc.  This is what I've heard through the rumor 
mill (so take it with a grain of salt)...

"...At first blush, it spreads itself via by web, email, and maybe shares.
We've seen it spreading by a set of two HTTP requests.  It will look for
backdoors left behind by Code Red, such as /scripts/root.exe.  It uses tftp 
to copy itself to the target machine then launches it via a second HTTP 
command."

Eric :)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault