Re: Concept Virus(CV) V.5 - Advisory and Quick analysis

[Dave Sill <davids () socket net>]

You say that the worm gets a payload by tftp...  Is it using port 69?

Thanks,

Dave Sill
Server Admin
Socket Internet Services
davids () socket net

Is the worm 

On Tuesday 18 September 2001 10:47, you wrote:
> Hi all!
>
>
> We've all just been hit by a VERY aggressive worm/virus.
>
> Quick analysis indicates that it propagates itself in
> a number of different ways:
>
> Through use of IIS UNICODE direcory traversal coupled
> with the recent IIS .dll privilege escalation attack.
> It uses SMB/CIFS and TFTP to get the worm payload.
>
> Through MAPI mails (probably to all of addressbook).
>
> Other ways of spreading may be possible, but we haven't
> yet had the time to properly analyse the worm/virus.
>
> It seems to share "c:\" via SMB/CIFS as "c$" and
> the worm/virus also adds the "Guest" user and "Guests"
> group to the local "Administrators" group....
>
>
> Interesting strings in binary:
>
> Concept Virus(CV) V.5, Copyright(C)2001  R.P.China
>
> SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
> share c$=c:\
> user guest ""
> localgroup Administrators guest /add
> localgroup Guests guest /add
> user guest /active
> open
> user guest /add
> net
>
>
> More info as we come upon it.....
>
> /olle
>
> ---------------------------------------------------------------------------
> - This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com