[42232] in North American Network Operators' Group
New Worm
daemon@ATHENA.MIT.EDU (Ejay Hire)
Fri Sep 14 11:11:28 2001
Message-ID: <012e01c13d36$f3cfe160$4801fe0a@Broadslate.net>
From: "Ejay Hire" <Ejay.hire@broadslate.net>
To: <nanog@merit.edu>
Date: Fri, 14 Sep 2001 11:04:23 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0128_01C13D0D.0290D580"
Errors-To: owner-nanog-outgoing@merit.edu
My honeypot was infected with a new self-replicating worm yesterday. It appears to check for open Win95/98/ME NetBIOS shares with read/write permission and installs wininit.exe (the scanner/infector) and the distributed.net client (in quiet mode). Upon reboot, the scanner will start and search for infectable hosts during periods of inactivity. The Windows 2000 Pro PC seems unaffected. I will make the files available for disassembly if anyone is interested.
To check for infection, look for the following files in c:/windows/system:

wininit.exe -- Application
wininit.log -- Apparent log file
info.dll -- Apparent log file
dnetc.exe -- Distributed.net client
dnetc.ini -- Distributed.net config
Buff-in.* -- Distributed.net work units
ms216.exe -- Unknown, but the timestamp matched the other files...
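An added example (not part of the original post) that turns the file list above into a scripted check: it looks for the named indicators in a given directory, matching names case-insensitively as a Win9x filesystem would, and groups the hits by modification time, since the post notes that ms216.exe was tied to the other files only by a matching timestamp. The directory path, the 300-second clustering window and the sample directory built under `__main__` are assumptions for illustration.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Indicator file names quoted in the post; "Buff-in.*" is a wildcard pattern.
INDICATORS = ("wininit.exe", "wininit.log", "info.dll", "dnetc.exe",
              "dnetc.ini", "Buff-in.*", "ms216.exe")
# The post names wininit.exe as the scanner/infector and dnetc.exe as the payload.
CORE = {"wininit.exe", "dnetc.exe"}


def find_indicators(system_dir):
    """Map each indicator pattern to the paths in system_dir matching it (case-insensitive)."""
    root = Path(system_dir)
    if not root.is_dir():
        return {}
    found = {}
    for pattern in INDICATORS:
        hits = sorted(str(p) for p in root.iterdir()
                      if fnmatch.fnmatchcase(p.name.lower(), pattern.lower()))
        if hits:
            found[pattern] = hits
    return found


def timestamp_clusters(paths, window=300):
    """Group file names whose mtimes lie within `window` seconds of the previous file (assumed window)."""
    clusters, last = [], None
    for p in sorted(paths, key=os.path.getmtime):
        mtime = os.path.getmtime(p)
        if last is None or mtime - last > window:
            clusters.append([])
        clusters[-1].append(Path(p).name)
        last = mtime
    return clusters


def assess(system_dir):
    """Report present indicators, whether both core components exist, and the mtime clusters."""
    found = find_indicators(system_dir)
    paths = [p for hits in found.values() for p in hits]
    names = {Path(p).name.lower() for p in paths}
    return {"found": found, "likely_infected": CORE <= names,
            "clusters": timestamp_clusters(paths)}


if __name__ == "__main__":
    # Constructed sample directory standing in for c:/windows/system on an infected host.
    with tempfile.TemporaryDirectory() as d:
        for name in ("wininit.exe", "dnetc.exe", "dnetc.ini", "Buff-in.r72", "ms216.exe"):
            Path(d, name).write_bytes(b"")
            os.utime(Path(d, name), (1000000000, 1000000000))
        print(assess(d))
```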