[42236] in North American Network Operators' Group
RE: New Worm
daemon@ATHENA.MIT.EDU (Hire, Ejay)
Fri Sep 14 11:35:52 2001
Message-ID: <F5F3FBBFC94DD4118E4500D0B74A095F013E70F6@EMAIL2>
From: "Hire, Ejay" <Ejay.Hire@Broadslate.net>
To: nanog@merit.edu
Date: Fri, 14 Sep 2001 11:25:17 -0400
I was in error. This is not a new worm. Just an old one that won't die.
http://www.Symantec.com/avcenter/venc/data/w32.hllw.bymer.html
Apologies.
-----Original Message-----
From: Ejay Hire [mailto:Ejay.hire@broadslate.net]
Sent: Friday, September 14, 2001 12:04 PM
To: nanog@merit.edu
Subject: New Worm
My honeypot was infected with a new self-replicating worm yesterday. It
appears to check for open Win95/98/ME NetBIOS shares with read/write
permission and installs wininit.exe (the scanner/infector) and the
distributed.net client (in quiet mode). Upon reboot, the scanner will start
and search for infectable hosts during periods of inactivity. The Windows
2000 Pro PC seems unaffected. I will make the files available for
disassembly if anyone is interested.
To check for infection, look for the following files in c:/windows/system:
wininit.exe -- Application
wininit.log -- Apparent log file
info.dll -- Apparent log file
dnetc.exe -- Distributed.net client
dnetc.ini -- Distributed.net config
Buff-in.* -- Distributed.net work units
ms216.exe -- Unknown, but the timestamp matched the other files...
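A host-side check for the indicator files listed above, added here as an example; it is not part of the original post or of any vendor tooling. It assumes Python on the host (or pointed at a copy of the directory), treats the wininit.exe/dnetc.exe pair as the core indicator because the post says both are installed together, and applies the same timestamp match the author used to tie ms216.exe to the rest; the sample directory it builds is constructed from empty files.

```python
import os
import fnmatch
import tempfile
# Indicator files named in the post, matched case-insensitively (FAT is
# case-insensitive); "buff-in.*" is a glob for the work-unit files.
INDICATORS = ("wininit.exe", "wininit.log", "info.dll", "dnetc.exe",
              "dnetc.ini", "buff-in.*", "ms216.exe")
# Assumption: the post says both are dropped together, so the pair is the
# core indicator and a lone stray file is only "suspicious".
CORE_PAIR = ("wininit.exe", "dnetc.exe")

def find_indicators(system_dir=r"C:\Windows\System"):
    """Map each indicator file present in system_dir to its mtime (epoch)."""
    found = {}
    if not os.path.isdir(system_dir):
        return found
    for name in os.listdir(system_dir):
        path = os.path.join(system_dir, name)
        if os.path.isfile(path) and any(
                fnmatch.fnmatch(name.lower(), p) for p in INDICATORS):
            found[name.lower()] = os.path.getmtime(path)
    return found

def correlate(found, anchor="wininit.exe", window=900):
    """Indicator files written within `window` s of the anchor's mtime, the
    same timestamp match the author used to tie ms216.exe to the others."""
    if anchor not in found:
        return []
    t0 = found[anchor]
    return sorted(n for n, t in found.items() if abs(t - t0) <= window)

def verdict(found):
    """'infected' if the core pair is present, else 'suspicious' or 'clean'."""
    if all(n in found for n in CORE_PAIR):
        return "infected"
    return "suspicious" if found else "clean"

def build_sample_dir():
    """Constructed sample (empty files, not malware): indicator names with
    mtimes clustered on one drop time plus an unrelated month-old file."""
    d = tempfile.mkdtemp(prefix="bymer-sample-")
    drop = 1_000_000_000  # arbitrary constructed epoch time
    files = [("WININIT.EXE", 0), ("wininit.log", 5), ("info.dll", 7),
             ("dnetc.exe", 12), ("dnetc.ini", 13), ("buff-in.r72", 20),
             ("ms216.exe", 30), ("user.dat", -30 * 86400)]
    for name, offset in files:
        path = os.path.join(d, name)
        open(path, "wb").close()
        os.utime(path, (drop + offset, drop + offset))
    return d
```

Run `find_indicators()` with no argument on a suspect Win9x/ME box, or pass the path of a mounted or copied System directory; `correlate` lists which hits share the drop time.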