[42239] in North American Network Operators' Group
RE: New Worm
daemon@ATHENA.MIT.EDU (Roeland Meyer)
Fri Sep 14 12:23:34 2001
Message-ID: <EA9368A5B1010140ADBF534E4D32C728069EBC@condor.mhsc.com>
From: Roeland Meyer <rmeyer@mhsc.com>
To: "'Hire, Ejay'" <Ejay.Hire@Broadslate.net>, nanog@merit.edu
Date: Fri, 14 Sep 2001 09:20:48 -0700
Strange that this one resurfaces just after we discussed Win shares t'other
day.
-----Original Message-----
From: Hire, Ejay [mailto:Ejay.Hire@Broadslate.net]
Sent: Friday, September 14, 2001 8:25 AM
To: nanog@merit.edu
Subject: RE: New Worm
I was in error. This is not a new worm. Just an old one that won't die.
http://www.Symantec.com/avcenter/venc/data/w32.hllw.bymer.html
Apologies.
-----Original Message-----
From: Ejay Hire [mailto:Ejay.hire@broadslate.net]
Sent: Friday, September 14, 2001 12:04 PM
To: nanog@merit.edu
Subject: New Worm
My honeypot was infected with a new self-replicating worm yesterday. It
appears to check for open Win95/98/ME NetBIOS shares with read/write
permission and installs wininit.exe (the scanner/infector) and the
distributed.net client (in quiet mode). Upon reboot, the scanner will start
and search for infectable hosts during periods of inactivity. The Windows
2000 Pro PC seems unaffected. I will make the files available for
disassembly if anyone is interested.
To check for infection, look for the following files in c:/windows/system:
wininit.exe -- Application
wininit.log -- Apparent Log file
info.dll    -- Apparent Log file
dnetc.exe   -- Distributed.net client
dnetc.ini   -- Distributed.net config
Buff-in.*   -- Distributed.net work units
ms216.exe   -- Unknown, but the timestamp matched the other files...
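
The file check described in the original report, as an added example that is not part of any message in this thread: it looks for the listed names in a directory and also reports other files whose modification time falls close to a listed file, the same timestamp correlation that singled out ms216.exe. The function names, the 120-second window and the sample directory are assumptions made for the example; point scan_system_dir at a copy or mount of c:/windows/system.

```python
import fnmatch
import os
import tempfile

# Names from the list in the message above, lower-cased because
# Win9x file names are case-insensitive.
INDICATORS = ["wininit.exe", "wininit.log", "info.dll", "dnetc.exe",
              "dnetc.ini", "buff-in.*", "ms216.exe"]


def scan_system_dir(path, window_seconds=120):
    """Return (hits, neighbours) for one directory.

    hits: files whose names match an indicator pattern.
    neighbours: other files modified within window_seconds of any hit.
    """
    entries = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            entries.append((name, os.path.getmtime(full)))
    hits = sorted(n for n, _ in entries
                  if any(fnmatch.fnmatchcase(n.lower(), p) for p in INDICATORS))
    hit_times = [t for n, t in entries if n in hits]
    neighbours = sorted(
        n for n, t in entries
        if n not in hits and any(abs(t - h) <= window_seconds for h in hit_times))
    return hits, neighbours


def build_sample_dir():
    """Constructed sample directory standing in for c:/windows/system."""
    root = tempfile.mkdtemp()
    infected_at, old = 1000400000, 900000000  # constructed epoch times
    sample = {"WININIT.EXE": infected_at, "dnetc.ini": infected_at + 5,
              "Buff-in.rc5": infected_at + 30, "unknown.exe": infected_at + 10,
              "kernel32.dll": old, "user.exe": old}  # constructed file set
    for name, mtime in sample.items():
        full = os.path.join(root, name)
        with open(full, "w") as handle:
            handle.write("constructed sample\n")
        os.utime(full, (mtime, mtime))
    return root


if __name__ == "__main__":
    found, nearby = scan_system_dir(build_sample_dir())
    print("indicator files:", found)
    print("other files with matching timestamps:", nearby)
```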