[42586] in North American Network Operators' Group

Re: Worm probes

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Sep 18 11:31:22 2001

Message-Id: <200109181529.f8IFTrr07381@foo-bar-baz.cc.vt.edu>
To: Bryan Heitman <bryanh@communitech.net>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Tue, 18 Sep 2001 10:22:06 CDT."
             <00d801c14055$ad3a6e10$1100a8c0@administration3> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-1110415492P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Tue, 18 Sep 2001 11:29:53 -0400
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, 18 Sep 2001 10:22:06 CDT, Bryan Heitman <bryanh@communitech.net>  said:
> 
> We're also seeing a large increase in this activity.  This seems to be more
> severe than the first time.  Have an additional 30 to 40 meg inbound from
> this.

This seems to be the culprit:

Concept Virus(CV) V.5, Copyright(C)2001  R.P.China

I've nailed a copy, and am working on getting it to the right security
people.  A *PRELIMINARY* look (eyeballing the output of 'strings') indicates that
this one *both* sends itself via e-mail a la SirCam, *AND* scans for vulnerable
web servers, and if it finds a vulnerable server, it causes anybody visiting
that webpage to be offered a contaminated .exe as well.

I do *NOT* have a handle on what malicious effects it has other than just
propagating.

This one's nasty, folks...

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
