[42589] in North American Network Operators' Group
RE: Worm probes
daemon@ATHENA.MIT.EDU (Roeland Meyer)
Tue Sep 18 11:49:28 2001
Message-ID: <EA9368A5B1010140ADBF534E4D32C728069ED9@condor.mhsc.com>
From: Roeland Meyer <rmeyer@mhsc.com>
To: "'Valdis.Kletnieks@vt.edu'" <Valdis.Kletnieks@vt.edu>,
Bryan Heitman <bryanh@communitech.net>
Cc: nanog@merit.edu
Date: Tue, 18 Sep 2001 08:48:43 -0700
MIME-Version: 1.0
Content-Type: text/plain
Errors-To: owner-nanog-outgoing@merit.edu
I wonder if ...
Afghanistan ... Taliban .... holy war ...?
We need to start back-tracing this one, methinks.
|> -----Original Message-----
|> From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
|> Sent: Tuesday, September 18, 2001 8:30 AM
|> To: Bryan Heitman
|> Cc: nanog@merit.edu
|> Subject: Re: Worm probes
|>
|>
|> On Tue, 18 Sep 2001 10:22:06 CDT, Bryan Heitman
|> <bryanh@communitech.net> said:
|> >
|> > We're also seeing a large increase in this activity. This seems to be more
|> > severe than the first time. Have an additional 30 to 40 meg inbound from
|> > this.
|>
|> This seems to be the culprit:
|>
|> Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
|>
|> I've nailed a copy, and am working on getting it to the right security
|> people. A *PRELIMINARY* (eyeballing the output of 'strings') indicates that
|> this one *both* sends itself via email a la SirCam, *AND* scans for vulnerable
|> web servers, and if it finds a vulnerable server, it causes anybody visiting
|> that webpage to be offered a contaminated .exe as well.
|>
|> I do *NOT* have a handle on what malicious effects it has other than just
|> propagating.
|>
|> This one's nasty, folks...
|>
|> --
|> Valdis Kletnieks
|> Operating Systems Analyst
|> Virginia Tech
|>
|>