[42683] in North American Network Operators' Group


RE: Worm probes

daemon@ATHENA.MIT.EDU (Eric Germann)
Tue Sep 18 20:02:46 2001

Reply-To: <ekgermann@cctec.com>
From: "Eric Germann" <ekgermann@cctec.com>
To: <Valdis.Kletnieks@vt.edu>, <sigma@pair.com>
Cc: <nanog@merit.edu>
Date: Tue, 18 Sep 2001 19:57:28 -0400
Message-ID: <NDBBJJPLIGJGLBKILFIHCECCEAAA.ekgermann@cctec.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_003B_01C1407C.251C0440"
In-Reply-To: <200109181834.f8IIYHr11697@foo-bar-baz.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu




We found the following on an infected server also:

For each share on the server, it generates a .eml file and puts it in the
root of the share.  It then creates an index.asp, index.htm, default.asp and
default.htm on the root of the share which point to and download the .eml
file from the root of the share.  Neat thing is, anyone with Active Desktop
(View my Desktop as a Web Page) enabled is going to get it, presumably,
simply by browsing the shared directory.  It looks like it morphs the .eml
file names too.  Not all are "readme.eml", although they all are ~79K in
size.

Happy disinfecting.  My customer on the end of a 56K FR link was fsck'd this
afternoon.  Welcome to IT during the first war of the 21st century ...

Eric


==========================================================================
  Eric Germann                                        CCTec
  ekgermann@cctec.com                                 Van Wert OH 45801
  http://www.cctec.com                                Ph:  419 968 2640
                                                      Fax: 603 825 5893

"It is so easy to miss pretty trivial solutions to problems deemed
complicated.  The goal of a scientist is to find an interesting problem,
and live off it for a while.  The goal of an engineer is to evade
interesting problems :)"  -- Vadim Antonov <avg@kotovnik.com> on NANOG




> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
> Valdis.Kletnieks@vt.edu
> Sent: Tuesday, September 18, 2001 2:34 PM
> To: sigma@pair.com
> Cc: nanog@merit.edu
> Subject: Re: Worm probes
>
>
> On Tue, 18 Sep 2001 13:36:48 EDT, sigma@pair.com said:
> > Along those lines, weren't there some projects last time around
> > to find and clean up the affected machines?  Clearly there are LOTS of
> > vulnerable NT servers still out there.  Presumably these are being
> > responded to just like
>
> This also has an e-mail vector and a web DOWNLOAD vector.
>
> There may be lots of vulnerable NT servers, but there's a lot MORE copies
> of Outlook and Internet Explorer out there.
>
> Think SirCam *AND* CodeRed *AND* the infect-a-surfer vector....
> --
> 				Valdis Kletnieks
> 				Operating Systems Analyst
> 				Virginia Tech
>
>

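As an added defender-side example (not from the post or from anyone on the list), a Python scan that checks a share root for the pattern Eric describes: dropper pages named index.asp, index.htm, default.asp or default.htm that reference a .eml file, plus .eml files of roughly the reported ~79K. The sample share layout, the size tolerance and all file contents below are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Files the post reports in the root of every share on the infected server.
DROPPER_PAGES = ("index.asp", "index.htm", "default.asp", "default.htm")
# Any reference to a .eml file inside one of those pages, whatever its name
# (the post says the .eml names vary, so we do not key on "readme.eml").
EML_REF = re.compile(rb"[\w.\-]+\.eml", re.IGNORECASE)
# The post gives "~79K" for the dropped .eml files; this tolerance is an assumption.
EML_SIZE_RANGE = (70_000, 90_000)


def scan_share_root(root):
    """Return findings for one share root as (kind, filename, detail) tuples.

    kind is 'page' for a dropper page that points at a .eml file and
    'eml' for a .eml file in the root whose size is in the reported range.
    """
    root = Path(root)
    findings = []
    for page in DROPPER_PAGES:
        path = root / page
        if not path.is_file():
            continue
        for match in EML_REF.finditer(path.read_bytes()):
            findings.append(("page", page, match.group(0).decode("ascii", "replace")))
    for eml in sorted(root.glob("*.eml")):
        size = eml.stat().st_size
        if EML_SIZE_RANGE[0] <= size <= EML_SIZE_RANGE[1]:
            findings.append(("eml", eml.name, size))
    return findings


def build_sample_share(base):
    """Create a constructed share layout mimicking the post; nothing here is real worm content."""
    base = Path(base)
    (base / "readme.eml").write_bytes(b"X" * 79_000)          # padding of the reported size
    (base / "index.htm").write_text('<html><body><a href="readme.eml">x</a></body></html>')
    (base / "default.asp").write_text('<% Response.Redirect "readme.eml" %>')
    (base / "notes.txt").write_text("benign file, should not be flagged")
    return base


def demo():
    """Build the constructed share in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_share_root(build_sample_share(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointing `scan_share_root` at the root of each real share (not the demo directory) is the intended use; a non-empty result means the share warrants a closer look.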

