Re: Worm probes.. Looking for captures.

• From: Michael Airhart
• Date: Tue Sep 18 13:14:07 2001

> Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
> I've nailed a copy, and am working on getting it to the right security
> people. A *PRELIMINARY* (eyeballing the output of 'strings' indicates that
> this one *both* sends itself via-email a la SirCam, *AND* scans for vulnerable
> web servers, and if it finds a vulnerable server, it causes anybody visiting
> that webpage to be offered a contaminated .exe as well.
> I do *NOT* have a handle on what malicious effects it has other than just
> propagating.

I work at a large university and our security guys think this guy is what's
been causing us problems all morning. Lots of subnet scans (tons of
incomplete arps), CC Mail servers are wacking out, HPOV noting that
old 3Com gear is dropping etc. This is what I've heard through the rumor
mill (so take it with a grain of salt)...

"...At first blush, it spreads itself via by web, email, and maybe shares.
We've seen it spreading by a set of two HTTP requests. It will look for
backdoors left behind by Code Red, such as /scripts/root.exe. It uses tftp
to copy itself to the target machine then launches it via a second HTTP
command."

Eric :)

--------------------------------------------------------------------------------------------------------
Michael Airhart				512/378-1246 Office
Consulting Systems Engineer			413/480-1958 eFax
Cisco Systems, Inc.				800/365-4578 Pager
12515 Research Blvd				[email protected]
Austin, TX 78759

• References:
  • Re: Worm probes Valdis.Kletnieks
  • Re: Worm probes up
  • Re: Worm probes Bryan Heitman
  • Re: Worm probes Eric Gauthier

• Prev by Date: Re: Afghanistan
• Next by Date: Re: Worm probes
• Date Index
• Thread Index
• Author Index
• Historical