Worm/Virus alert

From: Marion Bates <Marion.Bates_at_dartmouth.edu>
Date: Tue Sep 18 12:11:27 2001

Hey all,

Sorry bout the spam (and sorry if you already know about this) but I figured you folks might want to know to watch out for a new Code Red-esque worm that's running rampant...below is from SlashDot. http://slashdot.org/articles/01/09/18/151203.shtml

-- MB

New (More) Annoying Microsoft Worm Hits Net
Posted by CmdrTaco on Tuesday September 18, _at_10:10AM
from the what-a-pain-in-the-arse dept.
A new worm seems to be running rampant Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am) I'm sure it'll keep moving to nearby boxes.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../ ..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update: Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
Received on Tue Sep 18 2001 - 12:11:27 BST

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:34:25 BST