Return-Path: <sentto-279987-2033-1000829762-fc=all.net@returns.onelist.com> Delivered-To: fc@all.net Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Tue, 18 Sep 2001 09:18:13 -0700 (PDT) Received: (qmail 9614 invoked by uid 510); 18 Sep 2001 16:16:28 -0000 Received: from n23.groups.yahoo.com (216.115.96.73) by 204.181.12.215 with SMTP; 18 Sep 2001 16:16:28 -0000 X-eGroups-Return: sentto-279987-2033-1000829762-fc=all.net@returns.onelist.com Received: from [10.1.4.52] by ck.egroups.com with NNFMP; 18 Sep 2001 16:16:02 -0000 X-Sender: fc@big.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-7_3_2_2); 18 Sep 2001 16:16:01 -0000 Received: (qmail 76301 invoked from network); 18 Sep 2001 16:16:01 -0000 Received: from unknown (10.1.10.142) by m8.onelist.org with QMQP; 18 Sep 2001 16:16:01 -0000 Received: from unknown (HELO big.all.net) (65.0.156.78) by mta3 with SMTP; 18 Sep 2001 16:16:01 -0000 Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id JAA05540 for iwar@onelist.com; Tue, 18 Sep 2001 09:16:00 -0700 Message-Id: <200109181616.JAA05540@big.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL1] From: Fred Cohen <fc@all.net> Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Tue, 18 Sep 2001 09:16:00 -0700 (PDT) Reply-To: iwar@yahoogroups.com Subject: [iwar] [fc:New.worm.in.town.-.spreading.very.rapidly.-.Concept.Virus(CV).V.5,.Copyright(C)2001..R.P.China] Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Hi all! We've all just been hit by a VERY aggressive worm/virus. Quick analysis indicates that it propagates itself in a number of different ways: Through use of IIS UNICODE direcory traversal coupled with the recent IIS .dll privilege escalation attack. It uses SMB/CIFS and TFTP to get the worm payload. Through MAPI mails (probably to all of addressbook). Other ways of spreading may be possible, but we haven't yet had the time to properly analyse the worm/virus. It seems to share "c:\" via SMB/CIFS as "c$" and the worm/virus also adds the "Guest" user and "Guests" group to the local "Administrators" group.... Interesting strings in binary: Concept Virus(CV) V.5, Copyright(C)2001 R.P.China SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security share c$=c:\ user guest "" localgroup Administrators guest /add localgroup Guests guest /add user guest /active open user guest /add net More info as we come upon it..... /olle ------------------------ Yahoo! Groups Sponsor ---------------------~--> Secure your servers with 128-bit SSL encryption! Grab your copy of VeriSign's FREE Guide: "Securing Your Web Site for Business." Get it Now! http://us.click.yahoo.com/4mr93B/zhwCAA/yigFAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:45 PDT