Worm probes

ravi pina ravi at cow.org
Tue Sep 18 15:35:28 UTC 2001


indeed.  scanning for strings that appear to be associated
with the Concept Virus (CV) V.5, there is a tremendous
increase in bandwidth usage.  today alone i match:

/scripts:    18013
/_vti_bin:     1885
_mem_bin:     1916
/ms_adc/:     1945
/winnt/system32:    27648

bugtraq is starting to get in the preliminary reports
of this worm.  beware that infected hosts' home pages
contain a javascript that sends you to a page that
attempts to send you a copy of the worm.  fantastic, eh?

-r

On Tue, Sep 18, 2001 at 11:05:35AM -0400, up at 3.am said at one point in time:
> 
> 
> ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k
> box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this
> time of day, although still well short of capacity...apache server
> processor load is WAY up just from the requests, and the logs are growing
> like mad.
> 
> On Tue, 18 Sep 2001, deeann mikula wrote:
> 
> > 
> > On Tue, 18 Sep 2001, ravi pina wrote:
> > 
> > >
> > > On Tue, Sep 18, 2001 at 09:54:31AM -0400, sigma at pair.com said at one point in time:
> > > >
> > > >
> > > > Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
> > > > probes this morning?  We're seeing about 8000/second, starting around 9:15
> > > > Eastern time, to and from a wide variety of addresses.
> > >
> > > affirmative.  i just looked at my logs, and it looks like
> > > each probe tries a bunch of things.  i haven't seen much
> > > on the lists, but i'm looking right now.
> > 
> > i'm pretty sure that the worm's attack phase starts on the 20th (which
> > of course, depends upon a correctly set system clock) and also that
> > attempting to execute something like /scripts/root.ext/c++ something
> > is involved.
> > 
> > i think that cert's website would be a good place to look.  i'm *not*
> > a security/virus chick, but i did host a talk by marty linder of cert
> > where he dissected code red's activity and presented a summary.
> > 
> > cert is of course, http://www.cert.org.
> > 
> > 
> > deeann m.m. mikula
> > 
> > director of operations
> > telerama public access internet
> > http://www.telerama.com
> > 1.877.688.3200
> > 
> > 
> > 
> > 
> 
> James Smallacombe		      PlantageNet, Inc. CEO and Janitor
> up at 3.am							    http://3.am
> =========================================================================

-- 
echo "send pgp key" | mail ravi at cow.org ; ravi at happy:/home/ravi# rm -rf /bin/laden 
"Now I don't want you to worry, class.  These tests will have no effect on
 your grades.  They merely determine your future social status and
 financial success.  If any."  -- Mrs. Krabappel
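As an added example that is not part of this thread: a small Python log scanner doing the kind of tally ravi describes, counting the probe strings from his post per signature and per source host over constructed Apache common-log lines. The signature list, the sample log and the threshold are my own construction; the fourth path is assumed to be /msadc/ as the intended spelling.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Request-path substrings tallied in the post (constructed signature list;
# "/msadc/" is an assumption about the intended spelling of the fourth path).
PROBE_SIGNATURES = ("/scripts", "/_vti_bin", "/_mem_bin", "/msadc/", "/winnt/system32")

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: one noisy source plus one mostly benign client.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:09:15:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [18/Sep/2001:09:15:02 -0400] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [18/Sep/2001:09:15:03 -0400] "GET /msadc/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [18/Sep/2001:09:15:03 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.9 - - [18/Sep/2001:09:16:10 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.9 - - [18/Sep/2001:09:16:11 -0400] "GET /_mem_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
"""

def probe_matches(path):
    """Signatures hit by one request path. URL-decode and fold backslashes to
    slashes first so encoded traversal variants still match the plain strings."""
    decoded = unquote(path).replace("\\", "/").lower()
    return [sig for sig in PROBE_SIGNATURES if sig in decoded]

def tally_probes(lines):
    """Return (matches per signature, probe requests per source host)."""
    per_sig, per_host = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not common-log format
        hits = probe_matches(m["path"])
        if hits:
            per_sig.update(hits)
            per_host[m["host"]] += 1
    return per_sig, per_host

def noisy_hosts(per_host, threshold=3):
    """Hosts at or above the threshold: candidates for a customer call or an edge filter."""
    return sorted(h for h, n in per_host.items() if n >= threshold)

if __name__ == "__main__":
    per_sig, per_host = tally_probes(SAMPLE_LOG.splitlines())
    for sig, n in per_sig.most_common():
        print(f"{sig + ':':<18}{n:>6}")
    print("noisy hosts:", noisy_hosts(per_host))
```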
