<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META content="MSHTML 5.50.4616.200" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=600542115-14092001>I was
in error. This is not a new worm. Just an old one that won't
die.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><A
href="http://www.Symantec.com/avcenter/venc/data/w32.hllw.bymer.html">http://www.Symantec.com/avcenter/venc/data/w32.hllw.bymer.html</A></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=600542115-14092001>Apologies.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=600542115-14092001></SPAN></FONT> </DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Ejay Hire
[mailto:Ejay.hire@broadslate.net]<BR><B>Sent:</B> Friday, September 14, 2001
12:04 PM<BR><B>To:</B> nanog@merit.edu<BR><B>Subject:</B> New
Worm<BR><BR></FONT></DIV>
<DIV><FONT face=Arial size=2>My honeypot was infected with a new
self-replicating worm yesterday. It appears to check for open
Win95/98/Me NetBIOS shares with read/write permission and installs wininit.exe
(the scanner/infector) and the distributed.net client (in quiet mode).
Upon reboot, the scanner will start and search for infectable hosts
during periods of inactivity. The Windows 2000 Pro PC seems
unaffected. I will make the files available for disassembly if anyone
is interested.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>To check for infection, look for the following
files in c:/windows/system</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>wininit.exe -- Application</FONT></DIV>
<DIV><FONT face=Arial size=2>wininit.log -- Apparent Log
file</FONT></DIV>
<DIV><FONT face=Arial size=2>info.dll -- Apparent Log
file</FONT></DIV>
<DIV><FONT face=Arial size=2>dnetc.exe -- Distributed.net
client</FONT></DIV>
<DIV><FONT face=Arial size=2>dnetc.ini -- Distributed.net config</FONT></DIV>
<DIV><FONT face=Arial size=2>Buff-in.* -- Distributed.net work
units</FONT></DIV>
<DIV><FONT face=Arial size=2>ms216.exe -- Unknown, but the timestamp matched
the other files...</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV></BLOCKQUOTE></BODY></HTML>