Security Incidents mailing list archives
Re: Concept Virus(CV) V.5 - Advisory and Quick analysis
From: Dave Sill <davids () socket net>
Date: Tue, 18 Sep 2001 14:13:00 -0400
We've blocked 69/udp at our internal and border routers both incoming and outgoing. Be careful with your private networks. Our tech support department contracted this bug by opening a web page of an infected customer in response to a complaint about performance.

Dave Sill
Server Admin
Socket Internet Services
davids () socket net

On Tuesday 18 September 2001 15:10, you wrote:
> YES
>
> --- Dave Sill <davids () socket net> wrote:
>
>> You say that the worm gets a payload by tftp... Is it using port 69?
>>
>> Thanks,
>>
>> Dave Sill
>> Server Admin
>> Socket Internet Services
>> davids () socket net
>>
>> Is the worm
>>
>> On Tuesday 18 September 2001 10:47, you wrote:
>>
>>> Hi all!
>>>
>>> We've all just been hit by a VERY aggressive worm/virus.
>>>
>>> Quick analysis indicates that it propagates itself in a number of different ways:
>>>
>>> Through use of IIS UNICODE directory traversal coupled with the recent IIS .dll privilege escalation attack. It uses SMB/CIFS and TFTP to get the worm payload.
>>>
>>> Through MAPI mails (probably to all of addressbook).
>>>
>>> Other ways of spreading may be possible, but we haven't yet had the time to properly analyse the worm/virus.
>>>
>>> It seems to share "c:\" via SMB/CIFS as "c$" and the worm/virus also adds the "Guest" user and "Guests" group to the local "Administrators" group....
>>>
>>> Interesting strings in binary:
>>>
>>> Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
>>> SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
>>> share c$=c:\
>>> user guest ""
>>> localgroup Administrators guest /add
>>> localgroup Guests guest /add
>>> user guest /active
>>> open
>>> user guest /add
>>> net
>>>
>>> More info as we come upon it.....
>>>
>>> /olle
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
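A host-side triage check for the local-account changes the quoted analysis describes (Guest and Guests added to Administrators, Guest enabled), added here as an example and not code from anyone in this thread. It parses the text of `net localgroup Administrators` and `net user guest`; the sample command output embedded below is constructed.

```python
import re

# Constructed sample outputs, mirroring the account changes the quoted analysis attributes to the
# worm. On a real host, feed in the text of `net localgroup Administrators` and `net user guest`.
SAMPLE_ADMINS = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Guest
Guests
The command completed successfully.
"""

SAMPLE_GUEST = """User name                    Guest
Full Name
Account active               Yes
The command completed successfully.
"""

def parse_localgroup_members(text):
    """Names listed after the dashed separator in `net localgroup <group>` output."""
    members, in_list = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_list = True
        elif in_list and line.strip() and not line.startswith("The command"):
            members.append(line.strip())
    return members

def parse_net_user(text):
    """{field: value} from `net user <name>` output (fields are separated by 2+ spaces)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage(admins_text, guest_text):
    """Indicators found on the host; an empty list means none of these changes are present."""
    findings = []
    members = {m.lower() for m in parse_localgroup_members(admins_text)}
    for suspect in ("guest", "guests"):
        if suspect in members:
            findings.append(f"'{suspect}' is a member of local Administrators")
    if parse_net_user(guest_text).get("Account active", "").lower() == "yes":
        findings.append("Guest account is enabled")
    return findings
```

Run both commands from an elevated prompt on the host under review and pass their output to `triage`; a non-empty result warrants the share and registry checks the analysis also names.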