Security Incidents mailing list archives
Re: Concept Virus(CV) V.5 - Quick analysis update
From: Homer Wilson Smith <homer () lightlink com>
Date: Tue, 18 Sep 2001 20:05:50 -0400 (EDT)
If anyone has the proper entries in the apache 1.3.20 config file to block the gets to Admin.dll, root.exe and cmd.exe, I would appreciate knowing about them. Been playing with <FilesMatch> and <DirectoryMatch> but they only seem to work IF the directory path actually exists on the machine. We are being swamped here.

Homer

------------------------------------------------------------------------
Homer Wilson Smith      Clean Air, Clear Water,     Art Matrix - Lightlink
(607) 277-0959          A Green Earth and Peace.    Internet Access, Ithaca NY
homer () lightlink com   Is that too much to ask?    http://www.lightlink.com

On Tue, 18 Sep 2001, Brian Pomeroy wrote:

> This morning I received an e-mail with the subject line "elvis presley - amazing grace" from asportal () microsoft com and containing an attachment named read.exe. I am suspecting this could be related.
>
> Brian Pomeroy
> e-Transformation/e-Medicine Center
> The Children's Hospital of Philadelphia
> Philadelphia, PA USA
> http://www.chop.edu/
> pomeroy () email chop edu || lunar () voicenet com
>
> ----- Original Message -----
> From: "Olle Segerdahl" <olle () defcom com>
> To: <bugtraq () securityfocus com>; <incidents () securityfocus com>
> Sent: Tuesday, September 18, 2001 11:58 AM
> Subject: Concept Virus(CV) V.5 - Quick analysis update
>
> > More infection routes:
> >
> > The worm, upon infecting a new host, goes through all the shared directories and their subdirectories and plants the following files in each dir:
> >
> > sample.nws
> > sample.eml
> > desktop.eml
> > desktop.nws
> >
> > which are eml messages with copies of itself ("readme.exe") autoloaded by a html script tag,
> >
> > riched20.dll
> >
> > which is a trojan dll version of itself probably designed to infect people running notepad/wordpad in that dir.
> >
> > It also infects htm/html/asp files all over the system with a <SCRIPT> tag appendage that links to a readme.eml file in the current directory, thus infecting more webservers and even windows helpsystem and the IE "friendly" error messages.
> >
> > The worm puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above "readme.exe" format.....
> >
> > So in short: This thing spreads via fileserver shares and also infects all web content files it sees, it's EVIL.
> >
> > /olle
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
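As an added example (not from any message in this thread), here is an Apache 1.3 configuration fragment that addresses the question above by matching on the requested URL rather than on a filesystem path, so it fires whether or not the directory exists. It assumes mod_rewrite and mod_setenvif are loaded; the `worm_probes.log` file name and the `worm_probe` variable name are placeholders chosen for this example.

```apache
# Added example: refuse requests whose URL path names Admin.dll, root.exe
# or cmd.exe. Place in httpd.conf at server or <VirtualHost> level.
#
# <FilesMatch>/<DirectoryMatch> are evaluated after the URL has been mapped
# to the filesystem, so they never match a path that does not exist.
# mod_rewrite inspects the request URI before that mapping happens.
RewriteEngine On
# Match the raw request URI, case-insensitively ([NC]); [OR] chains conditions.
RewriteCond %{REQUEST_URI} /Admin\.dll [NC,OR]
RewriteCond %{REQUEST_URI} /root\.exe  [NC,OR]
RewriteCond %{REQUEST_URI} /cmd\.exe   [NC]
# Answer 403 Forbidden at once; no file lookup, nothing served.
RewriteRule .* - [F]

# Alternative without mod_rewrite: <LocationMatch> also matches on the URL
# path, so it likewise works for nonexistent directories (regex is
# case-sensitive here):
# <LocationMatch "(Admin\.dll|root\.exe|cmd\.exe)">
#     Order deny,allow
#     Deny from all
# </LocationMatch>

# Optional: tag the probes with an environment variable and write them to
# their own log so the scan volume can be counted without grepping the
# main access log. (Placeholder names: worm_probe, logs/worm_probes.log)
SetEnvIf Request_URI "(Admin\.dll|root\.exe|cmd\.exe)" worm_probe
CustomLog logs/worm_probes.log combined env=worm_probe
```

After adding the fragment, run `apachectl configtest` before restarting so a typo in the regex does not take the server down while it is already under load.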
Current thread:
- Concept Virus(CV) V.5 - Advisory and Quick analysis Olle Segerdahl (Sep 18)
- Re: Concept Virus(CV) V.5 - Advisory and Quick analysis Dave Sill (Sep 18)
- Concept Virus(CV) V.5 - Quick analysis update Olle Segerdahl (Sep 18)
- A suggestion to Concept/Nimda analysts Stuart Staniford (Sep 18)
- Re: Concept Virus(CV) V.5 - Quick analysis update Brian Pomeroy (Sep 18)
- Re: Concept Virus(CV) V.5 - Quick analysis update Homer Wilson Smith (Sep 18)
- Re: Concept Virus(CV) V.5 - Quick analysis update Michael H. Warfield (Sep 18)
- Re: Concept Virus(CV) V.5 - Advisory and Quick analysis Jose Nazario (Sep 18)
- Re: Concept Virus(CV) V.5 - Advisory and Quick analysis Michael H. Warfield (Sep 18)
- <Possible follow-ups>
- RE: Concept Virus(CV) V.5 - Advisory and Quick analysis Mark Challender (Sep 18)
- RE: Concept Virus(CV) V.5 - Advisory and Quick analysis Mark Challender (Sep 18)
- Re: Concept Virus(CV) V.5 - Advisory and Quick analysis Dave Sill (Sep 18)
- RE: Concept Virus(CV) V.5 - Advisory and Quick analysis Robert Nieuwhof (Sep 18)
- RE: Concept Virus(CV) V.5 - Advisory and Quick analysis Davis, Matt (Sep 19)