This is a useful and helpful spam.... well worth it, thanks for the heads
up...
Curt
----- Original Message -----
From: "Marion Bates" <Marion.Bates(a)dartmouth.edu>
To: <classiccmp(a)classiccmp.org>
Sent: Tuesday, September 18, 2001 1:11 PM
Subject: Worm/Virus alert
Hey all,
Sorry bout the spam (and sorry if you already know about this) but I
figured you
folks might want to know to watch out for a new Code Red-esque
worm that's running rampant...below is from SlashDot.
http://slashdot.org/articles/01/09/18/151203.shtml
-- MB
**************
New (More) Annoying Microsoft Worm Hits Net
Posted by CmdrTaco on Tuesday September 18, @10:10AM
from the what-a-pain-in-the-arse dept.
A new worm seems to be running rampant Unlike Code Red, it attempts to hit
boxes
with many different exploits (including what looks like an attempt to
exploit boxes still rooted by Code Red). It looks like each IP tries 16
attempts on its neighbors. There is also a new mail worm mailing WAV files
or something with bits of what appears to be the registry... it may or may
not be related. Got any words on this? Shut down those windows boxes and
stop opening attachments. And make that 21. Got another one while writing
this story. All my hits are coming from 208.n.n.n (where I am) I'm sure
it'll keep moving to nearby boxes.
Here are examples of the requests it's sending:
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../
..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
While writing this story I was hit a total of 4 times, 16 GET attempts per
attack.
In only 4 minutes. Also of interest, My desktop has now been hit
about 500 times today, all from 208.x.x.x IPs. This might be really bad. I
still haven't read anything about this anywhere else, so you heard it here
first ;)
Update: Web servers compromised by this worm apparently attach a
"readme.eml" to all web pages served... and due to a bug in IE5, it will
automatically execute the file! Yay Internet Explorer!