Re: Alert: Some sort of IIS worm seems to be propagating

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 09/18/01


Message-ID:  <E9A01F52DC939448BBDE44ED2E1C468F1F14CC@muskie.rc.on.ca>
Date:         Tue, 18 Sep 2001 12:19:27 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
Subject:      Re: Alert: Some sort of IIS worm seems to be propagating
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


-----BEGIN PGP SIGNED MESSAGE-----

Ok, whoa horsy, I've got lots of copies of ADMIN.DLL now thanks!

Analysis is still on-going to determine precisely what the infecting
files do (there are potentially two, ADMIN.DLL and README.EXE).

Some people have said their boxes seem unstable. It could be because
of numerous copies of TFTP.EXE in memory. At this point it might be
best to disconnect any computer that appears unstable from the
network, until such time as sufficient analysis has been performed to
advise how best to bring the box back on-line.

It is also possible for client machines to perform the attacks that
we're seeing. If you have a way to filter outbound HTTP requests, you
should look for anything that contains "/scripts" or "tftp" in the
URL and treat it as suspicious.

The internal threat by this one is no different (and maybe worse)
than CRII. We've seen indications of WnetEnumResource calls as well
as references to IPC$. There may be NetBIOS share activity associated
with the worm, and if so, it will likely spread rapidly internally.

More than likely you will see the biggest effect in terms of a DoS
(from many source machines). This thing cares not whether you're an
IIS box or not, it tries regardless. As this spreads the effects may
become more severe (no, I'm not going to provide a quote on how
severe). Make sure your inbound (and preferably your outbound)
router rules are restricted to only those protocols that must be
present, and ideally to machine IP addresses that should have access.

More as it becomes available.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO6d0DxBh2Kw/l7p5AQFSUQQAr8sGDIVt6W6Cg5HZa+XEnVlC94+BTIpn
Y/mY301eseIjwsl46sjrdR/UewymNRBElE/BFK88drL8O+sBR57GcirqUH5LuHHd
xIxGD5Jg6iFAwrC2NnKXmGvEy9svKloIDSgVw2qQR3rFoeXPL7u8N4F+G1LJ4n1+
cy6kr8ik+TA=
=/WEX
-----END PGP SIGNATURE-----
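The outbound-filtering advice in the message above (flag any HTTP request whose URL contains "/scripts" or "tftp") can be checked against a proxy or web-server access log. The following is an added example written for this page, not code from Russ or from NTBugtraq; the log lines are constructed samples in Common Log Format, and the percent-decoding and case-folding are this example's own additions so that encoded or mixed-case variants of the two indicators are not missed. The per-source tally at the end is meant to help identify which internal machines are generating the traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Indicators named in the original post: treat outbound requests whose URL
# contains "/scripts" or "tftp" as suspicious.
INDICATORS = ("/scripts", "tftp")

# Common Log Format as written by many proxies and web servers:
#   client ident user [time] "METHOD url HTTP/x.y" status size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log lines (not traffic from the original post).
# Line 3 percent-encodes the "t" in tftp; line 4 uses mixed case; line 5 is a
# benign page that still matches the coarse "tftp" indicator and would need triage.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:12:01:03 -0400] "GET http://www.example.com/index.html HTTP/1.0" 200 5120
10.0.0.7 - - [18/Sep/2001:12:01:04 -0400] "GET http://198.51.100.20/scripts/probe.asp HTTP/1.0" 404 0
10.0.0.7 - - [18/Sep/2001:12:01:05 -0400] "GET http://198.51.100.21/upload?cmd=%74ftp+fetch HTTP/1.0" 404 0
10.0.0.9 - - [18/Sep/2001:12:01:06 -0400] "GET http://www.example.com/Scripts/news.asp HTTP/1.0" 200 800
10.0.0.5 - - [18/Sep/2001:12:01:07 -0400] "GET http://www.example.com/docs/tftp-rfc.html HTTP/1.0" 200 3000
this line is not in log format and is skipped
"""


def normalize_url(url: str) -> str:
    """Percent-decode once and lower-case so encoded or mixed-case variants match."""
    return unquote(url).lower()


def match_indicator(url: str):
    """Return the first indicator found in the normalized URL, or None."""
    norm = normalize_url(url)
    for indicator in INDICATORS:
        if indicator in norm:
            return indicator
    return None


def flag_suspicious_requests(log_text: str):
    """Parse CLF lines and return a record for each request matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a production filter would count these
        indicator = match_indicator(m["url"])
        if indicator:
            hits.append({
                "client": m["client"],
                "time": m["time"],
                "url": m["url"],
                "indicator": indicator,
            })
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client IP to show which machines to look at first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    flagged = flag_suspicious_requests(SAMPLE_LOG)
    for h in flagged:
        print(f"{h['time']}  {h['client']:<12} {h['indicator']:<9} {h['url']}")
    print("\nflagged requests per source:")
    for client, count in summarize_by_source(flagged).most_common():
        print(f"  {client:<12} {count}")
```

The rule is deliberately coarse, as the post recommends: it flags the legitimate `tftp-rfc.html` request as well, so the output is a triage list rather than a verdict. Only one round of percent-decoding is applied here; a filter placed in front of IIS would also want to handle double-encoded paths.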
