RE: virus or hack?

From: Jon Zobrist
Date: 08/18/01

From: "Jon Zobrist"
To: "Onet Security"
Subject: RE: virus or hack?
Date: Fri, 17 Aug 2001 17:11:57 -0600

This is the sadmin/Unicode worm.
It infects Solaris servers first, then launches attacks from Solaris to IIS.

info at

Sun's notice

even more info


-----Original Message-----
From: Onet Security
Sent: Friday, August 17, 2001 1:49 PM
To: Virus Focus (E-mail); Focus-Ms (E-mail)
Subject: virus or hack?

One of our NT 4 servers running IIS 4 has several directories with a new
set of index.asp, index.htm, default.asp, and default.htm. These appeared
in site directories that were empty or almost empty. Here is the HTML text
listed in the files (slightly censored):

<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p
align="center"><font size=7 color=red>** CHINA Government</font><tr><td><p
align="center"><font size=7 color=red>** PoizonBOx<tr><td><p
align="center"><font size=4 color=red></html>

Is this caused by a Code Red type worm or is this just a simple hack?

David A. Smith
Server Operator
Technical Support
On-Net Internet Services, Inc
(317) 876-6000