Concept Virus(CV) V.5 - Quick analysis update
From: Olle Segerdahl (olle@defcom.com)Date: 09/18/01
- Previous message: Steve Halligan: "Interesting Scan--Looks like a new worm."
- In reply to: Olle Segerdahl: "Concept Virus(CV) V.5 - Advisory and Quick analysis"
- Next in thread: Stuart Staniford: "A suggestion to Concept/Nimda analysts"
- Next in thread: Mark Challender: "RE: Concept Virus(CV) V.5 - Advisory and Quick analysis"
- Reply: Stuart Staniford: "A suggestion to Concept/Nimda analysts"
- Reply: Brian Pomeroy: "Re: Concept Virus(CV) V.5 - Quick analysis update"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <3BA76F2E.D775EDA7@defcom.com> Date: Tue, 18 Sep 2001 17:58:39 +0200 From: Olle Segerdahl <olle@defcom.com> To: bugtraq@securityfocus.com, incidents@securityfocus.com Subject: Concept Virus(CV) V.5 - Quick analysis update
More infectation routes:
The worm, upon infecting a new host, goes through all the
shared directories and their subdirecories and plants the
following files in each dir:
sample.nws
sample.eml
desktop.eml
desktop.nws
which are eml messages with copies of itself ("readme.exe")
autoloaded by a html script tag,
riched20.dll
which is a trojan dll version of itself probably designed
to infect people running notepad/wordpad in that dir.
It also infects htm/html/asp files all over the system with
a <SCRIPT> tag appendage that links to a readme.eml file in
the current directory, thus infecting more webservers and
even windows helpsystem and the IE "freindly" error messages.
The worm puts a trojan mmc.exe in the winnt directory that
is a copy of itself in the above "readme.exe" format.....
So in short: This thing spreads vi fileserver shares and
also infects all web content files it sees, it's EVIL.
/olle
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Previous message: Steve Halligan: "Interesting Scan--Looks like a new worm."
- In reply to: Olle Segerdahl: "Concept Virus(CV) V.5 - Advisory and Quick analysis"
- Next in thread: Stuart Staniford: "A suggestion to Concept/Nimda analysts"
- Next in thread: Mark Challender: "RE: Concept Virus(CV) V.5 - Advisory and Quick analysis"
- Reply: Stuart Staniford: "A suggestion to Concept/Nimda analysts"
- Reply: Brian Pomeroy: "Re: Concept Virus(CV) V.5 - Quick analysis update"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
