Re: Unicode worm?

From: Dean White (dean@achillean.com.au)
Date: 08/22/02

• Previous message: Larsen, Colin: "RE: Unicode worm?"
• In reply to: Larsen, Colin: "RE: Unicode worm?"
• Next in thread: Kurt Seifried: "Re: Unicode worm?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 22 Aug 2002 05:09:26 +0000
From: Dean White <dean@achillean.com.au>
To: "Larsen, Colin" <colin.larsen@nz.unisys.com>

This is most likely the Nimda worm. The vulnerability the worm is attemting to
exploit is called the Unicode Web transversal exploit.

The worm is issuing a command to retrieve the directory listing of the C: drive.
It does this to determine if it can successfully execute the cmd.exe shell with
privledge.

This worm copies itself to the server as admin.dll via TFTP. The source of the
attack has a listening TFTP server to transmit the worm to the new system.

Hope this clears this up.

Cheers,
Dean

--------------------------------------------------------------------------------
Dean White dean@achillean.com.au
Technical Director http://www.achillean.com.au
Achillean Pty. Ltd.
"The integrity of your business is our business"
--------------------------------------------------------------------------------

On Thu, Aug 22, 2002 at 02:26:50PM +1000, Larsen, Colin wrote:
> I get this every day. Usually in batches of 8 to 16 probes. Mostly from
> China, Korea (even 2 nights of a couple of hundred probes from an Asian IT
> university!)I figure its a fact of life that anything attached to the big
> wide world is gonna get shot at.
>
> Colin.
>
> -----Original Message-----
> From: John Sage [mailto:jsage@finchhaven.com]
> Sent: Thursday, 22 August 2002 4:01 p.m.
> To: incidents@securityfocus.com
> Subject: Re: Unicode worm?
>
>
> Soeren, Keith:
>
> On Wed, Aug 21, 2002 at 07:43:00PM +0200, Soeren Ziehe wrote:
> > In article <51F912F2A6CDD111810A00600811BA42024D8BE9@TEA05> [21 Aug 02]
> > Turner, Keith (Contractor) <TurnerL@tea-emh1.army.mil> wrote:
> >
> > > [08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was
> > > not complete after one pass. Request will be rejected. Site
> > > Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.e
> > > xe'
> >
> > I'm seeing the same requests.
>
> I've recently seen several single-payload packet probes of the form:
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 08/11-02:27:44.357277 216.181.16.2:4723 -> 12.82.129.71:80
> TCP TTL:110 TOS:0x0 ID:26376 IpLen:20 DgmLen:99 DF
> ***AP*** Seq: 0x36AEB784 Ack: 0x71FD0774 Win: 0x2238 TcpLen: 20
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
> 35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 5c%5c../winnt/sy
> 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F stem32/cmd.exe?/
> 63 2B 64 69 72 0D 0A 69 72 0D 0A c+dir..ir..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> These have source IP's _not_ within my class B, or A; very quick,
> typically six to nine packets for the total transaction, and they're gone.
>
>
> - John
> --
> "You are in a little maze of twisty passages, all different."
>
> PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: Larsen, Colin: "RE: Unicode worm?"
• In reply to: Larsen, Colin: "RE: Unicode worm?"
• Next in thread: Kurt Seifried: "Re: Unicode worm?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages RE: "Code Red" worm questions ... but from other research we think the worm only tries to attack ... > This list is provided by the SecurityFocus ARIS analyzer service. ... > For more information on this free incident handling, management ... > and tracking system please see: ... (Incidents) RE: CodeRed ... >> plenty of attempts) but there is 0 chance that this worm will work ... >> exists on IIS. ... For more information on this free incident handling, management and tracking system please see: ... (Incidents) Re: Worm on 445/tcp? ... Subject: Worm on 445/tcp? ... >> and tracking system please see: ... (Incidents) Re: Code Red gone to sleep? ... "Before each attempt to connect to a new target, the worm ... >For more information on this free incident handling, management ... >and tracking system please see: http://aris.securityfocus.com ... (Incidents) Re: The x.c worm ... >> I was wondering if anyone has more information about this worm. ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ... (Incidents)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2002-08