[rescue] New worm?
Derrick Daugherty
rescue at sunhelp.org
Wed Sep 19 20:56:29 CDT 2001
It's rumored that around Wed, Sep 19, 2001 at 09:44:26PM -0400
s at avoidant.org wrote:
> Patrick Giagnocavo wrote:
>
> > > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278
> >
> > Definitely, one of my servers got over 3400 hits on this as of last
>
>
> 4567 here. I'm sort of afraid to pop my work e-mail after being out for
> two days. (I work for a web hosting company. Happily it's a Linux shop,
> but it still eats bandwidth at these volumes).
Warning: it's smart enough to use some Outlook/Outlook Express "feature"
that will infect your comp if it's even displayed in your 'preview' area
and not executed.
Summary:
o Looks for left-over Code Red backdoors
o tries to exploit on its own, same as Code Red and then some
o utilizes SirCam goodness and then some (aforementioned)
o once it infects an IIS server it alters the page to have a
JavaScript window.open "readme.eml"
o two file names are readme.eml and readme.exe and it's claiming to be
audio/x-wav
o umm... it's killing bandwidth. Much 'nicer' today than it was all day
yesterday
I believe it's all existing holes, nothing new, just incorporated
together. A strings on the binary shows something about being from
China.
Take a look at:
http://www.hackbusters.net/LaBrea/
SECTION 1 - What is it?
LaBrea is a program that creates a tarpit or, as some have called it, a
"sticky honeypot". LaBrea takes over unused IP addresses on a network
and creates "virtual machines" that answer to connection attempts.
LaBrea answers those connection attempts in a way that causes the
machine at the other end to get "stuck", sometimes for a very long
time.
^Derrick