From: Christopher Misra
Subject: [unisog] Concept Virus(CV) V.5 - Advisory and Quick analysis (fwd)
Date: Tue, 18 Sep 2001 15:44:00 GMT
X-Mailer: CorporateTime Outlook Connector 3.1 (R.3.1.3.0815)
Content-Type: text/plain; charset=iso-8859-1

Hi,

Forwarded from the incidents list at securityfocus.

- Chris

------- Forwarded Message

Date: Tue, 18 Sep 2001 16:47:00 +0200
From: Olle Segerdahl
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
Subject: Concept Virus(CV) V.5 - Advisory and Quick analysis
Content-Type: text/plain; charset=us-ascii

Hi all!

We've all just been hit by a VERY aggressive worm/virus.

Quick analysis indicates that it propagates itself in a number of different ways:

Through use of IIS UNICODE directory traversal coupled with the recent IIS .dll privilege escalation attack. It uses SMB/CIFS and TFTP to get the worm payload.

Through MAPI mails (probably to all of addressbook).

Other ways of spreading may be possible, but we haven't yet had the time to properly analyse the worm/virus.

It seems to share "c:\" via SMB/CIFS as "c$" and the worm/virus also adds the "Guest" user and "Guests" group to the local "Administrators" group....

Interesting strings in binary:

  Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
  SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
  share c$=c:\
  user guest ""
  localgroup Administrators guest /add
  localgroup Guests guest /add
  user guest /active
  open
  user guest /add
  net

More info as we come upon it.....

/olle

------------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

------- End of Forwarded Message

--
Christopher Misra
Network Analyst
OIT/Network Systems and Services
LGRC A153
University of Massachusetts
Amherst, MA 01003
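A read-only host audit for the three local changes the forwarded advisory attributes to the worm (a persistent "c$" share of C:\ under the LanmanServer Shares key, an enabled Guest account, and Guest or Guests placed in the local Administrators group). This is an added PowerShell example, not code from either message; it assumes a current Windows host where the Microsoft.PowerShell.LocalAccounts cmdlets are available, and the function name is my own.

```powershell
# Added example: audit a host for the changes described in the advisory.
# Reports findings only; it changes nothing on the machine.
function Test-ConceptVirusIndicators {
    $findings = @()

    # 1. Persistent share named c$ whose path is C:\. Default administrative
    #    shares are not stored under this key, so an explicit c$ value is suspicious.
    $sharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
    $shares = Get-ItemProperty -Path $sharesKey -ErrorAction SilentlyContinue
    if ($shares -and $shares.PSObject.Properties['c$']) {
        # Value data is REG_MULTI_SZ, e.g. 'Path=C:\', 'Permissions=0', ...
        if ($shares.'c$' | Where-Object { $_ -match '^Path=C:\\?$' }) {
            $findings += "Persistent share 'c`$' pointing at C:\ under $sharesKey"
        }
    }

    # 2. Guest account enabled (the strings show 'user guest /active').
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) {
        $findings += 'Local Guest account is enabled'
    }

    # 3. Guest user or Guests group added to local Administrators.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($m in $admins) {
        if ($m.Name -match '\\Guests?$') {
            $findings += "Administrators contains $($m.Name) ($($m.ObjectClass))"
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Suspicious   = ($findings.Count -gt 0)
        Findings     = $findings
    }
}

Test-ConceptVirusIndicators | Format-List
```

Run it from an elevated prompt; a host that shows any finding should also be checked for the IIS-side traces the advisory mentions, since these local changes are the persistence step rather than the entry vector.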