Here is exactly what it passes if anyone wants to verify their servers:
[Tue Sep 18 13:28:09 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/scripts/root.exe
[Tue Sep 18 13:28:09 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/MSADC/root.exe
[Tue Sep 18 13:28:09 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/c/winnt/system32/cmd.exe
[Tue Sep 18 13:28:09 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/d/winnt/system32/cmd.exe
[Tue Sep 18 13:28:09 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 13:28:09 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Tue Sep 18 13:28:09 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Tue Sep 18 13:28:09 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe
[Tue Sep 18 13:28:09 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/scripts/..�../winnt/system32/cmd.exe
[Tue Sep 18 13:28:09 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/scripts/..��../winnt/system32/cmd.exe
[Tue Sep 18 13:28:10 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/scripts/..�o../winnt/system32/cmd.exe
[Tue Sep 18 13:28:10 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 13:28:10 2001] [error] [client 216.54.168.17] File does not exist: /home/httpd/html/scripts/..%2f../winnt/system32/cmd.exe
----- Original Message -----
From: "Hrdy, Jim" <[EMAIL PROTECTED]>
To: "CF-Server" <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 1:34 PM
Subject: New Code Red like worm
> http:[EMAIL PROTECTED]
>
> http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0109&L=ntbugtraq&F=P&S=&P=1747
>
> http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024_cid177.shtml
>
> A new IIS worm is spreading rapidly. Its working name is Nimda:
> W32.nimda.a.mm
> It started about 9am eastern time today, Tuesday, September 18, 2001.
> Multiple sensors world-wide run by TruSecure corporation are getting
> multiple hundred hits per hour. And began at 9:08am.
> The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
> multiple vulnerabilities including:
> Almost all are get scripts, and a get msadc (cmd.exe)
> get_mem_bin
> vti_bin owssvr.dll
> Root.exe
> CMD.EXE
> ./ (Unicode)
> Getadmin.dll
> Default.IDA
> /Msoffice/ cltreq.asp
> This is not code red or a code red variant.
> The worm, like code red, attempts to infect its local sub net first, then
> spreads beyond the local address space.
>
>
> James B. Hrdy
> MCP, MCP+I, MCSE, MCSE + Internet
> voice 913.317.8083 x206
> fax 913.317.8084
> pager [EMAIL PROTECTED]
> mobile 913 638 5279
> http://www.greensoft.com
>
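Added example, not part of the original thread: one way to check an Apache error log for the probe paths listed in the reply above, grouping hits by client and flagging clients that hit two or more probe families. The signature names, the min_families threshold and the sample lines (documentation-range addresses) are assumptions made for this example; it expects one log entry per line, so mail-wrapped entries must be rejoined first.

```python
import re
from collections import defaultdict

# Apache error-log entry in the format quoted in the reply above.
ENTRY = re.compile(
    r"\[[^\]]+\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)")

# Probe families derived from the paths in the post (names are hypothetical).
SIGNATURES = [
    # ".." pairs joined by something other than a literal "/" (%5c, %2f or
    # raw non-ASCII bytes), ending in cmd.exe. Checked first: first match wins.
    ("encoded-traversal",
     re.compile(r"\.\.[^/]+\.\./.*winnt/system32/cmd\.exe$", re.I)),
    ("drive-cmd", re.compile(r"/[a-z]/winnt/system32/cmd\.exe$", re.I)),
    ("root-exe", re.compile(r"/(?:scripts|msadc)/root\.exe$", re.I)),
]

def classify(path):
    """Return the probe family a requested path belongs to, or None."""
    for name, rx in SIGNATURES:
        if rx.search(path):
            return name
    return None

def scan(lines):
    """Return {client_ip: {family: hit_count}} for matching log entries."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = ENTRY.search(line)
        family = classify(m.group("path")) if m else None
        if family:
            hits[m.group("ip")][family] += 1
    return {ip: dict(fams) for ip, fams in hits.items()}

def sweeping_clients(lines, min_families=2):
    """Clients that tried several probe families, i.e. a scripted sweep."""
    return sorted(ip for ip, f in scan(lines).items() if len(f) >= min_families)

# Constructed sample entries (not taken from a real log).
FMT = "[Tue Sep 18 13:28:09 2001] [error] [client %s] File does not exist: /home/httpd/html/%s"
SAMPLE = [FMT % pair for pair in [
    ("192.0.2.10", "scripts/root.exe"),
    ("192.0.2.10", "c/winnt/system32/cmd.exe"),
    ("192.0.2.10", "scripts/..%5c../winnt/system32/cmd.exe"),
    ("192.0.2.10", "scripts/..%2f../winnt/system32/cmd.exe"),
    ("192.0.2.20", "favicon.ico"),
    ("198.51.100.7", "MSADC/root.exe"),
]]

if __name__ == "__main__":
    print(scan(SAMPLE), sweeping_clients(SAMPLE))
```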