lots more info...off bugtraq
----- Original Message -----
From: "Russ" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 10:21 PM
Subject: Alert: Some sort of IIS worm seems to be propagating
> -----BEGIN PGP SIGNED MESSAGE-----
>
> There have been numerous reports of IIS attacks being generated by
> machines over a broad range of IP addresses. These "infected"
> machines are using a wide variety of attacks which attempt to exploit
> already known and patched vulnerabilities against IIS.
>
> It appears that the attacks can come both from email and from the
> network.
>
> A new worm, being called w32.nimda.amm, is being sent around. The
> attachment is called README.EXE and comes as a MIME-type of
> "audio/x-wav" together with some html parts. There appears to be no
> text in this message when it is displayed by Outlook when in
> Auto-Preview mode (always a good indication there's something not
> quite right with an email.)
>
> The network attacks against IIS boxes are a wide variety of attacks.
> Amongst them appear to be several attacks that assume the machine is
> compromised by Code Red II (looking for ROOT.EXE in the /scripts and
> /msadc directory, as well as an attempt to use the /c and /d virtual
> roots to get to CMD.EXE). Further, it attempts to exploit numerous
> other known IIS vulnerabilities.
>
> One thing to note is the attempt to execute TFTP.EXE to download a
> file called ADMIN.DLL from (presumably) some previously compromised
> box.
>
> Anyone who discovers a compromised machine (a machine with ADMIN.DLL
> in the /scripts directory), please forward me a copy of that .dll
> ASAP.
>
> Also, look for TFTP traffic (UDP 69). As a safeguard, consider doing
> the following:
>
> edit %systemroot%/system32/drivers/etc/services.
>
> change the line;
>
> tftp 69/udp
>
> to;
>
> tftp 0/udp
>
> thereby disabling the TFTP client. W2K has TFTP.EXE protected by
> Windows File Protection so can't be removed.
>
> More information as it arises.
>
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
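
The request patterns named in the alert above can be checked against a web server's own logs. The following is an added example, not part of the original message or of any NTBugtraq tooling: it scans an IIS log for those patterns and separates hosts that only probed from hosts whose requests were served. It assumes W3C extended log format with a `#Fields:` header; the indicator names, IP addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# (log field, pattern) per indicator named in the alert. Case-insensitive,
# since IIS does not distinguish case in URL paths.
INDICATORS = {
    "root_exe_backdoor": ("cs-uri-stem", re.compile(r"^/(scripts|msadc)/root\.exe$", re.I)),
    "drive_vroot_cmd": ("cs-uri-stem", re.compile(r"^/[cd]/.*cmd\.exe$", re.I)),
    "tftp_admin_dll": ("cs-uri-query", re.compile(r"tftp.*admin\.dll", re.I)),
}

# Constructed sample log (documentation-range addresses, made-up requests).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 22:01:07 192.0.2.44 GET /scripts/root.exe - 404
2001-09-18 22:01:08 192.0.2.44 GET /MSADC/root.exe - 404
2001-09-18 22:01:09 192.0.2.44 GET /c/winnt/system32/cmd.exe - 404
2001-09-18 22:03:15 198.51.100.7 GET /scripts/root.exe tftp.exe+CONSTRUCTED+admin.dll 200
2001-09-18 22:04:00 203.0.113.9 GET /default.htm - 200
"""

def scan(log_text):
    """Return {client_ip: {"hits": set of indicator names, "served": bool}}."""
    fields = []
    report = defaultdict(lambda: {"hits": set(), "served": False})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                        # skip truncated or malformed rows
        row = dict(zip(fields, values))
        for name, (field, pattern) in INDICATORS.items():
            if pattern.search(row.get(field, "")):
                entry = report[row.get("c-ip", "unknown")]
                entry["hits"].add(name)
                # A 2xx status means the request was served, not rejected:
                # treat this server as possibly compromised, not just probed.
                entry["served"] |= row.get("sc-status", "").startswith("2")
    return dict(report)

if __name__ == "__main__":
    for ip, info in sorted(scan(SAMPLE_LOG).items()):
        state = "SERVED (investigate host)" if info["served"] else "probe only"
        print(f"{ip:15} {state:26} {', '.join(sorted(info['hits']))}")
```

Any source with `served` set warrants checking the server itself for ADMIN.DLL in the /scripts directory, as the alert asks.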