From another list:
09/18/01
Virus Alert
Be on the alert for an email-borne virus with the following characteristics:
Name of attachment: README.EXE
Description:
This is the preliminary information known at this time.
There is a new mass-mailing worm that utilizes email to propagate itself.
The threat arrives as readme.exe in an email.
In addition, the worm sends out probes to IIS servers attempting to spread
by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm.
Compromised servers may display a webpage prompting a visitor to download an
Outlook file which contains the worm as an attachment.
Also, the worm will create an open network share allowing access to the
system. The worm will also attempt to spread via open network shares.
___________________________________________________________
From what I've read, others are sandboxing their infected servers, and deleting
the .eml files. Then there's this:
_______________________________________________________________
National Infrastructure Protection Center
"Potential Distributed Denial of Service (DDoS) Attacks"
Advisory 01-021
17 September 2001
The National Infrastructure Protection Center (NIPC) expects an increase in
Distributed Denial of Service (DDoS) attacks. NIPC Advisory 01-020,
"Increased Cyber Awareness" dated September 14, 2001 warned of threatened
vigilante hacking activity against organizations associated with the
perceived perpetrators of the September 11, 2001 terror attacks.
On September 12, 2001, a group of hackers named the Dispatchers claimed they
had already begun network operations against information infrastructure
components such as routers. The Dispatchers stated they were targeting the
communications and finance infrastructures. They also predicted that they
would be prepared for increased operations on or about Tuesday, September
18, 2001.
There is the opportunity for significant collateral damage to any computer
network and telecommunications infrastructure that does not have current
countermeasures in place. The Dispatchers claim to have over 1,000 machines
under their control for the attacks. It is likely that the attackers will
mask their operations by using the IP addresses and pirated systems of
uninvolved third parties.
System administrators are encouraged to check their systems for zombie agent
software and ensure they institute best practices such as ingress and egress
filtering. The NIPC has made available the "Find DDoS" tool to determine if
your computer has been infected by the most common DDoS agents. The tool may
be downloaded from the following website:
http://www.nipc.gov/warnings/advisories/2000/00-055.htm.
Additionally, a list of best practices is available from the CERT/CC
website, located at:
http://www.cert.org/security-improvement.
Recipients of this advisory are encouraged to report computer intrusions to
me at either the email address or telephone number below, or NIPC, and to
other appropriate authorities. Incidents may be reported online at
http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can
be reached at (202) 323-3204/3205/3206 or [EMAIL PROTECTED]
Recipients of this message are authorized to forward this Advisory to
associates within your organization, as well as others deemed appropriate.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:49 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
I've got a file server with a bunch of .eml files - desktop.eml, fax1.eml,
2.eml, professional.eml, etc. - all created at the same time in various
subdirectories of a public share & all the same size & all owned by the same
person.
That sounds suspiciously like this, but I can't find anything definitive
about these damn .eml files!!
-Michèle
Immigration site: <http://LadySun1969.tripod.com>
Our new 2001 Miata: <http://members.cardomain.com/bpituley>
Tiggercam: <http://www.tiggercam.co.uk>
---------------------------------------------------------
The fact that no one understands you doesn't mean you're an artist.
---------------------------------------------------------
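As an added illustration (not from the thread), a Python routine that looks for exactly the pattern in the post above: .eml files in several subdirectories of a share, all the same size, same timestamp and same owner. The server name, sizes, times and account names in the sample records are constructed.

```python
"""Flag .eml files that share size, timestamp and owner across directories.
Added example, not from the thread; it encodes the indicator in the post above."""
import ntpath
import os
from collections import defaultdict, namedtuple

FileRecord = namedtuple("FileRecord", "path size mtime owner")  # mtime: whole seconds


def find_eml_clusters(records, min_files=3):
    """Group .eml files by (size, mtime, owner); return [(key, sorted_paths)]
    for groups with >= min_files files spread over at least two directories."""
    groups = defaultdict(list)
    for rec in records:
        if rec.path.lower().endswith(".eml"):
            groups[(rec.size, rec.mtime, rec.owner)].append(rec.path)
    clusters = []
    for key, paths in groups.items():
        # ntpath so \\server\share\dir paths split correctly on any platform
        if len(paths) >= min_files and len({ntpath.dirname(p) for p in paths}) >= 2:
            clusters.append((key, sorted(paths)))
    return clusters


def scan_tree(root):
    """Records from a real tree; st_uid stands in for owner (always 0 on Windows,
    where the owner would have to be read from the file's security descriptor)."""
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            out.append(FileRecord(full, st.st_size, int(st.st_mtime), str(st.st_uid)))
    return out


# Constructed sample: server, sizes, times and account names are made up.
SAMPLE_RECORDS = [
    FileRecord(r"\\fs1\public\desktop.eml", 79225, 1000836540, r"DOMAIN\jdoe"),
    FileRecord(r"\\fs1\public\docs\fax1.eml", 79225, 1000836540, r"DOMAIN\jdoe"),
    FileRecord(r"\\fs1\public\docs\2.eml", 79225, 1000836540, r"DOMAIN\jdoe"),
    FileRecord(r"\\fs1\public\hr\professional.eml", 79225, 1000836540, r"DOMAIN\jdoe"),
    FileRecord(r"\\fs1\public\hr\budget.xls", 79225, 1000836540, r"DOMAIN\jdoe"),  # not .eml
    FileRecord(r"\\fs1\public\mail\saved.eml", 4120, 998000000, r"DOMAIN\asmith"),  # lone, legitimate
]

if __name__ == "__main__":
    for (size, mtime, owner), paths in find_eml_clusters(SAMPLE_RECORDS):
        print(f"{len(paths)} .eml files, {size} bytes, mtime {mtime}, owner {owner}:", *paths, sep="\n  ")
```

On a real share, run `find_eml_clusters(scan_tree(r"\\server\share"))`; a lone saved message never forms a cluster, so only the fan-out pattern is reported.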
-----Original Message-----
From: John Allhiser [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:39 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
I believe readme.eml is loaded to an infected IIS website as an attachment to
every page in the site.
When the infected site is accessed, it is downloaded as an .exe.
This is what I see on securityfocus.com and the noted anti-virus sites.
John Allhiser MCSE CCNA
Network Engineer
Business Men's Assurance
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
Has anybody seen anything Official about the .eml files? I've just heard
anecdotal evidence about them.
-Michèle
Immigration site: <http://LadySun1969.tripod.com>
Our new 2001 Miata: <http://members.cardomain.com/bpituley>
Tiggercam: <http://www.tiggercam.co.uk>
---------------------------------------------------------
Why do they put pictures of criminals up in the Post Office? What are we
supposed to do . . . write to these men? Why don't they just put their
pictures on the postage stamps so the mailmen could look for them while they
delivered the mail?
---------------------------------------------------------
-----Original Message-----
From: Daniel Deward [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:37 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
If you block EXEs there is no need to wait for updates. For more
information, visit http://www.cmsconnect.com
Dan
-----Original Message-----
From: Pfefferkorn, Pete (PFEFFEPE) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:16 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
Yes, NAI released an extra.dat. Still waiting for Trend to put out an
update.
Pete Pfefferkorn
Senior Systems Engineer/Mail Administrator
University of Cincinnati
51 Goodman Street
Cincinnati, OH 45221
Phone - (513) 556-9076
Fax - (513) 556-2042
-----Original Message-----
From: Etts, Russell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 2:51 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
Does anyone have any more info on this??
Does NAI have an update? I can't get through to them.
Thanks
Russell
-----Original Message-----
From: John Bricher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:33 PM
To: Exchange Discussions
Subject: RE: New Virus / Worm ??
On the servers that were infected at our company, we found a mmc.exe that
was running in c:\winnt. This appeared to be regenerating the readme.eml
files. We killed the process, deleted the file, and deleted the .eml files.
This appears to have worked for now.
Not sure how to stop it from happening again.
John Bricher
Windows NT Engineer
Cybear, Inc.
561-999-3549
[EMAIL PROTECTED]
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]