Virus specific removal tool for I-Worm.Sircam.A
http://www.centralcommand.com/ts/00D709001aet/antisircam.exe

CENTRAL COMMAND - VIRUS WARNING - CodeRed.C (CodeRed II)

***| CodeRed.C Internet Worm |***

Central Command has received many inquiries about a new Internet worm that is similar to the original Code Red Internet worm, which exploits a known vulnerability within Microsoft Internet Information Server (IIS). The exploit allows a self-propagating Internet worm named "CodeRed.C" to access and penetrate a web server through the Indexing Services used by some versions of Microsoft IIS. Once the worm has penetrated a web server, it is developed to install a back door remote administration utility on the infected server and allow anyone to have full control over the server and its data. It is recommended that network administrators patch their Windows NT and Windows 2000 systems immediately against this exploit.

Details:
Name     : CodeRed.C
Aliases  : I-Worm.Bady, CodeRed.v3, Code RedII
Type     : Worm, IIS Server Exploit, and Backdoor
Risk     : High
Spreading: Wide

Description:
The method of infection is the same as in the former versions of the CodeRed worm. The worm uses a well-known IIS (Internet Information Server) security hole, exploiting the ISAPI Indexing Service buffer overflow. Unlike Code Red, CodeRed.C does not attack any single IP or deface websites; rather, it drops a backdoor onto the infected web server. Therefore, CodeRed.C contains a more malicious and damaging payload (this payload will leave infected victims vulnerable to any potential attacker accessing their web server).

After the worm gains control over the server, it searches out the memory address of the loaded kernel32.dll. If the operation succeeds, the worm finds the addresses of some other system functions that it will use in replication. First, it finds the address of GetProcAddress, which it uses to locate other functions such as LoadLibrary, CreateThread, GetSystemDirectory...

Then, the worm checks whether the atom named "CodeRedII" exists in the system and, if it does, suspends its execution (putting it in sleep mode). If the CodeRedII atom was not set, the atom is created to prevent further infections. Once set, it checks the default language. If the system language is Chinese it creates 600 threads, and if not only 300. These threads are used to infect other vulnerable systems. Through the generation of IP addresses the worm searches out other vulnerable systems.

The worm also copies the file "cmd.exe" into the scripts folder of IIS and into "\system\MSADC" under the name "root.exe". In this way the infected system can always be accessed through an HTTP "GET" request to execute "scripts\root". If the system date is October 2001, the worm restarts the system. The worm also creates a trojan which will run at every system startup: "c:\explorer.exe" or "d:\explorer.exe".

Central Command will be continually posting new information about this worm and its spreading rate as it is received. Last update August 5, 2001.

Microsoft has released a patch that eliminates this security vulnerability. The vulnerability exists in the Indexing Services used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. For further information and to download a patch please read:

Code Red Information:
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010720-000018

Microsoft Security Bulletin (MS01-033):
http://www.microsoft.com/technet/security/bulletin/ms01-033.asp

Information about "Code Red" from Microsoft:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codered.asp

----- Original Message -----
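A defender-side triage script, added here as an example; it is not Central Command's removal tool and is not part of the forwarded advisory. It parses IIS W3C extended log lines and flags the two traces the advisory describes: requests for the dropped root.exe copies in the scripts and MSADC folders, and an oversized query against the Index Server .ida ISAPI extension, which is the component patched by MS01-033 (the advisory cites the bulletin but does not name the extension). It also matches a list of file paths against the drop locations the advisory lists. The sample log lines, the IP addresses, the field order and the 200-character query threshold are constructed assumptions.

```python
from typing import Dict, Iterable, List, Optional

# Heuristic threshold (assumption): a legitimate .ida query is nowhere near this long.
IDA_QUERY_THRESHOLD = 200

# Constructed sample in IIS W3C extended format; not real traffic.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-05 10:12:01 192.0.2.10 GET /index.html - 200",
    "2001-08-05 10:12:07 192.0.2.44 GET /default.ida " + "X" * 240 + " 200",
    "2001-08-05 10:13:30 192.0.2.44 GET /scripts/root.exe /c+dir 200",
    "2001-08-05 10:13:31 192.0.2.44 GET /MSADC/root.exe /c+dir 200",
    "2001-08-05 10:14:02 192.0.2.51 GET /scripts/help.asp - 404",
])

# Drop locations from the advisory: cmd.exe copied as root.exe into the IIS
# scripts folder and into \system\MSADC, plus the explorer.exe trojan at the
# root of C: or D:. Compared as lower-case path suffixes.
DROPPED_FILE_SUFFIXES = (
    r"\scripts\root.exe",
    r"\msadc\root.exe",
    r"c:\explorer.exe",
    r"d:\explorer.exe",
)


def parse_w3c(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields directive."""
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a rule name if the record matches a CodeRed II trace, else None."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "")
    if query == "-":  # W3C logs write '-' for an empty field
        query = ""
    if stem.endswith("/root.exe") and ("/scripts/" in stem or "/msadc/" in stem):
        return "codered2-backdoor-access"
    if stem.endswith(".ida") and len(query) >= IDA_QUERY_THRESHOLD:
        return "ida-overflow-probe"
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run classify() over a whole log and collect the matching records."""
    findings: List[Dict[str, object]] = []
    for entry in parse_w3c(text.splitlines()):
        rule = classify(entry)
        if rule is None:
            continue
        findings.append({
            "rule": rule,
            "client": entry["c-ip"],
            "uri": entry["cs-uri-stem"],
            # A 200 on the backdoor path means the dropped copy of cmd.exe answered.
            "served": entry["sc-status"] == "200",
        })
    return findings


def check_dropped_files(present_paths: Iterable[str]) -> List[str]:
    """Return the paths (e.g. from a directory listing) that sit at a known drop location."""
    hits: List[str] = []
    for path in present_paths:
        low = path.lower()
        if any(low.endswith(suffix) for suffix in DROPPED_FILE_SUFFIXES):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(check_dropped_files([
        r"C:\Inetpub\scripts\root.exe",   # constructed listing
        r"C:\WINNT\system32\cmd.exe",
        r"D:\explorer.exe",
    ]))
```

Run against a real log by reading the file and passing its contents to scan_log(); the field names are taken from the log's own #Fields line, so a different column order works as long as c-ip, cs-uri-stem, cs-uri-query and sc-status are present. A hit on the backdoor rule with served set to True is the stronger signal, since it shows the dropped root.exe actually responded, whereas the .ida probe alone only shows that the host was scanned.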
