We have an article by Michelle Delio here:
http://www.wired.com/news/technology/0,1282,46944,00.html
**********
From: "Magdalena Donea" <maggy_at_kia.net>
To: <declan_at_well.com>
Subject: RE: Voracious, nasty new "Code Red" worm may be spreading quickly
Date: Tue, 18 Sep 2001 15:57:16 -0400
In-Reply-To: <5.0.2.1.0.20010918114801.01ff1040_at_mail.well.com>
Declan,
The best description of Nimda I've seen so far is here:
http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnworm.xml?0918alert
Yes, only Windows systems are affected, but this time this includes Windows
desktops, servers, etc., whether running IIS or not (unlike Code Red).
Viewing a page from an infected IIS server may be enough to infect a desktop
system, because of the applet the virus launches. The "swiss army knife"
analogy in the article above is really good. Of course, regardless of O/S
brand you use, the collateral damage is still high, in terms of the high
level of traffic this thing is producing.
Among all our client servers, the earliest instance of a hit came at 6:10am
EDT today from Belgium:
XXXX.uunet.be - - [18/Sep/2001:06:10:53 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\ HTTP/1.0" 404 2550 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
... thought I'd pass it on, hope it's useful.
--Maggy
_________________________
KIA.NET Technical Support
help_at_kia.net
_________________________
**********
To: declan_at_well.com
Subject: Re: FC: Voracious, nasty new "Code Red" worm may be spreading quickly
From: pb_at_e-scribe.com (Paul Bissex)
Date: Tue, 18 Sep 2001 16:19:18 -0400
A few URLs on this worm ("Nimda"):
http://www.newsbytes.com/news/01/170225.html
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
http://slashdot.org/articles/01/09/18/151203.shtml
Newsbytes calls it "Code Rainbow," but I don't see anybody else using
that name.
Apparently the 16 holes it attempts to exploit are all well-known, and
anybody with a properly patched IIS should be fine. (However, I Am Not
A Security Expert.)
best
pb
**********
Date: Tue, 18 Sep 2001 15:54:10 -0400
From: Ken Deutsch <deutsch_at_idi.net>
To: declan_at_well.com
Subject: Re: FC: Voracious, nasty new "Code Red" worm may be spreading quickly
Declan McCullagh wrote:
>[BTW I'm seeing similar attempts on Politech's website. Remember, folks,
>Code Red and its progeny only infect Windows systems. --Declan]
Declan -
While it only "infects" Windows systems, unlike Code Red this one is having
an impact on other systems. Rather than a couple of accesses to a site,
the speed of accesses to servers is much greater. We run web servers on Sun
with Apache and have had over 50 sites being attacked since 9:06 am with
tens of thousands of hits looking for files that only exist on unpatched NT
servers. I concur with the message below that the accesses come at a
ferocious rate.
- Ken
**********
From: "Glen L. Roberts" <glr_at_glr.com>
To: <declan_at_well.com>
Subject: Re: Voracious, nasty new "Code Red" worm may be spreading quickly
Date: Tue, 18 Sep 2001 15:55:21 -0400
So far, I've seen 15,000+ hits in my apache logs files for accesses to .exe
files (no normal traffic would request a .exe file)... that is definitely
much heavier traffic than code red had.
**********
Date: Tue, 18 Sep 2001 20:53:12 +0100
To: declan_at_well.com
From: John Sullivan <lists_at_benzo8.org>
Subject: Re: FC: Voracious, nasty new "Code Red" worm may be spreading quickly
At 04:48 PM 18/09/2001, you wrote:
>[BTW I'm seeing similar attempts on Politech's website. Remember, folks,
>Code Red and its progeny only infect Windows systems. --Declan]
>Here's a snippet from the Apache error log; this appears to constitute
>the signature of this worm:
>
>A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
>So far, all hits have come in groups of 16 and appear to be directed at
>exploiting a vulnerability that's presumably found on Windows systems
>running IIS. They also *seem* to be largely localized, that is, the
>IP addresses of the incoming probes are related to the IP addresses of
>the systems being targeted.
Declan,
Looking at this log excerpt, what the new worm is attempting to do is
contact the backdoor left by CodeRed II. This, of course, doesn't imply
that the same author wrote both viruses - it was a fairly well publicised
backdoor after all - but it's interesting (from an academic point of view)
that this virus takes a leg-up from a previous infection.
This does, of course, mean that this virus not only affects Windows
systems as you said, but also only affects Windows systems previously
infected by CodeRed II.
**********
From: "Glen L. Roberts" <glr_at_glr.com>
To: <declan_at_well.com>
References: <5.0.2.1.0.20010918114801.01ff1040_at_mail.well.com>
Subject: Re: Voracious, nasty new "Code Red" worm may be spreading quickly
Date: Tue, 18 Sep 2001 16:03:39 -0400
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
You don't suppose it's smart enough to follow a redirect, ie:
in .htaccess
redirect /scripts http://www.microsoft.com
redirect /c http://www.microsoft.com
redirect /d http://www.microsoft.com
redirect /MSACD http://www.microsoft.com
redirect /msacd http://www.microsoft.com
**********
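The log lines quoted in the messages above give two request shapes worth a log check: the /scripts/root.exe probe (the cmd.exe copy CodeRed II left behind) and the Unicode directory-traversal form that reaches winnt/system32/cmd.exe, arriving in groups of 16 per target. The following is an added example, not code from any of the correspondents: it parses Apache access-log lines, labels those two probe shapes, and counts probes per source host against a burst threshold. The sample log lines are constructed (the real hosts are replaced with documentation addresses), the double-encoded %255c variant is an assumed generalisation not quoted in the thread, and the burst threshold of 16 is a hypothetical tunable taken from the "groups of 16" observation.

```python
"""Flag Nimda-style IIS probes in Apache access logs.

Added example, not from the Politech thread: the request-path markers come
from the two log lines quoted above; the sample log lines are constructed
and the burst threshold is a hypothetical tunable.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common/combined log line; only the leading fields are needed here.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# root.exe is the cmd.exe copy that CodeRed II dropped into /scripts and
# /MSADC; the second form walks out of the /scripts tree to cmd.exe itself.
BACKDOOR_RE = re.compile(r'/root\.exe', re.I)
CMD_RE = re.compile(r'/winnt/system32/cmd\.exe', re.I)
# Traversal markers: "../", "..\" and any percent-encoded separator after
# "..", which covers the %c1%1c form quoted above and (assumed) %255c.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|\\|%)', re.I)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path):
    """Label a request path as one of the probe types seen in the thread,
    or return None for ordinary traffic (including ordinary 404s)."""
    # Decode twice so double-encoded separators (%255c -> %5c -> \) collapse;
    # the literal marker strings survive decoding either way.
    decoded = unquote(unquote(path))
    if BACKDOOR_RE.search(path) or BACKDOOR_RE.search(decoded):
        return 'coderedII-backdoor'
    if (CMD_RE.search(path) or CMD_RE.search(decoded)) and TRAVERSAL_RE.search(path):
        return 'iis-traversal'
    return None


def scan(lines, burst=16):
    """Classify every parseable line. Returns (hits, bursty_hosts): hits is a
    list of (host, label, status); bursty_hosts lists hosts that sent at
    least `burst` probe requests (16 = the group size reported above)."""
    hits = []
    per_host = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify_path(rec['path'])
        if label is None:
            continue
        hits.append((rec['host'], label, int(rec['status'])))
        per_host[rec['host']] += 1
    bursty = sorted(h for h, n in per_host.items() if n >= burst)
    return hits, bursty


# Constructed sample log: the two probe shapes quoted in the thread (hosts
# replaced with documentation addresses), one assumed double-encoded variant,
# and two ordinary requests, one of them a harmless 404.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:06:10:53 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0" 404 2550 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
    '192.0.2.10 - - [18/Sep/2001:11:30:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270',
    '192.0.2.10 - - [18/Sep/2001:11:30:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 270',
    '192.0.2.10 - - [18/Sep/2001:11:30:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 270',
    '198.51.100.7 - - [18/Sep/2001:11:31:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [18/Sep/2001:11:31:01 -0400] "GET /scripts/missing.cgi HTTP/1.1" 404 270',
]


if __name__ == '__main__':
    hits, bursty = scan(SAMPLE_LOG, burst=4)
    for host, label, status in hits:
        print(f'{host:15} {label:20} {status}')
    print('bursty hosts:', bursty)
```

Run it against a real access_log with `scan(open('access_log'))` and the 16-per-target burst threshold; the status code is kept in each hit because a 200 on either path, rather than the 404s seen on the Apache hosts above, is the case that actually needs a look at the server.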
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
Received on Sep 18 2001