
OT: A new worm?

To: mgs@autox.team.net
Subject: OT: A new worm?
From: Eric <eric@erickson.on.net>
Date: Wed, 19 Sep 2001 03:51:11 +0930
With apologies, but this is likely to affect most of us (in one way or another):

Speaking of damn terrorists... for those tekkies out there, we are being
SLAMMED by what looks like a new, maybe MORE-violent-than-CodeRed worm.

Check out

http://www.incidents.org/alert.php

and check your machines.

"Evidently, a new worm is the source of the activity. Once the worm gains
access to a vulnerable IIS webserver, it uses tftp to fetch a binary
called Admin.dll.octet from the infecting host. An example packet capture
is below (see website http://www.incidents.org/alert.php )"

"Also, connecting to an attacking webserver using a web browser results in
an attempt to download an executable called readme.eml. Reports indicate
that IE5 will automatically execute the binary."


We are all up at 03:50 (Central Australian Time) working on it.


Eric

///
///  mgs@autox.team.net mailing list
///  or try http://www.team.net/cgi-bin/majorcool
///

