Folks, If anyone has a packet capture of the infection in progress, would you please contact me. I would like to get it to the some of the Cisco IOS folks ASAP. (Not my official job, but would like to help.) Thanks!! Michael Airhart At 11:54 AM 9/18/2001 -0400, Eric Gauthier wrote:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China I've nailed a copy, and am working on getting it to the right security people. A *PRELIMINARY* (eyeballing the output of 'strings' indicates that this one *both* sends itself via-email a la SirCam, *AND* scans for vulnerable web servers, and if it finds a vulnerable server, it causes anybody visiting that webpage to be offered a contaminated .exe as well. I do *NOT* have a handle on what malicious effects it has other than just propagating.
I work at a large university and our security guys think this guy is what's been causing us problems all morning. Lots of subnet scans (tons of incomplete arps), CC Mail servers are wacking out, HPOV noting that old 3Com gear is dropping etc. This is what I've heard through the rumor mill (so take it with a grain of salt)...
"...At first blush, it spreads itself via by web, email, and maybe shares. We've seen it spreading by a set of two HTTP requests. It will look for backdoors left behind by Code Red, such as /scripts/root.exe. It uses tftp to copy itself to the target machine then launches it via a second HTTP command."
Eric :)
-------------------------------------------------------------------------------------------------------- Michael Airhart 512/378-1246 Office Consulting Systems Engineer 413/480-1958 eFax Cisco Systems, Inc. 800/365-4578 Pager 12515 Research Blvd mairhart@cisco.com Austin, TX 78759