
[FYI] (Fwd) Code Rainbow Worm




------- Forwarded message follows -------
Date sent:      	Tue, 18 Sep 2001 10:38:06 -0700
Send reply to:  	Law & Policy of Computer Communications
             	<CYBERIA-L@LISTSERV.AOL.COM>
From:           	Robert Cannon <rcannon100@YAHOO.COM>
Subject:        	Code Rainbow Worm
To:             	CYBERIA-L@LISTSERV.AOL.COM

The entire article may be viewed at
http://www.newsbytes.com/news/01/170225.html

Code Rainbow Loose In The Wild - Security Experts

By Brian  McWilliams, Newsbytes
CAMBRIDGE, MASSACHUSETTS, U.S.A.,
18 Sep 2001, 11:18 AM CST

A new, malicious worm targeting Microsoft Web servers
is in the wild and is frenetically scanning the
Internet, security experts said today.

Starting this morning, numerous system administrators
have observed a dramatic increase in probes from
remote systems, according to reports on several
mailing lists. The probes, coming sometimes hundreds
per minute, appear to be attempting to access several
commonly exploited files on sites running Microsoft's
Internet Information Server.

According to Johannes Ullrich, operator of the
Dshield.org intrusion reporting service, the scans are
already tying up some networks.

"For the last few hours, systems are getting hammered
with every IIS exploit on the book. Even though most
of these exploits are useless, the bandwidth consumed
is large," said Ullrich.

Anti-virus researchers at Symantec have released a
preliminary analysis of the worm, which they have
dubbed "W32.Nimda.A@mm." According to the firm,
besides scanning for vulnerable IIS systems, the worm
appears to use e-mail to propagate itself, arriving in
a file attachment named "readme.exe." The worm also
opens up the computer's hard disk as a network share.

According to Elias Levy, chief technology officer for
SecurityFocus, the new worm is "very aggressive" and
appears to be using elements of several earlier worms.

Log files posted by participants in one mailing list
reveal that infected systems attempt "GET" requests to
more than a dozen files on target servers. Among the
files is root.exe, a program created by two previous
worms, Sadmind and Code Red II. Also targeted is
cmd.exe, the command program or "shell" installed on
all Windows NT systems. The scans also access a file
called "admin.dll" which is used by Microsoft's
FrontPage product.

While the worm is likely only to infect IIS systems,
its probes are consuming resources and bandwidth of
all types of Internet-connected devices, according to
reports from administrators.

The Computer Emergency Response Team (CERT) said it
has begun receiving reports today of a "massive
increase in scanning directed at port 80."

Ten days ago, malicious code experts identified a new
self-propagating worm which they dubbed Code Blue.
Because it exploits a nearly year-old flaw in
Microsoft's IIS software known as the Web Server
Folder Traversal vulnerability, experts said they did
not expect Code Blue to spread widely.

Symantec said Nimda appears to attempt to spread using
the same vulnerability as Code Blue.

In an advisory released Monday, the FBI's National
Infrastructure Protection Center warned that it
expects an increase in denial of service attacks from
pro-American vigilantes in the wake of the
terrorist attacks on New York and Washington, D.C.,
last week.

Symantec's information on Nimda is at

http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html


NIPC's advisory on potential denial of service attacks
is at
http://www.nipc.gov/warnings/advisories/2001/01-021.htm


Reported by Newsbytes, http://www.newsbytes.com .

11:18  CST
Reposted 11:47  CST

(20010918/WIRES TOP, ONLINE, LEGAL/CODERAINBOW/PHOTO)

© 2001 Post Newsweek Tech Media Group


=====
~ Washington Internet Project ~
~    www.cybertelecom.org     ~
~  cannon(at)cybertelecom.org ~



------- End of forwarded message -------
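The probe pattern the article describes (GET requests for root.exe, cmd.exe and admin.dll, some of them through the folder-traversal encodings IIS mishandled) is easy to spot in server logs once request paths are decoded the way the vulnerable server decoded them. The following is an added detection example written for this page; it is not code from the article, Symantec, Dshield or CERT. The W3C log lines, the IP addresses and the table of alternate separator encodings are constructed for illustration, and the function names are the example's own.

```python
"""Flag Nimda-style IIS probes in W3C extended log lines (added example)."""
from collections import Counter, defaultdict
from urllib.parse import unquote

# File names the article says the worm's GET requests target.
PROBE_TARGETS = ("root.exe", "cmd.exe", "admin.dll")

# Alternate encodings of '/' and '\' that the Web Server Folder Traversal
# class of bugs turned into real separators after the path check.
# Assumed list for this example; extend it from your own logs.
ALT_SEPARATORS = {"%c0%af": "/", "%c0%2f": "/", "%c1%9c": "\\", "%c1%1c": "\\"}


def normalize_path(path: str) -> str:
    """Canonicalise a request path the way a lenient server would see it:
    swap known alternate separator encodings, percent-decode up to twice
    (so %255c -> %5c -> '\\'), and fold backslashes to forward slashes."""
    p = path.lower()
    for seq, sep in ALT_SEPARATORS.items():
        p = p.replace(seq, sep)
    for _ in range(2):                      # second pass catches %25xx
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    return p.replace("\\", "/")


def classify_request(path: str) -> list:
    """Return the reasons (possibly none) a request path looks like a probe."""
    p = normalize_path(path)
    reasons = [f"targets {t}" for t in PROBE_TARGETS if t in p]
    if "/../" in p:
        reasons.append("directory traversal after decoding")
    return reasons


def parse_w3c(lines):
    """Yield (client_ip, method, uri_stem) from IIS W3C extended log lines
    laid out as: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    for line in lines:
        if not line or line.startswith("#"):   # directives and blank lines
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        yield fields[2], fields[3], fields[4]


def scan_log(lines, min_hits: int = 3):
    """Count probe reasons per client and return (per_ip_counts, suspects),
    where suspects are clients with at least `min_hits` flagged findings."""
    hits = defaultdict(Counter)
    for ip, _method, stem in parse_w3c(lines):
        for reason in classify_request(stem):
            hits[ip][reason] += 1
    suspects = sorted(ip for ip, c in hits.items() if sum(c.values()) >= min_hits)
    return dict(hits), suspects


# Constructed sample log (not a real capture): one scanner, one normal client.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:41:02 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 10:41:02 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 10:41:03 192.0.2.10 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:41:03 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:41:04 192.0.2.10 GET /scripts/Admin.dll - 404
2001-09-18 10:41:05 198.51.100.7 GET /index.html - 200
2001-09-18 10:41:06 198.51.100.7 GET /images/logo.gif - 200
""".splitlines()

if __name__ == "__main__":
    counts, suspects = scan_log(SAMPLE_LOG)
    for ip in suspects:
        print(ip, dict(counts[ip]))
```

Matching on the decoded path rather than the raw one is the point: the raw "..%255c.." string never contains "../", so a naive substring rule misses exactly the requests that exploited the traversal flaw. The 404 status codes in the sample are a reminder that a patched or non-IIS host still logs (and pays bandwidth for) every probe, which is the cost the article's administrators were reporting.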