Domain: sarc.com
Stories and comments across the archive that link to sarc.com.
Comments · 64
-
Effects of the worm on a university network, etc
Got hit with a bunch of emails from some person I don't know with an attachment, no subject. I was checking through telnet to a UNIX server, so I just killed the files without much thought. A later telnet into the same system popped up a message that my university's off campus connection to the internet was bogged down by this Nimda worm. Traffic to the outside has been slow to nonexistent all day. I checked the dropbox I keep for my shared files, and sure enough there was a .eml file waiting for me. That got deleted, and the folder closed to outside access. I should know better than to allow guest write access, even to one directory. The rest of this system's pretty well locked down, and several manual scans show no sign of infection. This thing's so new there's still no information on how to remove it if you're infected in Symantec's database. They have, however, documented its behavior; you can see it at Symantec's Page. -
Text of Newsbytes Article
By Brian McWilliams, Newsbytes
CAMBRIDGE, MASSACHUSETTS, U.S.A.
18 Sep 2001, 11:18 AM CST
A new, malicious worm targeting Microsoft Web servers is in the wild and is frenetically scanning the Internet, security experts said today.
Starting this morning, numerous system administrators have observed a dramatic increase in probes from remote systems, according to reports on several mailing lists. The probes, coming sometimes hundreds per minute, appear to be attempting to access several commonly exploited files on sites running Microsoft's Internet Information Server.
According to Johannes Ullrich, operator of the Dshield.org intrusion reporting service, the scans are already tying up some networks.
"For the last few hours, systems are getting hammered with every IIS exploit on the book. Even though most of these exploits are useless, the bandwidth consumed is large," said Ullrich.
Anti-virus researchers at Symantec have released a preliminary analysis of the worm, which they have dubbed "W32.Nimda.A@mm." According to the firm, besides scanning for vulnerable IIS systems, the worm appears to use e-mail to propagate itself, arriving in a file attachment named "readme.exe." The worm also opens up the computer's hard disk as a network share.
According to Elias Levy, chief technology officer for SecurityFocus, the new worm is "very aggressive" and appears to be using elements of several earlier worms.
Log files posted by participants in one mailing list reveal that infected systems attempt "Get" requests to more than a dozen files on target servers. Among the files is root.exe, a program created by two previous worms, Sadmind and Code Red II. Also targeted is cmd.exe, the command program or "shell" installed on all Windows NT systems. The scans also access a file called "admin.dll" which is used by Microsoft's FrontPage product.
While the worm is likely only to infect IIS systems, its probes are consuming resources and bandwidth of all types of Internet-connected devices, according to reports from administrators.
The Computer Emergency Response Team (CERT) said it has begun receiving reports today of a "massive increase in scanning directed at port 80."
Ten days ago, malicious code experts identified a new self-propagating worm which they dubbed Code Blue. Because it exploits a nearly year-old flaw in Microsoft's IIS software known as the Web Server Folder Traversal vulnerability, experts said they did not expect Code Blue to spread widely.
Symantec said Nimda appears to attempt to spread using the same vulnerability as Code Blue.
In an advisory released Monday, the FBI's National Infrastructure Protection Center warned that it expects an increase in denial of service attacks from pro-American vigilantes in the wake of the terrorist attacks on New York and Washington, D.C., last week.
Symantec's information on Nimda is at http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
NIPC's advisory on potential denial of service attacks is at http://www.nipc.gov/warnings/advisories/2001/01-021.htm .
Reported by Newsbytes, http://www.newsbytes.com .
11:18 CST
Reposted 11:47 CST
-
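As an added example (not from the page or from any commenter here), a defender's check over constructed Common Log Format lines for the probe files the article names (root.exe, cmd.exe, admin.dll) and the folder-traversal requests it mentions; the signature regexes, the per-host threshold, and the RFC 5737 sample addresses are assumptions.

```python
import re
from collections import Counter

# Signatures for the probes the article describes: requests for root.exe (left
# by Sadmind/Code Red II), cmd.exe, FrontPage's admin.dll, and the folder
# traversal bug. Traversal encodings are assumptions for this example.
PROBE_PATTERNS = [
    re.compile(r"root\.exe", re.I),
    re.compile(r"cmd\.exe", re.I),
    re.compile(r"admin\.dll", re.I),
    re.compile(r"(\.\./|%2e%2e|%c0%af)", re.I),  # plain or encoded "../"
]

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def parse_clf(line):
    """Fields of one CLF line as a dict, or None if the line does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def is_probe(path):
    """True if the requested path matches any worm-probe signature."""
    return any(p.search(path) for p in PROBE_PATTERNS)

def scan_log(lines, threshold=3):
    """Return (flagged, noisy): each probe-like request as (host, path, status),
    and the sorted hosts that sent at least `threshold` of them."""
    flagged, per_host = [], Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec and is_probe(rec["path"]):
            flagged.append((rec["host"], rec["path"], int(rec["status"])))
            per_host[rec["host"]] += 1
    return flagged, sorted(h for h, n in per_host.items() if n >= threshold)

# Constructed sample log (RFC 5737 test addresses); last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.9 - - [18/Sep/2001:10:02:11 -0500] "GET /scripts/root.exe HTTP/1.0" 404 0
203.0.113.9 - - [18/Sep/2001:10:02:12 -0500] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 0
203.0.113.9 - - [18/Sep/2001:10:02:12 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 404 0
203.0.113.9 - - [18/Sep/2001:10:02:13 -0500] "GET /_vti_bin/_vti_aut/admin.dll HTTP/1.0" 404 0
198.51.100.4 - - [18/Sep/2001:10:03:40 -0500] "GET /index.html HTTP/1.1" 200 5120
192.0.2.77 - - [18/Sep/2001:10:05:02 -0500] "GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe HTTP/1.0" 403 0
garbage line that is not CLF
"""
```

A 404 on every probe means the server lacked the files, which matches the article's point that the scans mostly waste bandwidth; the per-host count is what separates a scanning host from an occasional stray hit.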
Re:Worm Un-named no longer
Yup, that's the name alright, according to Symantec who has a preliminary write-up on it. Not much info now, but I'm sure it'll have more as the day progresses.
-
Let me tell you a story...
After a short vacation from work, my cubicle was decorated with 23 post-it notes. How Fun!!! Each one had a different "Virus" name on it.
Well, I simply went to Cert and Norton's Virus Site to find out what was spoof, and what was true. And the next day, my Supervisor got a treat in his cube, all 23 post-it notes with the url from the respective place declaring it as a hoax. That was fun. And you know what, I have yet to see another post-it note in my cube again.
On another note, I used to work for Office Max. And yes, I did tell people when I thought what they were describing sounded like a virus. What did I tell them? Pick up a copy of a virus scanner, buy or download off the net, I didn't care. But I told them to do me one favor. Tell me what came of it. If they told me it didn't have a virus, then I told them to send it in. If they did have a virus, I kept a log of what virii were in town. And you know what, people still didn't believe me when I told them I don't have a virus scanner. And I use Win98, Win2k.
(I know it sounds like I'm patting myself on the back, but trust me, there are good salespeople out there who are not just looking to make sales. So listen to what they say, and don't be an idiot. Some know what they are doing. Now that I'm done ranting, and raving, and this is modded down, I might be able to view the story) -
I think you're on to something...
According to Symantec's page on CR2:
Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C -
Re:Moron, Outlook has nothing to do with it
Yes, but unlike ILOVEYOU and so on, it doesn't send mail through Outlook, and filches addresses from other sources besides Outlook. It will fully affect any Win box that doesn't have Outlook installed.
And according to this, it doesn't use Outlook APIs, but instead combs through the Windows address book (WAB file) looking for addresses (which is only used by Outlook in 'internet mode' and is used by Outlook Express, which certainly doesn't support Outlook's COM API). The fact that it doesn't grab Netscape or Eudora's address book is probably just laziness on the author's part.
Conclusion: Not an Outlook virus, except according to CmdrTaco. -
Already been talked about, already been done
It was already talked about in the Interesting People mailing list in reference to the book, Shockwave Rider.
Been there, done that. The Cheese worm for Linux does basically the same sort of thing.
Still it's a bad idea. For legal reasons: unauthorized is unauthorized even with good intent. For complexity reasons: the worm/virus may break something else or have unintended consequences like the Robert Moore Jr. worm in the 1980s. Common sense: Encouraging bad system admin habits, that is to be lazy, is a very bad idea. Think of a silly analogy: like breaking in to fix a faulty burglary alarm is a bad idea.
-
Outlook virus????
Now, I swear I'm not trying to defend Microsoft on this, but this is NOT an Outlook virus. Do a little more research on the SirCam worm, and you will find out that it will work at any address that it is sent to. The worm is a complete program in itself. It does not rely on Outlook to send mail for it, as the application has its own SMTP server built in.
Check out the following for more info on this really impressive... um I mean dangerous worm. http://sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html -
Re:What do you tell someone who's got SirCam?
Symantec has a removal tool located here
-
Re:solution: don't use outlook
Someone said: Another virus that doesn't affect web-based email (not to mention pine or MacOS or whatever). Seems pretty clear that Outlook will continue to be exploited in new ways for the foreseeable future.
And then someone else replied: I don't know enough about it to determine the extent to which it can affect non-Outlook clients. I do know that, according to CNET, it does try other means of spreading as well.
Although many virii and worms do rely on Outlook's crappy design and implementation of security issues, this one does not. (There doesn't seem to be any agreement between virus experts (I'm not one) whether SirCam is a worm or a virus. To me, it looks like a hybrid.)
SirCam harvests e-mail addresses through two methods:
- It will search through temporary HTML files (from your Internet Explorer cache only) and use any e-mail addresses it finds.
- It will harvest addresses from *.WAB (Windows Address Book) files on your HD. (I'm not clear on what program uses *.WAB files. I use Eudora for my e-mail on my Windows computer, and although there is a *.WAB file on my system, it is empty.)
References:
http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html -
Re:Better Solution:Don't click everything!
SARC lists the following ICQ virii in its I Index:
- ICQ.81493.PWSteal
- ICQ.82424.PWSteal
- ICQ.Flooder
- ICQ.PWS.Trojan
- ICQ.Revenge.Trojan
- ICQ.Trojan
- ICQ2000
- ICQPass
Unfortunately, SARC is uncharacteristically vague on these virii with very little info beyond "NORTON Anti-virus catches this". Time to check McAfee's and CERT
:) -
Re:Biased
You guys sound like nobody ever finds any holes in Linux.
BIND?
Man, BIND is not Linux. IE and Outlook Express are shipped with and tied into the operating system known as Windows. We give a set up CD with Netscape to our customers, but IE and Upchuck Express stay there; why risk a gotcha by uninstalling the OS's choice browser. Who knows what that will mess up?
People installing multi-user operating systems with multiple services such as Linux are supposed to know what they need to do to secure the thing. I think many will agree that, in order to more tailor Linux for the masses (and I don't think that should be a prime focus, anyway, IMO), work needs done by vendors to provide locked down installations by default, and not install potentially dangerous software without active selection. The proliferation of inexperienced system administrators putting insecure linux boxen--machines open to trivial security breaches, that is--on the 'net is certainly a dilemma. Perhaps the demand for such talent is outstripping the available experience, especially in certain overseas (from me) locales, it would seem (my IDS shows most intrusion attempts and port scans coming from Asia these days). Anyway, I'm just speaking from anecdotal evidence here, and not using any hard data. So, back on topic:
Microsoft, however, touts their OS as the choice for the masses, yet most day-to-day operations and the act of actively checking for security holes and getting patches is beyond the ability or willingness of most users.
Bugs like this have serious implications for administrators and ISPs. Hey, when Joe User has problems upgrading to the latest version of IE to fix the security hole of the week, who do you think they call? Answer: their poor Internet Service Provider since MS support costs extra, and users have come to expect almost total support from their ISP for such things.
Ask me how many double-bounces I wade through every day thanks to W95.Hybris.gen -- it ain't pretty
;-) -
Re:Next Version
The changing subject line helps its messages avoid being deleted by the Spam filters, but since the message does not change, the user is not likely to think that it actually came from the person it says it does. What these viruses need to do is examine the context of all of the messages in the user's Inbox that come from the individual who it is being sent to and generate a context-sensitive reply to that individual.
From what I have read on Symantec's Page, this one does change. It adds random comments to the message that it is sending out. That makes scanning for an attachment all that much worse.