Slashdot Mirror

← Back to Stories (view on slashdot.org)

New (More) Annoying Microsoft Worm Hits Net

Posted by CmdrTaco on from the what-a-pain-in-the-arse dept.

A new worm seems to be running rampant Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am) I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J : It now has a name: "Nimda." More info here, here, and here.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../ ..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!

2 of 1,163 comments (clear)

  1. 'Fuck USA' is sadmind by Gambit+Thirty-Two · · Score: 4, Insightful

    The 'Fuck PoisonBox' you're getting is due to the Sadmind virus.

    More at:
    http://www.symantec.com/avcenter/venc/data/backdoo r.sadmind.html

  2. Re:How to stop Internet Explorer executing said wa by platypus · · Score: 4, Insightful

    NO! Here's what wget showed me for one host:

    [message/rfc822]

    So this thing is really evil:

    1. it uses many forms of attack
    2. it attacks server _and_ clients
    3. it propagates by tftping the load from altering hosts (probably from the host which
    did the attack before)
    4. it alters the content type for the client infection via http+IE