Slashdot Mirror


New (More) Annoying Microsoft Worm Hits Net

A new worm seems to be running rampant. Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those Windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am). I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J: It now has a name: "Nimda." More info here, here, and here.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, my desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update: Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
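
A defender-side check for the request patterns quoted above, as an added example that is not part of the original story: it percent-decodes the path until it stops changing, folds overlong UTF-8 lead bytes the way a lenient decoder would (an assumption about the decoder), and flags traversal to cmd.exe. The function names and finding labels are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: based on the three requests quoted in the story,
# plus two benign requests for contrast.
SAMPLE_REQUESTS = [
    "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../"
    "..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "GET /index.html",
    "GET /docs/My%20File.txt",
]

OVERLONG = re.compile(rb"[\xc0\xc1](.)", re.DOTALL)

def fold_overlong(data):
    # 0xC0/0xC1 never start valid UTF-8. Assumption: a lenient decoder that
    # skips that check folds the two bytes into one ASCII byte, as done here.
    return OVERLONG.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)]),
        data)

def inspect(request_line, max_rounds=5):
    """Return (normalized_path, findings) for a 'METHOD target' request line."""
    target = request_line.split(" ", 2)[1]
    path = target.split("?", 1)[0].encode("latin-1")
    findings, rounds = [], 0
    while rounds < max_rounds:          # decode until the path stops changing
        decoded = unquote_to_bytes(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    if rounds > 1:                      # %255c and %%35%63 both need two passes
        findings.append("nested-percent-encoding")
    folded = fold_overlong(path)
    if folded != path:                  # %c1%1c folds to a backslash
        findings.append("overlong-utf8")
    segments = folded.replace(b"\\", b"/").decode("latin-1").split("/")
    if ".." in segments:
        findings.append("directory-traversal")
    if segments[-1].lower() == "cmd.exe":
        findings.append("cmd.exe-target")
    return "/".join(segments), findings

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(inspect(line)[1] or ["clean"], line)
```

A path that is percent-encoded only once, such as the last sample, decodes in a single pass and produces no findings.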

4 of 1,163 comments

  1. Re:Mail servers down by Swordfish · Score: 3, Offtopic

    It seems to me that it started at approximately 08:42 on Tuesday morning. I wonder what this means?!! I suspect this is not a coincidence.

    It has a very high probability of /16 hits as well as /8 hits.

    It's using about 50% of my modem bandwidth with about 20 IP addresses with port 80 active. It's so bad, I closed down most of my ports 80.

  2. Re:Destroy Islam. Exterminate All Muslims. Destroy by HermanBupkis · Score: 0, Offtopic

    Don't be a dink, man.

    We are all upset about what the Terrorists did. But you don't have to be a wiener to a bunch of innocent people.

  3. Re:What's the problem? by re-geeked · Score: 1, Offtopic

    If your software had a butt to scratch, it would...

    --
    "You can't get something for nothing." - my grandfather, on the stock market and Reaganomics.

  4. Re:Wrong name by Datafage · Score: 1, Offtopic

    Mod this guy up!

    --

    Nicotine free Amish .sig.