Re: lug-bg: Such a thing... well, this will help
- Subject: Re: lug-bg: Such a thing... well, this will help
- From: azbest@xxxxxxxxx (Ivan Donchev)
- Date: Tue, 7 Aug 2001 12:27:58 +0300
Virus-specific removal tool for I-Worm.Sircam.A
http://www.centralcommand.com/ts/00D709001aet/antisircam.exe
CENTRAL COMMAND - VIRUS WARNING - CodeRed.C (CodeRed II)
***| CodeRed.C Internet Worm |***
Central Command has received many inquiries about a new Internet
worm that is similar to the original Code Red Internet worm that
exploits a known vulnerability within Microsoft Internet
Information Server (IIS). The exploit allows a self-propagating
Internet worm named "CodeRed.C" to access and penetrate a web
server through the Indexing Services used by some versions of
Microsoft IIS. Once the worm has penetrated a web server it is
designed to install a back door remote administration utility onto
the infected server and allow anyone to have full control over the
server and its data.
It is recommended that network administrators patch their
Windows NT and Windows 2000 systems immediately against this
exploit.
Details:
Name : CodeRed.C
Aliases: I-Worm.Bady, CodeRed.v3, Code RedII
Type : Worm, IIS Server Exploit, and Backdoor
Risk : High
Spreading: Wide
Description:
The method of infection is the same as in the former versions of the
CodeRed worm. The worm uses a well-known IIS (Internet Information
Server) security hole, which exploits the ISAPI Indexing Service
buffer overflow. Unlike Code Red, CodeRed.C does not attack any
single IP or deface websites; rather, it drops a backdoor onto the
infected web server. Therefore, CodeRed.C contains a more malicious
and damaging payload (this payload will leave infected victims
vulnerable to any potential attacker accessing their web server).
After the worm gains control over the server, it searches out the
memory address of the loaded kernel32.dll. If the
operation succeeds, the worm finds the addresses of some other
system functions that it will use in replication. First, it finds
out the address of GetProcAddress, which it uses to locate other
functions like LoadLibrary, CreateThread, GetSystemDirectory...
Then, the worm checks if the atom named "CodeRedII" exists in the
system, and if it does it suspends its execution (putting it in
sleep mode). If the CodeRedII atom was not set, then the atom is
created to prevent further infections. Once set, it checks the
default language. If the system language is Chinese, then it creates
600 threads, and if not, only 300. These threads are used to infect
other vulnerable systems. Through the generation of IP addresses
the worm searches out other vulnerable systems.
The worm also copies the file "cmd.exe" into the scripts folder of IIS
and into "\system\MSADC" under the name "root.exe". In this way
the infected system can always be accessed through an HTTP "GET"
request to execute "scripts\root".
If the system date is October 2001, the worm restarts the system.
The worm also creates a trojan, "c:\explorer.exe" or "d:\explorer.exe",
which will run at every system startup.
Central Command will be continually posting new information about
this worm and its spreading rate as received. Last update August 5,
2001.
Microsoft has released a patch that eliminates this security
vulnerability. The vulnerability exists in the Indexing Services
used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT,
Windows 2000, and beta versions of Windows XP.
For further information and to download a patch please read:
Code Red Information:
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010720-000018
Microsoft Security Bulletin (MS01-033):
http://www.microsoft.com/technet/security/bulletin/ms01-033.asp
Information about "Code Red" from Microsoft:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codered.asp
----- Original Message -----
From: Kristo Komsalov
To: Linux BG
Sent: Tuesday, August 07, 2001 11:58 AM
Subject: lug-bg: Has anyone seen such a thing?
Since last night one user, and today a second one as well,
started sending mails non-stop, simply for as long as the machine is running
"I'm not sure whether it also happens without Outlook Express started".
Attached to the mails is some large (around 256K)
doc or xls from the sender's machine,
renamed to file.doc.bat or file.xls.com.
The body of the message reads:
__________________________________________________
Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
------------------------------------------------------------------------------
It's probably a virus.
I was just told that they had heard of something similar.
Regards, Kristo
===========================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora
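As an added defensive example (not part of the original posting or of Central Command's tooling), the Python below checks IIS W3C logs for requests to the root.exe backdoor the advisory describes and looks for the dropped files on a drive root; the \inetpub\scripts location and the W3C field order are assumptions, and the sample log and demo drive are constructed.

```python
"""Host and log checks for the CodeRed.C (CodeRed II) artifacts named in the advisory above.
Added example, not Central Command's or the poster's code. Assumes IIS W3C extended logs with
fields in the order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
import re
import tempfile
from pathlib import Path

# The advisory: cmd.exe is copied to the IIS scripts folder and to \system\MSADC as root.exe,
# then driven by plain HTTP GET requests. Match that URI stem case-insensitively.
BACKDOOR_URI = re.compile(r"^/(scripts|msadc)/root\.exe$", re.IGNORECASE)

# Files the worm drops, relative to a drive root. The \inetpub\scripts location is an assumption;
# \system\MSADC is quoted as written in the advisory; explorer.exe is the startup trojan.
DROPPED_FILES = (Path("inetpub/scripts/root.exe"), Path("system/MSADC/root.exe"), Path("explorer.exe"))

def flag_backdoor_requests(log_lines):
    """Return (client_ip, uri_stem, status) for every log line that calls the root.exe backdoor."""
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue                      # skip W3C header lines and blanks
        fields = line.split()
        if len(fields) < 7:
            continue                      # truncated or malformed line
        _date, _time, client_ip, _method, uri_stem, _query, status = fields[:7]
        if BACKDOOR_URI.match(uri_stem):
            hits.append((client_ip, uri_stem, status))
    return hits

def find_dropped_files(drive_root):
    """Return the dropped-file paths present under drive_root (run once per drive, e.g. C:\\ and D:\\)."""
    root = Path(drive_root)
    return [str(root / rel) for rel in DROPPED_FILES if (root / rel).is_file()]

def build_demo_drive():
    """Constructed stand-in for an infected drive: a temp dir with an empty root.exe planted."""
    root = Path(tempfile.mkdtemp())
    scripts = root / "inetpub" / "scripts"
    scripts.mkdir(parents=True)
    (scripts / "root.exe").write_bytes(b"")   # empty placeholder, not a copy of cmd.exe
    return str(root)

# Constructed sample log: two backdoor calls from one client amid normal traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-07 10:02:11 192.0.2.10 GET /index.htm - 200
2001-08-07 10:03:45 198.51.100.7 GET /scripts/root.exe - 200
2001-08-07 10:04:02 198.51.100.7 GET /MSADC/root.exe - 200
2001-08-07 10:05:30 192.0.2.11 GET /scripts/ok.asp - 200""".splitlines()
```

On a real server, point find_dropped_files at each drive root and feed flag_backdoor_requests the live IIS log; a hit means the host needs the MS01-033 patch and a rebuild, not just deletion of root.exe.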