Subject: RE: [Snort-users] Code Green???
Date: Tue, 18 Sep 2001 14:23:16 -0400
From: "Missaghi, Shawn"
To: snort-users@lists.sourceforge.net

This is the preliminary information known at this time.

Symantec has received a number of submissions and has assessed this as a level 4 threat rating. There is a new mass-mailing worm that utilizes email to propagate itself. The threat arrives as readme.exe in an email. In addition, the worm sends out probes to IIS servers attempting to spread by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm. Compromised servers may display a webpage prompting a visitor to download an Outlook file which contains the worm as an attachment. Also, the worm will create an open network share allowing access to the system. The worm will also attempt to spread via open network shares.

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

Increase in Port 80 (HTTP) scanning activity

This morning (September 18th) the CERT/CC started receiving reports of a massive increase in scanning directed at port 80 (HTTP). Reports indicate that this scanning activity is attempting to exploit systems previously compromised by Code Red II and/or the sadmind/IIS worm as well as other known vulnerabilities in Microsoft Internet Information Server (IIS). Please see CERT Vulnerability Note VU#111677 for information on the type of vulnerability being exploited.
The following is a log excerpt of this scanning activity:

GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

The CERT/CC has also received reports of a possibly new piece of malicious code named "readme.exe" being sent via email. Preliminary analysis indicates that this file may be related to the increase in port 80 scanning activity.

Sites are encouraged to verify the state of security patches on all IIS servers and email client software. Administrators may also want to add filters to mail servers to block the "readme.exe" attachment. In addition, sites may wish to notify users of the existence of "readme.exe" and its potential threat.
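The excerpt above shows the same directory traversal written in several encodings: percent-encoded separators (%5c, %2f), overlong two-byte UTF-8 sequences sent as raw bytes (\xc0\xaf, \xc1\x9c, \xc1\x1c), and double-encoded forms. A log review or IDS rule that searches for the literal string "../winnt/system32/cmd.exe" matches only one of them. The following is an added example, not code from this post, from Symantec or from CERT: a small Python checker that canonicalises each request path the way the affected IIS decoder did (two percent-decoding passes, then 0xC0/0xC1-led overlong sequences reduced to the ASCII byte they encode, then backslashes folded to slashes) before looking for the three indicators the excerpt exhibits. The sample request lines are constructed after the excerpt; the "%%35c" line is a constructed double-encoded variant, included to exercise the second decoding pass. The lax overlong-decoding rule is an assumption about the vulnerable decoder's behaviour, chosen so the \xc0/ and \xc1\x1c lines resolve the same way they did on the servers being probed.

```python
"""Canonicalise HTTP request paths and flag Nimda / Code Red II style probes.

Added example for log review; not the mailing-list post's or CERT's code.
"""
import re
from typing import List, Tuple

# Constructed sample request lines, modelled on the log excerpt in the CERT note.
# They are bytes because the overlong UTF-8 probes arrive as raw non-ASCII bytes.
# The "%%35c" line is a constructed double-encoded variant, not from the excerpt.
SAMPLE_REQUESTS = [
    b"GET /scripts/root.exe?/c+dir",
    b"GET /MSADC/root.exe?/c+dir",
    b"GET /c/winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir",
    b"GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir",
    b"GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir",
    b"GET /index.html",                     # benign
    b"GET /scripts/search.asp?q=cmd.exe",   # benign: cmd.exe appears only in the query
]

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
# 0xC0 and 0xC1 can only lead an overlong (invalid) two-byte UTF-8 sequence.
# Assumption about the vulnerable decoder: it accepted such a pair and used the
# low 5 + 6 bits as the ASCII byte, so \xc0\xaf -> '/' and \xc1\x9c -> '\'.
_OVERLONG = re.compile(rb"[\xc0\xc1]([\x00-\xff])")

# Binaries the probes in the excerpt try to reach.
SHELL_BINARIES = ("/cmd.exe", "/root.exe")


def _percent_decode(data: bytes) -> bytes:
    """One pass of %XX decoding; malformed escapes are left untouched."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _overlong_decode(data: bytes) -> bytes:
    """Reduce a 0xC0/0xC1-led pair to the single byte its low bits encode."""
    return _OVERLONG.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)]),
        data,
    )


def canonicalize(path: bytes) -> str:
    """Return the path as the target server would have resolved it."""
    for _ in range(2):  # two passes undo double encoding: %%35c -> %5c -> '\'
        path = _percent_decode(path)
    path = _overlong_decode(path)          # after percent decoding, so %c0%af is caught too
    path = path.replace(b"\\", b"/")       # Windows accepts either separator
    return path.decode("latin-1").lower()  # Windows paths are case-insensitive


def inspect(request_line: bytes) -> List[str]:
    """Return the indicators found in one request line (empty list if none)."""
    parts = request_line.split(b" ")
    target = parts[1] if len(parts) > 1 else parts[0]   # tolerate a missing method / version
    raw_path, _, query = target.partition(b"?")
    path = canonicalize(raw_path)
    findings = []
    if "/../" in path:
        findings.append("traversal")        # escaped the script directory
    if path.endswith(SHELL_BINARIES):
        findings.append("shell-binary")     # request resolves to cmd.exe / root.exe
    if query.lower().startswith(b"/c+"):
        findings.append("cmd-switch")       # query string is a cmd.exe /c command line
    return findings


def scan(lines) -> List[Tuple[str, List[str]]]:
    """Run inspect() over an iterable of raw request lines; keep only the hits."""
    hits = []
    for line in lines:
        findings = inspect(line)
        if findings:
            hits.append((line.decode("latin-1"), findings))
    return hits


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_REQUESTS):
        print(f"{','.join(findings):30} {line}")
```

Feed it real access-log request fields as bytes (not as already-decoded text, or the overlong sequences are lost) and every line in the excerpt above collapses to the same "/scripts/../../winnt/system32/cmd.exe" shape; the two benign samples produce no findings, including the one that merely mentions cmd.exe in a query parameter. The same canonicalisation is what an IDS must perform before content matching, which is why a raw substring signature for the traversal misses most of the variants listed.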