Sep 19, 2001

New Nimda Worm


A new worm has been discovered. Source of the information: the securityfocus.org mailing list. This complements the article below, and is posted because the situation looks more serious than it was for Code Red:



This worm launches roughly fifteen attacks per scanned machine (I'll let you imagine the network traffic 😉).

When will M$ take responsibility for the fiasco that is IIS? ;p



This is not good. http://www.amariplastics.com/ tries to run/download the readme.eml worm/trojan/thing when you browse it. It looks like their website has been tampered with or something as the last 3 lines of the HTML source read:

















which does exactly what it looks like.





Please be careful, one of the chaps here said it AUTOMATICALLY downloaded and ran the file. My machine asked me what to do. I said CANCEL, and so should you.






A couple things I seem to be seeing:

Infected hosts do what appears to be a netscan. Infected hosts produce an INSANE amount of ARP traffic. Also I’m keying on the following file searches:





mmc.exe

*.eml

root.exe



So far I seem to be finding the infected machines. Can anyone else out there confirm the ARP traffic correlation?
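
One way to test the ARP correlation raised in the message above, as an added example that is not part of the original posts: it counts the distinct ARP who-has targets each source asks for in tcpdump text output and reports the hosts that look like they are sweeping the subnet. The function names, the 60-second window, the 20-target threshold and the sample lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# tcpdump text output for an ARP request, e.g.
# "12:00:01.000000 ARP, Request who-has 10.0.0.101 tell 10.0.0.23, length 28"
ARP_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.\d+ ARP, Request who-has (\S+)"
    r"(?: \([0-9a-fA-F:]+\))? tell (\S+?),"
)

def arp_sweepers(lines, window=60, min_targets=20):
    """Map each source IP to its largest count of distinct who-has targets
    in any fixed `window`-second bucket, keeping sources >= min_targets."""
    buckets = defaultdict(set)          # (source, bucket index) -> targets asked for
    for line in lines:
        m = ARP_RE.match(line.strip())
        if not m:
            continue                    # non-ARP or malformed line
        hh, mm, ss, target, source = m.groups()
        seconds = int(hh) * 3600 + int(mm) * 60 + int(ss)
        buckets[(source, seconds // window)].add(target)
    worst = defaultdict(int)
    for (source, _), targets in buckets.items():
        worst[source] = max(worst[source], len(targets))
    return {s: n for s, n in worst.items() if n >= min_targets}

def constructed_capture():
    """Constructed sample lines (not real traffic): one quiet host, one sweeper."""
    fmt = "12:00:{:02d}.000000 ARP, Request who-has {} tell {}, length 28"
    lines = [fmt.format(i * 10, "10.0.0.1", "10.0.0.5") for i in range(5)]
    lines.append(fmt.format(30, "10.0.0.9", "10.0.0.5"))
    lines += [fmt.format(i // 10, "10.0.0.%d" % (100 + i), "10.0.0.23")
              for i in range(1, 41)]
    lines.append("12:00:05.000000 IP 10.0.0.5.1025 > 10.0.0.1.80: Flags [S]")
    return lines

if __name__ == "__main__":
    for source, count in sorted(arp_sweepers(constructed_capture()).items()):
        print(f"{source}: {count} distinct ARP targets in one window")
```

A host that repeatedly resolves its gateway stays under the threshold because only distinct targets are counted; the threshold needs tuning to the subnet size and normal chatter of the network being watched.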






We obtained a virus update from Symantec and started scanning our systems.


Norton Anti-Virus has been finding numerous infected exe’s including wordpad.exe and many other executables. 🙁

NAV is unable to clean the files and can only quarantine them 🙁

Enjoy rebuilding your servers 🙁




