[Snort-users] IIS cmd.exe and unicode

Madden, Daniel Daniel.Madden at ...3956...
Wed Oct 31 02:07:03 EST 2001


Here is a message from BUGTRAQ:

////////////////  Message  /////////////////
A new version of Nimda (Nimda.E) is slowly propagating, both in email and
via the web. It appears to be exploiting the same vulnerabilities Nimda did
(MS00-060/MS00-078).

Via email it comes as either sample.eml, or sample.exe, and when it executes
it still drops riched20.dll, but now tries to download httpodbc.dll and
cool.dll. HTTP GETs include TFTP gets of these .dlls.

Httpodbc.dll is common on IIS systems and is included in Windows File
Protection (which won't prevent a Trojan copy from being dropped into a
directory other than \%systemroot%\system32\inetsrv). Cool.dll is common on
Windows 98 boxes but not NT 4.0 or Windows 2000.

IIS spreading is extremely slow at this point; we can only speculate as to
why. IIS boxes may be patched or disconnected.

Critical now is to ensure that you have updated your IE Browser to ensure
you're not running one that's vulnerable to MS01-020. You should be running
IE 5.01 SP2, IE 5.5 SP2, or IE 6.0 to be sure you're not vulnerable, or
apply the MS01-027 patch (which supersedes MS01-020).

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

////////////////  Message  /////////////////

Hope this helps!

Dan

-----Original Message-----
From: Bastian Ballmann [mailto:ballmann at ...3190...]
Sent: Wednesday, October 31, 2001 9:00 AM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] IIS cmd.exe and unicode


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi community!! =)
Does anyone know if Nimda is still very active? Or if another worm is using 
the IIS cmd.exe and unicode exploit to spread?
Because last night Snort detected a very high amount of those attacks...
Thanx and greets

Bastian Ballmann
@ Computational Design
- -- 
- ---:[ Keep the right to crypt!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjvfr3gACgkQ/X/Mmob5zke94gCeMtxMvggoS0A4Gxfna46w15iE
clYAniDmqkBFc+xQKwl22HXaHyPeV1HJ
=Gx6c
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users



