[Snort-users] IIS cmd.exe and unicode

Madden, Daniel Daniel.Madden at ...3956...
Wed Oct 31 02:09:02 EST 2001


A little more reading...

http://www.symantec.com/avcenter/venc/data/w32.nimda.e@...3071...

The major differences in this one, along with the filenames to filter, are:
* The attachment received has been changed to: Sample.exe
* The dropped .dll file is now: Httpodbc.dll/cool.dll
* The worm now copies itself to the \Windows\System folder as Csrss.exe instead of Mmc.exe

Dan

-----Original Message-----
From: Bastian Ballmann [mailto:ballmann at ...3190...]
Sent: Wednesday, October 31, 2001 9:00 AM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] IIS cmd.exe and unicode


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi community!! =)
Does anyone know if Nimda is still very active? Or if another worm is using 
the IIS cmd.exe and unicode exploit to spread?
Cause last night Snort detected a very high amount of those attacks...
Thanx and greets

Bastian Ballmann
@ Computational Design
- -- 
- ---:[ Keep the right to crypt!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjvfr3gACgkQ/X/Mmob5zke94gCeMtxMvggoS0A4Gxfna46w15iE
clYAniDmqkBFc+xQKwl22HXaHyPeV1HJ
=Gx6c
-----END PGP SIGNATURE-----
