[NTLUG:Discuss] Virus/worm update from Sterling Commerce security team

Chris Cox cjcox at acm.org
Tue Sep 18 14:27:17 CDT 2001


I did not write the following... all I can say is time to uninstall
Windows :-)

(the rest is from our security team here... it comes with no
warranty whatsoever!!  The information is not guaranteed to be
accurate or useful in any way.  If any of this information causes
you to do ANYTHING, Sterling Commerce cannot be held responsible
for any outcome of that.)

1. Worm is a Unicode based attack on IIS servers. Like RedWorm but uses
a Unicode variant to mask attack.  IT TROJANS THE IIS SERVER SUCH THAT AN
EML FILE IS DELIVERED TO EVERYONE WHO GOES TO ANY PAGE ON THE INFECTED
IIS BOX.

2. The eml file is automatically executed at the client side. This is
automatic per Microsolved discussion with Microsoft.
Fix is at least 24 hours out.

3. EML file execution installs a readme.exe root kit.

4. That kit

   1. spreads itself via port 80 and 443 scans looking for new
      IIS boxes to infect.
      NOTE NOW THAT WORM IS INSIDE AND CAN SEE INTERNAL SERVERS.
   2. Shares the C: drive
   3. Spreads itself via outlook - .eml AND .WAV
      (Block both of these)
   4. spreads via fileshares
   5. possibly manipulates wininit.ini
   6. tftp's outbound to various sites to download an admi.dll file.
   7. possibly manipulates mmc.exe

5.  This is affecting the WHOLE Internet

6. We are blocking ALL outbound port 80 and 443 to prevent web surfing
from bringing in the worm.

7. We are blocking .wav and .eml at Exchange servers.

Look for readme.eml and readme.exe and admin.dll files.
Do a netstat -an | more
If you see a second-to-left column with 10-30 <IP address>:80 SYN_SENT
going to various sites that make no sense -
you likely have it. Shut down.
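The netstat check at the end of the post is easy to automate on a suspect host. The following is an added example, not code from the post or from Sterling Commerce's security team: it parses the text of a Windows `netstat -an` dump, counts half-open (SYN_SENT) connections to port 80 and 443 on distinct remote hosts, and flags the host when the count reaches the lower end of the "10-30" range the post gives. The netstat samples it runs on are constructed for illustration, not captured from an infected machine, and the column layout it assumes is that of the Windows netstat output the post refers to.

```python
"""Triage helper for the netstat indicator described in the post.

Added example, not from the original message or Sterling Commerce.
Counts SYN_SENT connections to web ports in `netstat -an` output; many
half-open web connections to unrelated hosts is the scanning pattern the
post says an infected IIS box shows.
"""
import re
from collections import Counter

WEB_PORTS = {"80", "443"}        # ports the post says the worm scans
SUSPECT_THRESHOLD = 10           # lower bound of the post's "10-30" figure

# Matches a TCP row of Windows `netstat -an`: proto, local, foreign, state.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _constructed_netstat(syn_sent_hosts):
    """Build a constructed `netstat -an` dump (not a real capture) containing
    the given number of SYN_SENT connections to distinct port-80 hosts."""
    lines = [
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State",
        "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING",
        "  TCP    192.0.2.10:1054        198.51.100.7:80        ESTABLISHED",
        "  UDP    0.0.0.0:69             *:*",
    ]
    for i in range(syn_sent_hosts):
        lines.append(f"  TCP    192.0.2.10:{1100 + i:<12}203.0.113.{i + 1}:80"
                     f"{'':>10}SYN_SENT")
    return "\n".join(lines) + "\n"


# Two constructed dumps: one that looks like the post's indicator, one that does not.
SAMPLE_INFECTED = _constructed_netstat(12)
SAMPLE_CLEAN = _constructed_netstat(1)


def parse_netstat(text):
    """Yield (local, foreign, state) tuples for every TCP row in the dump."""
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            yield m.groups()


def syn_sent_web_targets(text):
    """Map each remote host with a SYN_SENT connection on port 80/443 to its count."""
    targets = Counter()
    for _local, foreign, state in parse_netstat(text):
        host, _, port = foreign.rpartition(":")   # rpartition keeps IPv6 literals intact
        if state == "SYN_SENT" and port in WEB_PORTS:
            targets[host] += 1
    return targets


def looks_infected(text, threshold=SUSPECT_THRESHOLD):
    """True when the dump shows at least `threshold` half-open web connections,
    the pattern the post says warrants shutting the host down."""
    return sum(syn_sent_web_targets(text).values()) >= threshold


if __name__ == "__main__":
    for name, dump in (("constructed infected host", SAMPLE_INFECTED),
                       ("constructed clean host", SAMPLE_CLEAN)):
        hits = syn_sent_web_targets(dump)
        print(f"{name}: {sum(hits.values())} SYN_SENT to {len(hits)} web hosts "
              f"-> {'SUSPECT' if looks_infected(dump) else 'ok'}")
```

On a real host the dump would come from `netstat -an` rather than the constructed strings; the threshold is a rule of thumb from the post, so a busy web proxy or a crawler can legitimately exceed it and the file names the post lists (readme.eml, readme.exe, admin.dll) remain the better confirmation.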
