From: HalbaSus (halbasus_at_go.ro)
Date: Tue Sep 10 2002 - 05:39:44 CDT

    Yes, I read about this virus too. BUT:

    These requests appeared on 2 boxes. One is a cable hosted small mailserver (I'm
    pretty sure it's not compromised), while the second box is my home dial-up
    machine (I'm not even running apache all the time, only when I do tests). Even
    though the two IPs belong to the same ISP, they don't have similar IPs.

    The source IPs were different, and so was the time of the "attack"... Also, on my
    dial-up box I had 3 requests (coming at intervals of about 40 minutes). But
    during this time my IP had changed (remember, dial-up dynamically allocated
    IPs). That's why I suspect some sort of scanner-like action.

    The other weird thing is that my dial-up box was "scanned" for b.cgi from 3
    different countries (Brazil, Italy and Malaysia) at intervals of 40 minutes
    (even if meanwhile I changed my IP).

    The GET request is pretty weird:

     GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla

    It might be encrypted, but it looks like a pretty simple encryption to me (yet
    I'm not a cryptographer, just guessing... )

    The fact that the & sign is repeated makes me believe that actually there are
    2 "encrypted" commands (if we're talking about the virus).

    Now, I believe it's obvious that this virus/worm/whatever is scanning for
    "b.cgi"... In the description of Frethem it says that it tries to connect to
    a number of predefined hosts... Is this some new version with an included
    scanner or something?

    Oh, one more interesting thing... I usually get like 2-3 e-mails daily, "Hi,
    your password" or "This is a good tool" etc... all of them trying to exploit
    IFRAME and human stupidity (I'm running FreeBSD and KMail, so I don't think
    I'm infected or anything). BUT... I believe that other users from my ISP got
    the very same message, so... is it possible for a "worm" to open a daemon
    sitting on 80 waiting for b.cgi inputs? If it is... it's starting to make
    sense. Some dude got infected, but since he is on dial-up too, the other
    clients have to "scan" for it.

    Btw, I checked the source IPs... 2 of them seem to be dial-ups, one is cable
    but was turned off... so they're probably home Windows computers...
    (nimda/codered/apache-worm type worms excluded, since they would only
    penetrate webservers)

    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
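A defender-side check for the probe discussed in the post above, as an added example that is not part of the original message: it parses Apache combined-format access log lines (constructed samples, not the poster's real logs) for requests to /b.cgi, tests whether the query has the money&number&hex shape of the one quoted request, and reports the spacing between probes so a 40-minute cadence like the one described would stand out. The log format and both regular expressions are assumptions, not anything taken from the worm.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache combined log format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2002:02:11:43 -0500] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
198.51.100.7 - - [10/Sep/2002:02:52:10 -0500] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
192.0.2.44 - - [10/Sep/2002:03:31:58 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Sep/2002:03:32:07 -0500] "GET /b.cgi?money&119&00AA11BB22CC HTTP/1.0" 404 277 "-" "Mozilla"
"""

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)"'
    r' (?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed shape of the query from the single quoted request: word, decimal number, hex string.
PROBE_QUERY_RE = re.compile(r'^money&(?P<num>\d+)&(?P<hex>[0-9A-Fa-f]+)$')

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec

def find_bcgi_probes(log_text):
    """Return one record per request for /b.cgi, whatever status the server answered."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec['path'].partition('?')
        if path != '/b.cgi':
            continue
        probes.append({
            'ip': rec['ip'],
            'ts': rec['ts'],
            'status': int(rec['status']),
            'fields': query.split('&'),           # the '&'-separated pieces the post wonders about
            'matches_pattern': PROBE_QUERY_RE.match(query) is not None,
        })
    return probes

def probe_intervals_minutes(probes):
    """Minutes between consecutive probes in time order, regardless of source IP."""
    times = sorted(p['ts'] for p in probes)
    return [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
```

Run against a real access log, a short list of intervals clustering around one value across unrelated source addresses is the signal worth escalating; the 404 status alone is not.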