From: HalbaSus (halbasus_at_go.ro)
Date: Tue Sep 10 2002 - 05:39:44 CDT
Yes, I read about this virus too. BUT:
These requests appeared on 2 boxes. One is a cable-hosted small mail server (I'm
pretty sure it's not compromised), while the second box is my home dial-up
machine (I'm not even running Apache all the time, only when I do tests). Yet
while the two IPs belong to the same ISP, they don't have similar IPs.
The source IPs were different, and so was the time of the "attack"... Also, on my
dial-up box I had 3 requests (coming at intervals of about 40 minutes), but
during this time my IP had changed (remember, dial-up dynamically allocated
IPs). That's why I suspect some sort of scanner-like action.
The other weird thing is that my dial-up box was "scanned" for b.cgi from 3
different countries (Brazil, Italy and Malaysia) at intervals of 40 minutes
(even though meanwhile I changed my IP).
The GET request is pretty weird:
GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla
It might be encrypted, but it looks like a pretty simple encryption to me (yet
I'm not a cryptographer, just guessing...)
The fact that the & sign is repeated makes me believe that there are actually
2 "encrypted" commands (if we're talking about the virus).
Now, I believe it's obvious that this virus/worm/whatever is scanning for
"b.cgi"... In the description of Frethem it says that it tries to connect to
a number of predefined hosts... Is this some new version with an included
scanner or something?
Oh, one more interesting thing... I usually get about 2-3 e-mails a day like "Hi,
your password" or "This is a good tool" etc... all of them trying to exploit
IFRAME and human stupidity (I'm running FreeBSD and KMail, so I don't think
I'm infected or anything). BUT... I believe that other users from my ISP got
the very same message, so... is it possible for a "worm" to open a daemon
sitting on port 80 waiting for b.cgi inputs? If it is... it's starting to make
sense. Some dude got infected, but since he is on dial-up too, the other
clients have to "scan" for it.
Btw, I checked the source IPs... 2 of them seem to be dial-ups, one is cable
but was turned off... so they're probably home Windows computers...
(Nimda/CodeRed/Apache-worm type worms excluded since they would only
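As an added example (not part of the original post and not the poster's own code), the script below does the check the post reasons through by hand: it parses Apache combined-format access log lines, picks out the requests for /b.cgi, splits the query string at the & signs the way the post reads it, and reports how many distinct sources probed, the gap in minutes between successive probes, whether every probe got a 404 and whether the query payload was identical each time. The log lines are constructed for illustration using RFC 5737 documentation address ranges and made-up timestamps; only the request string mirrors the one quoted above. Note that a token of decimal digits also passes the hex check, since every digit is a valid hex character.

```python
import re
from datetime import datetime

# Constructed sample of Apache "combined" log lines. The request string is the
# one quoted in the post; source addresses and timestamps are made up
# (RFC 5737 documentation ranges), not the poster's real data.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Sep/2002:03:01:12 +0300] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
192.0.2.10 - - [10/Sep/2002:03:01:13 +0300] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla"
198.51.100.7 - - [10/Sep/2002:03:41:40 +0300] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
203.0.113.99 - - [10/Sep/2002:04:22:05 +0300] "GET /b.cgi?money&334671127&686C318B424C HTTP/1.1" 404 277 "-" "Mozilla"
203.0.113.5 - - [10/Sep/2002:05:10:00 +0300] "GET /robots.txt HTTP/1.1" 404 210 "-" "Wget"
"""

# Apache combined log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def split_query(path):
    """Split '/b.cgi?money&A&B' into ('/b.cgi', ['money', 'A', 'B'])."""
    script, _, query = path.partition("?")
    parts = query.split("&") if query else []
    return script, parts


def looks_hex(token):
    """True if the token is non-empty and made only of hex digits."""
    return len(token) > 0 and all(c in "0123456789abcdefABCDEF" for c in token)


def find_probes(log_text, script="/b.cgi"):
    """Collect every request whose script path is `script`, with its query parts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name, parts = split_query(rec["path"])
        if name != script:
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "status": rec["status"],
            "parts": parts,
            "hexlike": [p for p in parts if looks_hex(p)],
        })
    return hits


def summarize(hits):
    """Distinct sources, inter-arrival gaps in minutes, and payload consistency."""
    hits = sorted(hits, key=lambda h: h["ts"])
    gaps = [(b["ts"] - a["ts"]).total_seconds() / 60 for a, b in zip(hits, hits[1:])]
    return {
        "count": len(hits),
        "sources": sorted({h["ip"] for h in hits}),
        "gaps_minutes": [round(g, 1) for g in gaps],
        "all_404": all(h["status"] == "404" for h in hits),
        "payload_same": len({tuple(h["parts"]) for h in hits}) == 1,
    }


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for p in probes:
        print(p["ts"].isoformat(), p["ip"], p["parts"], "hex-looking:", p["hexlike"])
    print(summarize(probes))
```

Run against a real access_log instead of SAMPLE_LOG, a roughly constant gap between probes from unrelated sources with a byte-identical query string is the pattern the post describes; the same script path requested by one source with varying parameters would point to something else.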