DoS.Storm.Worm infects IIS systems then launches DoS against www.microsoft.com
Oh my goodness... here is the latest 'smart' trojan that was discovered in the wild on June 6th and for which the advisory is out on June 7th. DoS.Storm.Worm is a worm that seeks out Microsoft Internet Information Services (IIS) systems that have not applied the proper security patches. Any such systems that it finds are then infected with the worm. The payload of this worm performs a denial of service attack on http://www.microsoft.com ... The full advisory from Symantec is below...
DoS.Storm.Worm
Discovered on: June 6, 2001
Last Updated on: June 7, 2001 at 12:39:59 PM CEDT
DoS.Storm.Worm is a worm that seeks out Microsoft Internet Information Services (IIS) systems that have not applied the proper security patches. Any such systems that it finds are then infected with the worm. The payload of this worm performs a denial of service attack on http://www.microsoft.com
Category: Worm
Virus Definitions: June 6, 2001
Wild: Low
Medium
Medium
- Number of infections: 0 - 49
- Number of sites: 0 - 2
- Geographical distribution: Low
- Threat containment: Easy
- Removal: Easy
- Payload: A denial of service attack is initiated against http://www.microsoft.com
- Large scale e-mailing: An email bombing session is started that sends emails to gates@microsoft.com with the text "Fuck you!"
- Degrades performance: Network performance may suffer seriously
- Target of infection: Microsoft IIS installations (versions 4 and 5) that do not have the security patches installed to cover the "Web Server Folder Traversal" security vulnerability
When this worm is run, it sets up a server FTP thread and starts to scan 10,000,000 IP addresses in an attempt to find a vulnerable system at one of the targeted addresses. The vulnerable systems that it targets are Microsoft IIS installations (versions 4 and 5) that do not have the security patches installed to cover the "Web Server Folder Traversal" security vulnerability as described in http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
Additional advice on securing IIS web servers is available from:
http://www.microsoft.com/technet/security/iis5chk.asp
http://www.microsoft.com/technet/security/tools.asp
When the worm finds a vulnerable system, it copies itself to the targeted system and sets it up to automatically run the worm, effectively making that system a zombie that participates in the hacker's e-war. To make sure that the worm is run on next system startup, the worm adds the value
666 c:\winnt\system32\storm\start.bat
to the registry keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
This worm has two payloads:
- A denial of service attack is initiated against http://www.microsoft.com.
- An email bombing session is started that sends email messages containing an obscene message to gates@microsoft.com.
Delete all files that are detected as DoS.Storm.Worm and remove the added registry values.
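As an added example (not part of the Symantec write-up), a PowerShell check an administrator could run on an IIS host to look for the autostart value described above and the batch file it points to. The two key paths, the value name 666 and the start.bat path come from the advisory; the variable names and the optional removal step are assumptions.

```powershell
# Added example, not from the advisory: audit the two autostart keys the
# write-up names for the DoS.Storm.Worm persistence value. Run elevated.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Indicators taken from the advisory text
$indicatorName = '666'
$indicatorPath = 'storm\start.bat'
$indicatorFile = 'c:\winnt\system32\storm\start.bat'

# Properties PowerShell adds to registry items; these are not real values
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = foreach ($key in $autostartKeys) {
    if (-not (Test-Path -Path $key)) { continue }   # RunServices may not exist
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $data = [string]$prop.Value
        # Flag either the known value name or any data pointing at start.bat
        if ($prop.Name -eq $indicatorName -or $data -like "*$indicatorPath*") {
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Data = $data }
        }
    }
}

if ($findings) {
    Write-Output 'Suspicious autostart values found:'
    $findings | Format-Table -AutoSize
    # Removal as the advisory describes: drop the added value(s). Uncomment to act.
    # $findings | ForEach-Object { Remove-ItemProperty -Path $_.Key -Name $_.Name }
} else {
    Write-Output 'No DoS.Storm.Worm autostart values found.'
}

# The batch file itself; the advisory says to delete detected files as well
if (Test-Path -Path $indicatorFile) {
    Write-Output "Worm start file present: $indicatorFile"
}
```

The check only matches the indicators the advisory gives; a host that shows nothing here should still be patched against MS00-078 and reviewed against the IIS hardening guidance linked above.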
Write-up by: Andre Post