
Thread: Code Red: Train Crash To Blame
Old 08-02-2001, 08:57 PM   #1
CaptainRAVE
Jedi Rave
 
 
Join Date: May 2001
Posts: 4,272
Code Red: Train Crash To Blame

The panic caused by the worm Code Red is now being blamed on a train crash. The disruption felt on the net is being associated with a Baltimore train crash on July 18 which damaged key wirings used by major Internet providers.

The train crash, which resulted in a tunnel fire, happened as Code Red was starting to become active, making people assume the disruption was caused by the worm. Now net monitoring experts conclude the worm was “never a threat”.

Saying the 19 July Internet slowdown was definitely not caused by the worm, Keynote, a security firm, adds that Code Red had little effect on net traffic even at its activity peak.


The force will betray you to me.
Old 08-02-2001, 09:06 PM   #2
matt--
Network Un-exploder
 
 
Status: Administrator
Join Date: May 2001
Posts: 3,573
LFN Staff Member Notable contributor 

hmmm interesting.

How did you guys that live in Australia fare?

I mean with connecting to out-of-US servers.

I really didn't notice a slow down at all.


LFNetwork and LucasForums.com
matt at lfnetwork dot com
Old 08-02-2001, 10:31 PM   #3
Wilhuf
Senior Member
 
 
Join Date: May 2001
Location: Galactic Plumberman Alliance -
Posts: 1,125

Well, the cause of the accident hasn't yet been determined, but speculation is that a ruptured water main may be the culprit. See the Washington Post Article.

Meanwhile, I didn't notice any net slowdown at all during the so-called code red attacks.


Wilhuf

Never give in--never, never, never, never, in nothing great or small, large or petty, never give in except to convictions of honour and good sense. Never yield to force; never yield to the apparently overwhelming might of the enemy.

Winston Churchill, 1941.
Old 08-02-2001, 11:01 PM   #4
Kurgan
Guest
 
Posts: n/a

Never got code red, but I got a zillion people sending me "sircam" over the last week or so.. ; p

Kurgan
Old 08-02-2001, 11:06 PM   #5
matt--
Network Un-exploder
 
 
Status: Administrator
Join Date: May 2001
Posts: 3,573
LFN Staff Member Notable contributor 

You only get code red if you are running an unpatched version of ms's IIS.

On top of that, it only stays until shutdown.


LFNetwork and LucasForums.com
matt at lfnetwork dot com
Old 08-02-2001, 11:35 PM   #6
acdcfanbill
..the wonders I have seen
 
 
Status: Super Moderator
Join Date: Jun 2001
Location: Random Hell Wholes around the
Posts: 5,697
Imperialist Meatbags Guild Member The Walking Carpets Guild Member LFN Staff Member 10 year veteran! 

the thing that pisses me off the most, is when your friends have prezbushshooter running, when you try to IM them. grrr

Old 08-03-2001, 05:10 PM   #7
CaptainRAVE
Jedi Rave
 
 
Join Date: May 2001
Posts: 4,272

Yea, I keep getting the SirCam virus sent to me. I wish it would stop because it's really annoying.


The force will betray you to me.
Old 08-03-2001, 05:21 PM   #8
matt--
Network Un-exploder
 
 
Status: Administrator
Join Date: May 2001
Posts: 3,573
LFN Staff Member Notable contributor 

I hear SirCam sends out private docs...true?


LFNetwork and LucasForums.com
matt at lfnetwork dot com
Old 08-03-2001, 08:52 PM   #9
CaptainRAVE
Jedi Rave
 
 
Join Date: May 2001
Posts: 4,272

Yes it sure does. It sends out any docs. It deletes any files, fills up your hard disk etc and loads more....here's some stuff....(sorry it's so long, but some people may thank me if they have it)....

EVEN IF YOU DON'T THINK YOU'VE BEEN INFECTED, you may have been. Essentially, this worm makes duplicates of itself and then mails itself to others whose email addresses are recorded in your Microsoft Email app (Outlook variants).

Due to an increased rate of virus submissions, The Symantec AntiVirus Research Center (SARC) has upgraded W32.Sircam.Worm@mm from a level 3 to a level 4 virus threat.

W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm.
Due to what appears to be a bug, this worm does not replicate under Windows NT or 2000.

SARC has created a tool to remove this worm.

CAUTION: In some cases, if you have had NAV quarantine or delete infected files, you will not be able to run .exe files, however you will still be able to run the removal tool.

To obtain the W32.Sircam.Worm@mm removal tool, please click here.


Also Known As: W32/SirCam@mm, Backdoor.SirCam

Type: Worm

Virus Definitions: July 17, 2001

Threat Assessment:


Wild: High
Damage: Medium
Distribution: High


Wild:

Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate
Damage:

Payload Trigger: 1) October 16th, or some attached file contents, triggers file deletion payload. 2) If the file deletion occurred, or after 8000 executions, triggers the space filler payload.
Payload:
Large scale e-mailing: The worm appends a random document from the infected PC to itself and sends this new file via email
Deletes files: 1 in 20 chance of deleting all files and directories on C:. Only occurs on systems where the date is October 16 and which are using D/M/Y as the date format. Always occurs if attached file contains "FS2" not followed by "sc".
Degrades performance: 1 in 50 chance of filling all remaining space on the C: drive by adding text to the file c:\recycled\sircam.sys
Releases confidential info: It will export a random document from the hard drive by appending it to the body of the worm
Distribution:

Subject of email: Random subject - the filename of the attachment
Name of attachment: A file from the sender's computer with the extension .bat, .com, .lnk, or .pif added to it.
Size of attachment: at least 134kb long
Shared drives: searches for shared drives and copies itself to those it finds

Technical description:

This worm arrives as an email message with the following content:

Subject: The subject of the email will be random, and will be the same as the file name of the email attachment.
Attachment: The attachment is a file taken from the sender's computer and will have the extension .bat, .com, .lnk or .pif added to it.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.

Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.

English Version:
First line: Hi! How are you?
Last line: See you later. Thanks

Between these two sentences, some of the following text may appear:

Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste

English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for

When run, the worm performs the following actions:


1. It creates copies of itself as %TEMP%\<File name> and C:\Recycled\<file name>, which contain the attached document. This document is then run using the program registered to handle the specific file type. For example, if it is saved as a file with the .doc extension, it will run using Microsoft Word or Wordpad. A file with the .xls extension will open in Excel, and one with the .zip extension will open in your default zip program, such as WinZip.

NOTE: The term %TEMP% is the Temp variable, and means that the worm will save itself to the Windows Temp folder, whatever its location. The default is C:\Windows\Temp.

2. It copies itself to C:\Recycled\Sirc32.exe and %System%\Scam32.exe.

NOTE: %System% is also a variable. The worm will locate the \System folder (by default this is C:\Windows\System) and copy itself to that location.

3. It adds the value

Driver32=%System%\scam32.exe

to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

4. It creates the following registry key:

HKEY_LOCAL_MACHINE\Software\SirCam

with the following values:
FB1B - Stores the file name of the worm as stored in the Recycled directory.
FB1BA - Stores the SMTP IP address.
FB1BB - Stores the email address of the sender.
FC0 - Stores the number of times the worm has executed.
FC1 - Stores what appears to be the version number of the worm.
FD1 - Stores the file name of worm that has been executed, without the suffix.

5. The (Default) value of the registry key

HKEY_CLASSES_ROOT\exefile\shell\open\command

is set to

C:\recycled\sirc32.exe "%1" %*"

This enables the worm to execute itself any time that an .exe file is run.

6. The worm is network aware, and it will enumerate the network resources to infect shared systems. If any are found, it will do the following:
Attempt to copy itself to <Computer>\Recycled\Sirc32.exe
Add the line "@win \recycled\sirc32.exe" to the file <Computer>\Autoexec.bat
Copy <Computer>\Windows\Rundll32.exe to <Computer>\Windows\Run32.exe
Replace <Computer>\Windows\rundll32.exe with C:\Recycled\Sirc32.exe

7. There is a 1 in 33 chance that the following actions will occur:
The worm copies itself from C:\Recycled\Sirc32.exe to %Windows%\Scmx32.exe
The worm copies itself as "Microsoft Internet Office.exe" to the folder referred to by the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

8. There is a 1 in 20 chance that on October 16th of any year, the worm will recursively delete all files and folders on the C drive.
This payload functions only on computers which use the date format D/M/Y (as opposed to M/D/Y or similar formats).

Additionally, the payload will always activate immediately, regardless of date and date format, if the file attached to the worm contains the sequence "FA2" without the letters "sc" following immediately.

9. If this payload activates, the file C:\Recycled\Sircam.sys is created and filled with text until there is no remaining disk space. The text is one of two strings:
[SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
or
[SirCam Version 1.0 Copyright © 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

10. The worm contains its own SMTP engine which is used for the email routine. It obtains email addresses through two different methods:

It searches the folders that are referred to by the registry keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

for sho*., get*., hot*., *.htm files, and copies email addresses from there into the file %system%\sc?1.dll

where ? is a different letter for each location, as follows:

scy1.dll: addresses from %cache%\sho*., hot*., get*.
sch1.dll: addresses from %personal%\sho*., hot*., get*.
sci1.dll: addresses from %cache%\*.htm
sct1.dll: addresses from %personal%\*.htm

It searches %system% and all subfolders for *.wab (all Windows Address Books) and copies addresses from there into %system%\scw1.dll.

11. It searches the folders referred to by the registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

for files of type .doc, .xls, and .zip, and stores the filenames in %system%\scd.dll. One of these files will be appended to the worm's original executable and this new file will be sent as the email attachment.

The From: email address and mail server are taken from the registry. If no email account exists, then the current user name will be prepended to "prodigy.net.mx", eg if the current user logged on as JSmith, then the address will be "jsmith@prodigy.net.mx". Then the worm will attempt to connect to a mail server. This will be either the mail server taken from the registry, or one of

prodigy.net.mx
goeke.net
enlace.net
dobleclick.com.mx

The language used for the mail depends on the language used by the sender. If the sender uses Spanish, then the mail will be in Spanish, otherwise it will be in English. The attachment is chosen randomly from the list of files in the scd.dll.


The force will betray you to me.
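The write-up above gives a mail gateway and a host scanner enough fixed traits to flag SirCam without a signature: the greeting and closing lines, the stolen document name with a .bat/.com/.lnk/.pif extension appended, the subject that repeats the attachment name, the 134 KB minimum size, and the registry values and dropped files from steps 3 to 5. The following is an added example that turns those traits into checks; it is not Symantec's removal tool and not code from the forum. The `Message` class, the dictionary standing in for a registry walk, and all sample data are constructed for this example.

```python
"""Detection heuristics for the SirCam traits described in the write-up.
Constructed example: the Message class, the registry/file stand-ins and
the samples are assumptions, not Symantec's tool or the forum's code."""
from dataclasses import dataclass

# Lines the write-up says always open and close the message body.
FIRST_LINES = {"hola como estas ?", "hi! how are you?"}
LAST_LINES = {"nos vemos pronto, gracias.", "see you later. thanks"}
# Extensions the worm appends to the stolen document (e.g. report.doc.pif).
APPENDED_EXTS = (".bat", ".com", ".lnk", ".pif")
MIN_ATTACHMENT_BYTES = 134 * 1024


@dataclass
class Message:
    subject: str
    body: str
    attachment_name: str
    attachment_size: int


def sircam_mail_indicators(msg: Message) -> list:
    """Return the names of the SirCam traits a message exhibits."""
    hits = []
    lines = [ln.strip() for ln in msg.body.splitlines() if ln.strip()]
    if lines and lines[0].lower() in FIRST_LINES:
        hits.append("greeting line")
    if lines and lines[-1].lower() in LAST_LINES:
        hits.append("closing line")
    name = msg.attachment_name.lower()
    inner = name
    if name.endswith(APPENDED_EXTS):
        inner = name[:-4]            # strip the extension the worm appended
        if "." in inner:             # report.doc.pif -> report.doc
            hits.append("double extension")
    # The subject repeats the document name, with or without its extension.
    stems = {inner, inner.rsplit(".", 1)[0]}
    if msg.subject.strip().lower() in stems:
        hits.append("subject equals attachment name")
    if msg.attachment_size >= MIN_ATTACHMENT_BYTES:
        hits.append("attachment size >= 134 KB")
    return hits


def is_sircam_like(msg: Message, threshold: int = 3) -> bool:
    """A greeting alone is no evidence; require several traits together."""
    return len(sircam_mail_indicators(msg)) >= threshold


# Host-side indicators from steps 3-5 of the write-up. `registry` maps full
# value paths to data and `files` is a set of paths; both stand in for a real
# registry and filesystem walk (an assumption of this example).
SIRCAM_KEY = r"hkey_local_machine\software\sircam"
RUNSERVICES_DRIVER32 = (r"hkey_local_machine\software\microsoft\windows"
                        r"\currentversion\runservices\driver32")
# Per the write-up's caution: deleting sirc32.exe while this value still
# points at it leaves every .exe unable to launch, so restore it first.
EXEFILE_COMMAND = r"hkey_classes_root\exefile\shell\open\command\(default)"
DROPPED_FILES = (r"c:\recycled\sirc32.exe", r"c:\windows\system\scam32.exe")


def sircam_host_indicators(registry: dict, files: set) -> list:
    """Return the SirCam registry/file traits found on a host snapshot."""
    reg = {k.lower(): str(v) for k, v in registry.items()}
    present = {f.lower() for f in files}
    hits = []
    if any(k == SIRCAM_KEY or k.startswith(SIRCAM_KEY + "\\") for k in reg):
        hits.append("HKLM\\Software\\SirCam present")
    if reg.get(RUNSERVICES_DRIVER32, "").lower().endswith("scam32.exe"):
        hits.append("RunServices Driver32 -> scam32.exe")
    if "sirc32.exe" in reg.get(EXEFILE_COMMAND, "").lower():
        hits.append("exefile open handler hijacked")
    hits.extend("dropped file " + p for p in DROPPED_FILES if p in present)
    return hits


# Constructed samples: one message shaped like the write-up, one benign one.
SAMPLE_WORM = Message(
    subject="Quarterly Report",
    body="Hi! How are you?\n\nI send you this file in order to have your advice"
         "\n\nSee you later. Thanks\n",
    attachment_name="Quarterly Report.doc.pif",
    attachment_size=150 * 1024,
)
SAMPLE_BENIGN = Message(
    subject="Lunch",
    body="Hi! How are you?\nLunch at noon?\nCheers,\nSam",
    attachment_name="menu.pdf",
    attachment_size=20_000,
)
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Software\SirCam\FC0": 12,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
    r"\RunServices\Driver32": r"C:\WINDOWS\SYSTEM\scam32.exe",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)":
        r'C:\recycled\sirc32.exe "%1" %*',
}
SAMPLE_FILES = {r"C:\Recycled\Sirc32.exe", r"C:\Windows\System\Scam32.exe",
                r"C:\Windows\notepad.exe"}

if __name__ == "__main__":
    print("worm mail:", sircam_mail_indicators(SAMPLE_WORM))
    print("benign mail:", sircam_mail_indicators(SAMPLE_BENIGN))
    print("host:", sircam_host_indicators(SAMPLE_REGISTRY, SAMPLE_FILES))
```

The threshold in `is_sircam_like` matters: the greeting line alone matches ordinary mail, so a gateway should only quarantine when the fixed lines, the double extension and the repeated subject coincide. On the host side the `exefile` handler check is the one to act on first, since the write-up notes that removing the dropped executable before restoring that value breaks every .exe launch.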
Old 08-03-2001, 10:25 PM   #10
Letalis
 
 
Join Date: Jun 2001
Location: Melbourne, Australia
Posts: 453

Geepers! There's a fair bit there, but thanks RAVE, twas helpful...

Matt, I didn't notice anything as far as a slow down was concerned. But my friend who was with a different ISP was dramatically slowed and he's utilising a cable service. The ISP claimed it was their connection to overseas. But once again I was fine...


-Letalis

the Corner <--Under Construction

--There's not one shred of evidence that supports the notion that life is meant to be serious...