
ALERT -- New IIS worm!

Status
Not open for further replies.

rycamor

Programmer
Jun 3, 1999
1,426
US
Check out
Apparently this one is worse than Code Red. My Apache box has already had over 1000 attempts since this morning, and this is just my DSL firewall at home.

It infects IIS servers, and then does two things:
1) sends GET requests to infect other machines in the IP block
2) attaches a "readme.eml" file to every document server, which usually gets automatically executed by IE5+, thereby writing some changes to the registry, and emailing some registry information elsewhere.

DON'T browse with IE right now. Get Netscape, Mozilla, or Opera, please.
 
Yep, it looks like this is going to be a bad one. ISPs all over town are shutting down webservers and installing heavy-duty firewalls. These webservers have to be shut down until the firewall is in place, because some of them are getting attacks generating thousands of lines a minute in their logs.

So, even if you are not directly vulnerable, the virus simply mounts the biggest DoS attack yet seen on the Net.

Ironically, if you look at the link above for the internet traffic report, at the moment it shows 100% packet loss for ALL major routers. I don't think that is actually the case; this is obviously because they themselves have been blanketed by these IIS worm requests.

I've been lucky so far, only receiving 8300 requests since yesterday morning, but remember, this is for a private DSL connection. The public hosting services with Class B subnets are just getting killed.
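
Added example, not part of the original posts: one way to measure the request flood described above from a web server's access log, counting probes per minute and picking out the sources that sit in the server's own IP block. The thread does not give the worm's request strings, so the cmd.exe/root.exe pattern, the common log format, the function name summarize() and every address and timestamp in the sample are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in Apache common log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.23 - - [01/Jan/2001:09:14:02 +0000] "GET /scripts/root.exe HTTP/1.0" 404 276
198.51.100.23 - - [01/Jan/2001:09:14:02 +0000] "GET /MSADC/root.exe HTTP/1.0" 404 274
198.51.100.77 - - [01/Jan/2001:09:14:40 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 275
203.0.113.9 - - [01/Jan/2001:09:15:05 +0000] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 284
203.0.113.50 - - [01/Jan/2001:09:15:10 +0000] "GET /index.html HTTP/1.0" 200 1043
"""

# source, timestamp, method, path, status
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Assumption: GETs for Windows executables mark IIS probes; an Apache
# box on Unix has no reason to serve these paths.
PROBE = re.compile(r'(cmd|root)\.exe', re.IGNORECASE)


def summarize(log_text, local_block):
    """Count IIS-style probes per minute and per source address."""
    per_minute = Counter()
    sources = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, stamp, method, path = m.group(1, 2, 3, 4)
        if method != "GET" or not PROBE.search(path):
            continue
        per_minute[stamp[:17]] += 1  # truncate to dd/Mon/yyyy:hh:mm
        sources[src] += 1
    net = ip_network(local_block)
    # Infected hosts in the server's own block are the ones to report first.
    same_block = sorted(s for s in sources if ip_address(s) in net)
    return {
        "probes": sum(sources.values()),
        "per_minute": dict(per_minute),
        "sources": dict(sources),
        "same_block": same_block,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "198.51.100.0/24"))
```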
 