For information, from the McAfee website...............
UPDATE July 19, 2001,
AVERT is raising awareness of this worm with a Risk Assessment on this exploit as SPECIAL. We are doing so as our focus is on providing security support to our customers and the computing public at large.
Your environment is at HIGH RISK if:
1) You have Microsoft Index Server 2.0, or Indexing Service installed with Windows 2000 or IIS.
2) You have NOT updated these components with the latest patch from Microsoft available here.
The exploit, a buffer overflow, is used to spread this worm (Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise).
IT EXISTS IN MEMORY ONLY AND NO WRITTEN FILE EVER EXISTS ON THE HARD DISK.
It spreads through TCP/IP transmissions on port 80. By making use of this exploit, the worm is able to send itself as a TCP/IP stream directly to the its victims, which in turn scans the web for other systems to infect. Once infected, this viral code checks for the existence of C
notworm. If the file C
notworm is present the worm stops seeking other machines to infect.
Affected English language web servers have its web pages defaced with:
<html><head><meta http-equiv="Content-Type" content="text/html;
charset=English"><title>HELLO!</title></head><bady><hr size=5>
<font color="red"><p align="center">Welcome to
http://www.worm.com !<br><br>Hacked By Chinese!
</font></hr></bady></html>
Indications Of Infection:
Web pages defaced with the message:
--------------------------------------------------------------------------------
Welcome to
http://www.worm.com !
Hacked By Chinese!