relax! :) (Re: Fwd: SYSTEM: [RRE]"code red" worm (fwd))

Kelley Walker kwalker2 at gte.net
Thu Jul 19 20:32:23 PDT 2001


I think your ISP dude is getting pretty carried away!

It's an attack on IIS WinNT and Win2000 SERVERS, not your desktop PC or laptop running Win98, let alone Win NT or Win 2000. It connects to port 80 (HTTP). It's going to help launch an attack on a WEB page, whitehouse.gov. No big deal, really. What people are bummed about is the fact that Microsoft puts out such crud and that, because they do, people can't keep up with the patches and so nothing is patched. It'll likely have the secondary effect of putting people offline at unexpected times, slowing things down, etc.

What's interesting to me is that whoever wrote the code could have made it so that it spread much faster, but they chose not to. The suggestion in the Maiffret post to Bugtraq was that someone was purposely using a not-so-random string of IP addresses to attack with each infection, so that they could sniff traffic as the worm moved along the 'net. This would give the author a list of everyone who got nailed.

So, it's a buffer overflow exploit, iirc. Its target is a WEB PAGE, whitehouse.gov. Also, it will deface the page. No biggie, really. The defacement will say, "Hacked by Chinese!" (probably not; but who knows.)

It does this by using a technique called "hooking". It modifies code--here, w3svc.dll.

(Yes, if you've ever had to muck with Windows, you know about #*!(&% .dll files.)

The code in memory is modified to point to code that the worm generates.

The result: when a surfer goes to whitehouse.gov, the modified .dll will direct you to the "Hacked by Chinese!" defacement.

This will last for 10 hours. "After the 10 hours is up this thread will return w3svc.dll to its original state, including re-protecting memory."

They won't be able to get into anything important, from what I read of the original alert from Marc Maiffret of eEye Digital Security.

What is IIS:

"Short for Internet Information Server, Microsoft's Web server that runs on Windows NT platforms. IIS comes bundled with Windows NT 4.0. Because IIS is tightly integrated with the operating system, it is relatively easy to administer. However, currently IIS is available only for the Windows NT platform."

What's a DLL? http://webopedia.internet.com/TERM/D/DLL.html
What's a web server? http://serverwatch.internet.com/webservers.html

At 11:59 AM 7/20/01 +1000, Joanna Sheldon wrote:
>More on same, including some dramatic language from my ISP geek. The
>political-economic implications of such a worm are interesting.
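An added illustration of the "not so random" target list mentioned in the post above (this is example code written for this archive page, not part of Kelley's message, not from the Maiffret advisory, and not the worm's own generator). It models the one property the post describes: if every infected host seeds its address generator with the same constant, every host walks the same list of victims. The generator is a toy linear congruential generator with arbitrary constants, FIXED_SEED is a made-up value, and the host counts are constructed for the demo. The simulation shows why that choice both slows the spread (many hosts re-hit the same addresses) and lets anyone who knows the seed predict the victims in advance.

```python
"""Toy model of a worm whose every copy scans the same IP sequence.

Example code added to this page; not from the original post and not the
real Code Red generator. Constants and seeds are hypothetical.
"""
import random
from typing import Iterator, List, Set

# Hypothetical static seed baked into every copy of the worm.
FIXED_SEED = 0x1234ABCD


def target_stream(seed: int) -> Iterator[str]:
    """Yield dotted-quad IPv4 addresses from a 32-bit LCG.

    The LCG constants (a=1664525, c=1013904223, m=2**32) are the common
    Numerical Recipes values; they give a full-period generator, so a run of
    fewer than 2**32 outputs never repeats a state.  This is a stand-in for
    whatever the worm actually used, chosen only to model "same seed, same
    sequence".
    """
    x = seed & 0xFFFFFFFF
    while True:
        x = (1664525 * x + 1013904223) & 0xFFFFFFFF
        yield ".".join(str((x >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def scan_list(seed: int, probes: int) -> List[str]:
    """The first `probes` addresses one infected host will attack."""
    stream = target_stream(seed)
    return [next(stream) for _ in range(probes)]


def distinct_targets(seeds: List[int], probes_per_host: int) -> int:
    """How many different addresses a population of hosts reaches in total."""
    seen: Set[str] = set()
    for seed in seeds:
        seen.update(scan_list(seed, probes_per_host))
    return len(seen)


def simulate(hosts: int, probes_per_host: int, static_seed: bool) -> int:
    """Distinct addresses hit by `hosts` infections, each sending
    `probes_per_host` probes.

    static_seed=True  -> every host uses FIXED_SEED (the post's scenario).
    static_seed=False -> every host seeds itself independently.
    """
    if static_seed:
        seeds = [FIXED_SEED] * hosts
    else:
        rng = random.Random(42)  # reproducible per-host seeds for the demo only
        seeds = [rng.getrandbits(32) for _ in range(hosts)]
    return distinct_targets(seeds, probes_per_host)


def predicted_victims(probes: int) -> List[str]:
    """Anyone who knows the static seed (the author, or an analyst who pulled
    it out of a captured sample) can list the victims before they are hit."""
    return scan_list(FIXED_SEED, probes)


if __name__ == "__main__":
    hosts, probes = 100, 1000
    print("static seed  :", simulate(hosts, probes, static_seed=True),
          "distinct targets from", hosts * probes, "probes")
    print("per-host seed:", simulate(hosts, probes, static_seed=False),
          "distinct targets from", hosts * probes, "probes")
    print("first victims any copy will hit:", predicted_victims(3))
```

With the static seed, 100 hosts sending 1000 probes each reach only 1000 distinct addresses, the same 1000 on every host, so the population wastes almost all of its probes re-infecting machines that were already hit, and a sniffer placed on the path of those first addresses sees every new infection announce itself. With independent seeds the same population reaches close to 100,000 distinct addresses. That gap is the "could have made it spread much faster" point in the post; the fix on the worm author's side would have been a per-host seed, and the lesson on the defender's side is that a captured sample plus the seed gives you the worm's entire itinerary.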


