Targets of Allaple DoS-worm released

Information about the target Web sites of the polymorphic worm Allaple has been released. The Finnish CERT-FI unit has posted the information to the Bleeding Edge Threats wiki database.

According to the report the targets are

www.starman.ee,
www.if.ee and
www.online.if.ee.

Note: The report is not fully visible when browsing with Safari. Firefox on XP and Mac displays it correctly.

AS Starman is a Tallinn-based cable-TV operator and ISP. If P&C Insurance Company is a subsidiary of the Finnish Sampo Group.
Reportedly the worm has no Command and Control channel at all, i.e. even if the author of the worm wanted to disable it, he or she could not. The only solution is to patch the affected machines with MS04-012, or to format these workstations.

The first reports of the worm are from July 2006. This DoS attack is not a minor issue.
If you see this worm in your organization, there are some typical characteristics:

* ICMP packets with the mystery string ‘Babcdefghijklmnopqrstuvwabcdefghi’
* HTTP GET requests to www.if.ee
* TCP SYN packets to www.if.ee (port 97)
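The three characteristics above are enough to spot infected workstations from network logs so they can be patched. The following script is an added example written for this post, not code from CERT-FI or the Bleeding Edge Threats wiki: it reads a constructed, pipe-separated flow log (the format and the sample records are made up for the example) and reports which internal source addresses triggered which indicators. It also checks the two other target hosts named in the report, not just www.if.ee.

```python
"""Flag hosts showing Allaple-style traffic in a simple flow log.

Added example (not from the original post or CERT-FI). The log format is
constructed for this example: one record per line, fields separated by '|':
    src_ip|proto|dst_host|dst_port|payload_or_request
"""
from collections import defaultdict

# Indicators taken from the post above.
ICMP_MARKER = "Babcdefghijklmnopqrstuvwabcdefghi"
# The report names www.if.ee for HTTP/SYN traffic; the other two target
# sites from the same report are included here as well (assumption).
TARGET_HOSTS = {"www.if.ee", "www.online.if.ee", "www.starman.ee"}
SYN_PORT = 97

# Constructed sample records (not real traffic).
SAMPLE_LOG = """\
10.0.0.5|ICMP|www.if.ee|0|Babcdefghijklmnopqrstuvwabcdefghi
10.0.0.5|TCP-SYN|www.if.ee|97|
10.0.0.5|HTTP|www.if.ee|80|GET / HTTP/1.1
10.0.0.7|ICMP|8.8.8.8|0|abcdefghijklmnopqrstuvwabcdefghi
10.0.0.9|TCP-SYN|www.if.ee|80|
10.0.0.9|HTTP|www.example.com|80|GET /index.html HTTP/1.1
"""


def classify(record):
    """Return the name of the indicator a record matches, or None."""
    src, proto, dst, dport, payload = record.rstrip("\n").split("|", 4)
    if proto == "ICMP" and ICMP_MARKER in payload:
        # Ordinary Windows pings carry the same alphabet without the
        # leading 'B', so the full marker is required to avoid flagging them.
        return "icmp_marker"
    if proto == "TCP-SYN" and dst in TARGET_HOSTS and int(dport) == SYN_PORT:
        return "syn_port_97"
    if proto == "HTTP" and dst in TARGET_HOSTS and payload.startswith("GET "):
        return "http_get_target"
    return None


def suspect_hosts(log_text):
    """Map each source IP to the set of indicators it triggered."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src = line.split("|", 1)[0]
        tag = classify(line)
        if tag:
            hits[src].add(tag)
    return dict(hits)


def likely_infected(hits, min_indicators=2):
    """Hosts matching at least min_indicators distinct indicators.

    A single HTTP GET to an insurance site can be a legitimate user, so
    requiring more than one indicator keeps the list actionable.
    """
    return sorted(src for src, tags in hits.items() if len(tags) >= min_indicators)


if __name__ == "__main__":
    found = suspect_hosts(SAMPLE_LOG)
    for src in likely_infected(found):
        print(src, sorted(found[src]))
```

Run against the sample log, only 10.0.0.5 is reported: 10.0.0.7 sends a normal ping payload and 10.0.0.9 contacts www.if.ee on port 80, which on its own is not one of the listed characteristics.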

This worm has several names – aka W32/Allaple-B, Rahack.W and Rahack.BB.
