Web Hosting Talk

View Full Version : i'm pretty sure its attack. how to defend?


niekas
10-13-2001, 06:48 AM
In my log file, in a matter of hours, I can see tens of thousands of lines like:
137.159.128.245 - - [13/Oct/2001:02:12:52 -0400] "GET /?did=150&ver=1.51&duid=nxccfwekqqgtnsuinfdlitvyldaal HTTP/1.1" 200 16106 "-" "-"
137.159.128.245 - - [13/Oct/2001:02:16:52 -0400] "GET /?did=150&ver=1.51&duid=nxccfwekqqgtnsuinfdlitvyldaal HTTP/1.1" 200 16106 "-" "-"
137.159.128.245 - - [13/Oct/2001:02:20:52 -0400] "GET /?did=150&ver=1.51&duid=nxccfwekqqgtnsuinfdlitvyldaal HTTP/1.1" 200 13578 "-" "-"
137.159.128.245 - - [13/Oct/2001:02:24:55 -0400] "GET /?did=150&ver=1.51&duid=nxccfwekqqgtnsuinfdlitvyldaal HTTP/1.1" 200 13578 "-" "-"
137.159.128.245 - - [13/Oct/2001:02:28:52 -0400] "GET /?did=150&ver=1.51&duid=nxccfwekqqgtnsuinfdlitvyldaal HTTP/1.1" 200 0 "-" "-"

and similar. Almost all of them have did= (different versions), ver= (different values), duid= (seems random).
Multiple IP addresses in universities, Europe, etc.
Can anyone give me any insight about this?

Lmax
10-13-2001, 07:09 AM
You can't do anything about it. Just accept it and hope it won't consume your whole bandwidth.

niekas
10-13-2001, 07:19 AM
Hmm, can you provide anything constructive? Do you have any experience with it? Why do you think nothing can be done?
Otherwise, what's the reason for posting?
It does consume a substantial amount of bandwidth.
There is very little information about this worm on the net.
The little information I found was on newsgroups:
microsoft.public.inetserver.iis (http://groups.google.com/groups?hl=en&threadm=miMj7.152%24p05.120375%40paloalto-snr1.gtei.net&rnum=2&prev=/groups%3Fq%3Ddid%2Bver%2Bduid%2Bworm%26hl%3Den%26rnum%3D2%26selm%3DmiMj7.152%2524p05.120375%2540paloalto-snr1.gtei.net)

MattF
10-13-2001, 07:30 AM
Little can be done about it because hundreds of computers across the globe are attacking your PC. You can't ban certain IP addresses because there are too many and new ones are attacking your machine every minute. You can't block the port (i.e. port 80) because that is your web server port and any disruption to that service will result in your websites being down. All you can do is secure your box (i.e. make sure there are no holes to exploit by upgrading to the latest software).

The attacking PCs will all be infected with a trojan horse, which reports its IP to the hacker via IRC or e-mail or a custom server/client and then listens on a certain port for commands. The hacker just issues one command like 'attack yourwebhost.com' to all the infected PCs and you have a Denial of Service attack on your hands.

Lmax
10-13-2001, 08:01 AM
Originally posted by MattF:
Little can be done about it because hundreds of computers across the globe are attacking your PC. You can't ban certain IP addresses because there are too many and new ones are attacking your machine every minute. You can't block the port (i.e. port 80) because that is your web server port and any disruption to that service will result in your websites being down. All you can do is secure your box (i.e. make sure there are no holes to exploit by upgrading to the latest software).

The attacking PCs will all be infected with a trojan horse, which reports its IP to the hacker via IRC or e-mail or a custom server/client and then listens on a certain port for commands. The hacker just issues one command like 'attack yourwebhost.com' to all the infected PCs and you have a Denial of Service attack on your hands.

I totally agree with this. My apologies, I wasn't constructive enough.
It's just like the SirCam viruses and the Code Red worm. There is nothing to do about it except warning the other end that they have been infected. But this would take a day job to do.

niekas
10-13-2001, 08:41 AM
OK, my temporary solution to this was to add the following code at the very top of my index page:
<? if ($did || $ver || $duid) exit; ?>
At least the page won't be served and bandwidth will be preserved.
The worm seems to target only your domain index page and always requests it with the above variables present.
I'm still looking into this...

niekas
10-13-2001, 09:07 AM
After closer examination of the log files I noticed that there are lots of requests without did, duid or ver, but the user's operating system and browser info is still missing, so I decided to change it to:
if ($did || $ver || $duid || !isset($HTTP_USER_AGENT)) exit;

I'm not sure how it will affect search engines, but I think they identify themselves, right?
Hmm,
can users browse in stealth mode without releasing information? How about proxies and anonymizers?
I'm going to read on about this...
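
The following is an added example, not code from this thread or from any of the posters. It parses Apache combined-format log lines, applies the same two tests niekas's PHP guard uses (any of did/ver/duid in the query string, or no User-Agent), and reports per-IP counts, bytes that would not have been served, and the interval between hits from each address. The log lines inside it are constructed, modelled on the ones quoted in the first post, and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are documentation ranges, not real sources. The User-Agent rule is opt-in in the example because clients behind some proxies legitimately send none, which is exactly the false-positive question raised above.

```python
"""Triage Apache combined-format log lines for the did/ver/duid request pattern."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample log, modelled on the lines quoted in the thread (not real traffic).
SAMPLE_LOG = """\
137.159.128.245 - - [13/Oct/2001:02:12:52 -0400] "GET /?did=150&ver=1.51&duid=nxccfwekqqgtnsuinfdlitvyldaal HTTP/1.1" 200 16106 "-" "-"
137.159.128.245 - - [13/Oct/2001:02:16:52 -0400] "GET /?did=150&ver=1.51&duid=nxccfwekqqgtnsuinfdlitvyldaal HTTP/1.1" 200 16106 "-" "-"
192.0.2.77 - - [13/Oct/2001:02:17:10 -0400] "GET /?did=203&ver=1.60&duid=qwertyzxcvbnasdfghjk HTTP/1.1" 200 13578 "-" "-"
198.51.100.9 - - [13/Oct/2001:02:18:01 -0400] "GET / HTTP/1.1" 200 16106 "-" "-"
203.0.113.5 - - [13/Oct/2001:02:19:30 -0400] "GET /index.html HTTP/1.0" 200 16106 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
203.0.113.6 - - [13/Oct/2001:02:20:02 -0400] "GET /?page=2 HTTP/1.0" 200 9000 "http://example.com/" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

WORM_PARAMS = {"did", "ver", "duid"}  # query keys the thread identifies as the signature


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["query"] = parse_qs(urlsplit(rec["path"]).query)
    return rec


def parse_log(text):
    """Parse all lines, silently skipping any that do not match the format."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_worm_request(rec):
    """Same test as the PHP guard in the thread: any of did/ver/duid in the query."""
    return bool(WORM_PARAMS & rec["query"].keys())


def lacks_user_agent(rec):
    """True when the client sent no User-Agent (Apache logs it as "-")."""
    return rec["ua"] in ("", "-")


def should_block(rec, require_user_agent=False):
    """Decision the index-page guard makes. The UA rule is opt-in because
    legitimate clients behind some proxies also send no User-Agent."""
    return is_worm_request(rec) or (require_user_agent and lacks_user_agent(rec))


def summarize(text, require_user_agent=False):
    """Count what the guard would refuse, per IP, and the bytes not served."""
    recs = parse_log(text)
    per_ip = Counter()
    bytes_saved = 0
    for r in recs:
        if should_block(r, require_user_agent):
            per_ip[r["ip"]] += 1
            bytes_saved += r["size"]
    return {"total": len(recs), "blocked": sum(per_ip.values()),
            "per_ip": dict(per_ip), "bytes_saved": bytes_saved}


def intervals_by_ip(recs):
    """Seconds between consecutive hits from each IP. A fixed cadence (the
    thread's sample repeats every ~4 minutes) is a useful rate-limit signal."""
    times = defaultdict(list)
    for r in recs:
        times[r["ip"]].append(r["time"])
    return {ip: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for ip, ts in ((ip, sorted(ts)) for ip, ts in times.items())}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(summarize(SAMPLE_LOG, require_user_agent=True))
    print(intervals_by_ip(parse_log(SAMPLE_LOG)))
```

Run against the constructed sample, the did/ver/duid test alone refuses three of six requests; adding the User-Agent rule also refuses the plain "GET /" with no agent string, while the browser and the self-identifying crawler pass both rules.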

Ericwenlong
10-13-2001, 10:19 AM
If you want to protect your amount of bandwidth, just unhook the server from the network.

niekas
10-13-2001, 10:30 AM
You think I'm kidding around about saving bandwidth?
Bandwidth jumped from 20 GB/mo to 70 GB/mo while on the old server, without any increase in pageviews or visitors. After I moved to the new server, Nimda and Code Red attacks are prevented by the router. But nobody knows about this enigma worm.

If you find any information about this worm, please post it here.

CagedTornado
10-17-2001, 12:25 AM
Wow. You guys might want to check out http://www.snort.org and take a look at Guardian.pl. With a little tweaking, you can prevent multiple attacks from the same box (at least on Linux).

Dan