New (More) Annoying Microsoft Worm Hits Net

A new worm seems to be running rampant Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am) I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J : It now has a name: "Nimda." More info here, here, and here.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../ ..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!

What's the problem?

[niekze]

Why won't someone port these to linux? Microsoft Operating Systems seem to have a monopoly in this field. For now, if you read this in a *nix, just portscan your netmask and a few others and try a few old wu-ftp exploits.

"You have new mail, you open it. Your server begins port scanning every box on the internet. Do the server's mind? Of course not, they have nothing better to do." - New Microsoft Ad?

Re:Wrong name

[garcia]

it originally started in just the 63.174 for me. Now it is hitting me from all over the place. It is really nasty b/c of the number of requests that each machine sends out.

I was surfing some porn sites this morning and they seemed horribly affected (none of the images would load and they were slow as hell).

ugh. Just when you thought it was safe to disable "assholes_log".

Re:Bleah...my firewall logs all of this...

[Tim Doran]

Jeez - I'm ssh'd into my home linux box. Thought I'd check out a few of the infected machines... by pasting the ip's into IE5.5 on my laptop.

Duh! Flipping back and forth between the sites, Slashdot, ssh, answering the phone and guzzling coffee, I didn't notice that IE was crashing, Norton antivirus was triggering... shit.

I'm an idiot. Okay - have I infected my machine? I'm afraid I've been automatically triggering 'readme.eml'. I'm running NT4.0 sp6.

Re:Too Slow

[TwP]

Y'all with them damn Win boxes keeping the Internet flooded with this sort of junk, PLEASE either shut of your machines, or get a real OS... (or at least, apply the damn patch already)

Preaching to the converted ;) Windows lusers don't read /. Oh wait, I'm using Mozzila on Win98 to write this. disappears in a puff of logical inconsistancy

lemme sing you a song...

[raindown]

* to the theme of Joan Jett's "I love rock and roll" *

I LOVE IIS, PUT ANOTHER WORM IN MY SERVER BABY!

Re:Bleah...my firewall logs all of this...

[klpauba]

Might we be able to convince all windows users to turn their firewalls around to protect the internet from their machines?

Re:Bleah...my firewall logs all of this...

[Anonymous Coward]

I'm an idiot.

I'm running NT4.0

Score: -1, Redundant

Ask them for /etc/passwd!!

[krogoth]

That's it! i'm sick of all these worms trying to get cmd.exe when i'm running linux! I'm gonna collect their IPs and flood them with requests for /etc/passwd!!!! If you want to contribute IPs or bandwidth, join the Passwd Flood Network (PFN)!! :)

Re:Outlook Express 6.0 can prevent spread

[DCowern]

Wow... brilliant... I can just imagine Microsoft's response to the IIS vulnerabilities.

From [future edition of] MSDN:

"To secure IIS, do the following:

Go to Tools > Options > Security and check the box labeled 'Do not allow connections to this machine'."

Redirect those to Microsoft

[DV]

Can someone check if the client will follow redirects ? I yes, I suggest to make Redirect
rules to http://www.microsoft.com for /scripts , /c/ and /d/
In itself that should be a good punition.

Daniel

Re:Time for a class action lawsuit against Microso

[Sloppy]

They were negligent when they created software and technologies that are so easily exploited.

No. Users were negligent in purchasing and deploying software that was already known ahead of time, to be defective.

Microsoft's reputation is well established. Ignorance is no excuse.

Re:Yep, we're seeing them here too.

[jsse]

(I Don't Do Windows:-)

but Windows do you. :)

347 Nimda requests recorded in access.log and counting.