New (More) Annoying Microsoft Worm Hits Net

A new worm seems to be running rampant Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am) I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J : It now has a name: "Nimda." More info here, here, and here.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../ ..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!

Re:The old Code Red Patches don't work?

[Dimensio]

The new patches may well stop this one. No one implements the patches, which is why Code Red 2 packets are still flying all over every subnet on @Home.

Microsoft may be partly to blame, but it's not for being irresponsible in patching these issues; it's for allowing idiots who don't know how to properly administrate and who will never do security checks to easily run MS servers -- often without realising that the server exists.

'Fuck USA' is sadmind

[Gambit Thirty-Two]

The 'Fuck PoisonBox' you're getting is due to the Sadmind virus.

More at:
http://www.symantec.com/avcenter/venc/data/backdoo r.sadmind.html [symantec.com]

Re:how do I get rid of it?

[Hanno]

No, problem not fixed.

I work on a dual boot machine. I use Windows when I need it for a particular task and I use Linux when I need that for another particular task.

Thank you for demonstrating useless advocacy without being helpful whatsoever.

Re:Corporate ought to be securing the box better..

[Svartalf]

I'm not Windows bashing- I'm pointing out something that is a real problem.

1) Linux/UNIX is not invulnerable, but it's been years since the Morris Worm. We're seeing a spate of this sort of stuff under NT- why? Is it because of sloppy admin work, lack of overall security in the design of Windows, or both?

2) If you can't apply security patches because it'll break your machine, then maybe there IS a problem with the OS.

Re:Time for a class action lawsuit against Microso

[weez75]

Not only has this a result of negligence but also a result of false claims that their products are just as secure as Unix, just a robust as Unix, and just as fast as Unix. They've mislead consumers regarding by funding biased comparisons, flawed white papers, and paid-customer endorsements. I believe this is nothing short of fraud.

Re:How to stop Internet Explorer executing said wa

[platypus]

NO! Here's what wget showed me for one host:

[message/rfc822]

So this thing is really evil:

1. it uses many forms of attack
2. it attacks server _and_ clients
3. it propagates by tftping the load from altering hosts (probably from the host which
did the attack before)
4. it alters the content type for the client infection via http+IE

Comment removed

[account_deleted]

Comment removed based on user account deletion

It's morons, not Microsoft that're responsible

[Jayde Stargunner]

Sorry, but I use IIS a lot. I'm an ASP developer, and we have tons of IIS boxes.

Were we hit by Code Red? Nope. Code Red II? Nope. This? Nope. ANY worm? Not a chance.

All these worms exploit SERIOUSLY OLD holes in IIS, of which patches have been release over 3-5 MONTHS ago. All of these pacthes are available via Windows Update, and show up with a "Critical Updates Notification" on the taskbar.

Anyone who runs ANY server but is 5 months behind on security updates is an absolute MORON, and deserves to be hit with a worm. It's easy to blame MS for all their "security holes", but folks...these have been patched for a while now...

-Jayde

you get what you pay for.

[gimpboy]

exactly. alot of the problem here is with the users. they got what they paid for. from my discussions with a friend who works on alot of ms boxes, it seems that iis can be as secure as apache as long as you know what you are doing. people who say "*nix" doesnt have the sort of problems are living on borrowed time.

alot of the boxen that are being infected are doing so because they are running default installs with no patches. if you told me you were running a default redhat install i would laugh my ass off.

my main problems with windows is the security paradigm they use, and how the market ease of use. because of this a normal user can execute programs that infect system files. sort of like browsing the web as root. by marketing their product as "point and click"ish they attract the lowest common denominator in users.

it basically comes down to being an informed user. by the time you get to admining a unix box you are normally already a bit more informed, and you probably arent making the decision because it's _easy_ to use.

Less Stress for Apache Logmasters

[herk]

I'm not entirely sure how well this works, but given that these worms are obviously connecting via the actual numerical ip, it should be possible to filter off logging from any machine connecting via such an ip to a junk log, or maybe even to deny connections altogether. I'm sure this can be tweaked, but preliminary tests indicate that this works:

<VirtualHost 24.222.rest.ofyourip>
ServerName 24.222.rest.ofyour.ip
ErrorLog /var/log/apache/trash-error.log
CustomLog /var/log/apache/trash-access.log combined
</VirtualHost>

Re:Alas, corporate IS still wants Windows

[SysKoll]

My point exactly. Of course, total security is a fallacy, but using a system or a method that is demonstrably risky is plain dumb.

So yes, corporate IS departments keep installing Windows all over the place even in places where they could avoid it because "that's what the market is".

Imagine this discussion:

Landlord: "Hey, you built my home on quicksands!"

Architect: "Quicksands are the market standard. No one uses hard ground these days. Too hard to break."

Landlord: "But it's unsafe! People get the Blue Gas-Bubble of Death every day in these quicksands! Alligators come and snatch you from behind!"

Architect: "Come on, just stand on the moss patches and you'll be fine".

Of course, at the end the landlord shoots the architect, to the acclaim of the whole profession.

So why do we endure these IS "architects"?

-- SysKoll