New (More) Annoying Microsoft Worm Hits Net

A new worm seems to be running rampant Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am) I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J : It now has a name: "Nimda." More info here, here, and here.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../ ..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!

Is this just the old Unicode exploit?

[MeowMeow Jones]

Or is it something new?

Looks like an exploit that's been around for a while (way before CR)

Worm roll-up?

[dave-fu]

I see it looking for the exploit Code Red used, trying out MSADC and a directory traversal exploit.
My money's on the Code Red worm being retrofit yet again to try and execute a few more tired old exploits. Which is to say hopefully Hotmail and Windows Update won't get rooted again.
Haven't heard anything about it on Bugtraq yet; haven't checked Incidents (securityfocus.com isn't chugging along so speedily).
It'll be interesting to see how many boxes this roots out in the light of increased press coverage of Code Red and MS's spate of security-minded tools out there. Or: how good do people feel about that leaky dam now that they've stuck their thumb in the hole labelled "Code Red"?

Re:Bleah...my firewall logs all of this...

[Anonymous Coward]

Be glad they are sitting on their hands. In my area, their way of dealing with Code Red was to disable ALL port 80 requests -- which is really a dumb way to handle it.

Re:Outlook Express 6.0 can prevent spread

[Dog and Pony]

Yeah. If you turn that on, it will warn you that .txt files or .gif files are potentially viral, while letting through .doc and other formats that are "known" (lmao) to be safe - or rather, MS formats.

Actually, it is such a stupid check, it almost makes things worse instead.

Info FromRuss at BugTraq

[Anonymous Coward]

-----BEGIN PGP SIGNED MESSAGE-----

There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These "infected" machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS.

It appears that the attacks can come both from email and from the network.

A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of "audio/x-wav" together with some html parts. There appears to be no text in this message when it is displayed by Outlook when in Auto-Preview mode (always a good indication there's something not quite right with an email.)

The network attacks against IIS boxes are a wide variety of attacks. Amongst them appear to be several attacks that assume the machine is compromised by Code Red II (looking for ROOT.EXE in the /scripts and /msadc directory, as well as an attempt to use the /c and /d virtual roots to get to CMD.EXE). Further, it attempts to exploit numerous other known IIS vulnerabilities.

One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box.

Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the /scripts directory), please forward me a copy of that .dll ASAP.

Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the following;

edit %systemroot/system32/drivers/etc/services.

change the line;

tftp 69/udp

to;

tftp 0/udp

thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows File Protection so can't be removed.

More information as it arises.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVMM DU ChVqn6yReQXqEH
Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVYJ Uu pDHB1Yy1DY/po6
iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQja mK I2eqd4TdE0yfIO
hSW7yN2lhJc=
=YAwc
-----END PGP SIGNATURE-----

Damn it!

[Reality Master 101]

Just when I was hoping my cable company would unblock my HTTP port (which they said was "temporary"). Unfortunately, this will give them more fuel to make it permanent.

The HTTP port doesn't bug me as much as they have also blocked my mail port.

Question for sendmail experts out there, related to this: I'm currently using another system to tunnel my mail to my box on my cable modem. It works great, but a side effect is that it looks like all mail is coming from "localhost", which defeats the anti-Spam measures. Of course, it didn't take long for the cockroaches to find my mail server and use it for relaying. I've been fighting it by blocking specific subnets, but it's an annoying battle. Any suggestions?

much worse for me than CodeRed

[mikeraz]

At the height of code red I was getting ~60 hits a day. This beast has hit my system over 3000 times today.

Yow.

Coordinated DDOS?

[dschuetz]

If we really are seeing a marked increase in worm traffic (and it's not just everyone suddenly noticing, now that others have brought it up -- just being cautious, eh?), then could it be possible that this might be part of, or a prelude to, a DDOS attack?

The NIPC issued the following advisory: Potential Distributed Denial of Service (DDoS) Attacks [nipc.gov] on Monday, talking about reports of people preparing for DDOS attacks on computer and commerce infrastructures. In particular: On September 12, 2001, a group of hackers named the Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. The Dispatchers stated they were targeting the communications and finance infrastructures. They also predicted that they would be prepared for increased operations on or about Tuesday, September 18, 2001.

Of course, this could just be an ill-timed release of yet another worm (like there're "well-timed" releases?). I just thought that this was particularly spooky, reading this alert after seeing this worm story...

Re:Bleah...my firewall logs all of this...

[Dimensio]

Unfortunately for me, IE6 decided to automatically open readme.eml.

There was probably a setting to disable such, but IE didn't install with that set to default, so most people are going to get hit.

Interesting Strings in readme.eml

[Ex Machina]

smtp strings
mime stuff
mapi stuff
winzip
http stuff
richtext dll stuff
hidden shares stuff
webserver sploits
net use stuff
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

internet traffic report

[abaptist]

If you want to see how bad this has become, look at the current internet traffic report [internettr...report.com]. Internet traffic appears to have come to a halt. It can't really be as bad as it looks there (since I can still get through :), but this corresponds to the time I started seeing the attack in my server logs.

Re:Why do stacks grow downwards?

[strags]

Sadly, I don't think it would help. I thought about this for a moment, and came up with the following... someone please feel free to correct me if I'm mistaken.

Most buffer overflows are due to code such as:

void BadFunction(void)
{
char badBuf[100];
strcpy(badBuf,longString);
...

So, your stack looks like:

--> increasing memory address
[badBuf 100 bytes][ebp][return addr]

Standard overflow attacks involve scribbling on the return addr.

Now, let's suppose your stack goes the other way... once the code enters the strcpy function, we'll have:

--> increasing memory address
[return addr][ebp][badBuf][retaddr#2][ebp#2]...

Where retaddr#2 and ebp#2 are the return address from strcpy back into BadFunction, and the corresponding stack frame ptr respectively.

Notice that we can now overflow badBuf to scribble on retaddr#2. Thus, when strcpy returns, we can still jump to arbitrary locations. Slightly different approach, same effect.

Again - this *seems* like it would work, but if anyone can see a flaw, please correct me.

Re:Is this just the old Unicode exploit?

[anacron]

It's more terrorist activity. Check this out:

http://www.nipc.gov/warnings/advisories/2001/01- 02 1.htm

So what will ISP's do?

[Mr_Silver]

The ISP's are in an interesting situation. As far as I can see it, they have several options for now and the future:

1. Turn off any infected machine
2. Prevent port 80 access for everyone
3. Ignore it

1 is possible but it going to be a fair bit of work, 2 is going to peeve off a number of people but will solve the problem and 3 will just allow their whole network to grind to a halt.

Don't know about everyone else but if this keeps up (with this virus and the 100 just around the door) we won't see many ISP's allowing web servers to run at all, ever.

(As a subnote, my bosses cable modem company, NTL, specifically forbid running a server on your own machines - although, as yet, they don't activily police it)

Hackback?

[Baloo Ursidae]

If anybody knows what URL executes commands on the compromised server or a relatively open hackback that can be scripted looking at apache logs, it would be greatly appreciated.

Before someone gets all uppity about the morality of hackbacks, we're talking harmless start default browser and get pointed at a page telling you how to fix it. This was extraordinarllily effective at getting people patched when code red went about: 5000 hits on day 1 to the patch page, 72 on day 2, and it stayed relatively static after that.

Re:unmap your EML file association

[mystik]

we tried this here.

if there is a <script&> tag in the message, ie seems to still execute it. Here is a test eml file.

---8<---
From me@you.org
Subject: test message
From: the devil <devil@evil.org>
To: you <you@yourcomputer.org>
Content-Type: text/html

<body>
<script>
window.open('http://www.microsoft.com');
</script>
This is a test eml file. tell me if you see it as plain text.
</body>
---8<---

Re:Info FromRuss at BugTraq

[vslashg]

Or if you REALLY want to piss Win2k off, delete tftp.exe and then immediately make a directory called tftp.exe in its place. It will try to overwrite it but won't be able to. Kind of amusing, anyway.

Re:Yep - I'm being hit too.

[Anonymous Coward]

IE 6.0 also seems to be vulnerable.

Got a copy of readme.eml from an infected box

[Scoria]

It's sitting at http://www.initialized.org/virus/readme.eml if anyone wants to take a peak at it...

*DO NOT OPEN IT IN INTERNET EXPLORER.*

code red and now this and @Home does nothing

[ekephart]

at least on the @Home network Code Red is still alive and well check out this log file [24.0.101.19]. it's not auto-updated i just catted it at about 5pm central time on 9-18-01... yup thats right mostly TODAY i've managed to rack up a 5599 line file.

Someone was testing this out way before September

[TrentC]

I was digging thru my logs when I found this entry (note the date)...

207.##.###.# - - [02/Apr/2001:03:15:00 -0700] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af. .%c0%af..%c0%af..%c0%af/winnt/system32/
cmd.exe?/c%20dir HTTP/1.0" 404 329

So it looks like someone was giving this one a dry run several months ago...

Jay (=