happyhacker · Computer security and hacking with a humorous touch

From: cmeinel@t...
Date: Tue Sep 18, 2001 4:17 pm
Subject: Urgent Warning: War in Cyberspace

Disclaimer: All of this is provisional, so there will undoubtedly be updates on how to fight this menace, and maybe some inaccuracies.

It's war in cyberspace, and this time there is much that you can do to halt it. The main culprit is the Nimda worm, which spreads by email, through web browsers, unprotected NetBIOS shares, and direct attacks of one webserver against another. Here's what you can do to fight it:

Number one: DON'T USE INTERNET EXPLORER. If you browse a web site running Nimda, IE automatically downloads the infection vector, the wav file readme.eml. If you get infected, the worm finds all email addresses in Outlook and your web browser and emails the worm to them all. In any browser, disable JavaScript.

Number two: If you use Windows Active Desktop, turn it off.

Number three: Don't open email attachments unless you know for a fact that it is one you expect. It is too easy for the worm to mutate, so it could in theory be any name.

Number four: Update your antivirus. Norton and McAfee (among many) are working hard to come up with defenses and antidotes, so check often for their upcoming defenses.

Number five: If you run Windows 2000 with Personal Web Server, or Windows anything with IIS, get the patch at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

Number six: Be suspicious of any email from well-known security sites that has attachments or source code. Spoofed email carrying malicious code has been discovered from carolyn@t... and others noted below.

More on defenses:

From: Russ
Subject: Updated mitigators and cleansing of Nimda
To: NTBUGTRAQ@L...

-----BEGIN PGP SIGNED MESSAGE-----

Infection vectors:
-----------------

a) Email as an attachment of MIME audio/x-wav type.

b) By browsing an infected webserver with JavaScript execution enabled and using a version of IE vulnerable to the exploits discussed in MS01-020 (e.g. IE 5.0 or IE 5.01 without SP2).

c) Machine to machine in the form of IIS attacks (primarily attempting to exploit vulnerabilities created by the effects of Code Red II, but also vulnerabilities previously patched by MS00-078).

d) Highlighting either a .eml or .nws in Explorer with Active Desktop enabled (W2K/ME/W98 by default); then THUMBVW.DLL will execute the file and attempt to download the README.EXE referenced in it (depending on your IE version and zone settings).

e) Mapped drives. Any infected machine which has mapped network drives will likely infect all of the files on the mapped drive and its subdirectories.

To prevent yourself from being infected:

a) Ensure all IE versions have applied MS01-027 (or are IE 5.01 SP2 or above).

b) Disable Active Scripting in IE.

c) Ensure all IIS installations have applied MS01-044 (or at the very least MS01-033).

d) Use the CACLS program to modify the permissions on TFTP.EXE to remove all use:

   CACLS %systemroot%\system32\tftp.exe /D Everyone
   CACLS %systemroot%\system32\tftp.exe /D System

   Do the same for CMD.EXE (note, this could be tried with THUMBVW.DLL as well, haven't tried this myself yet).

e) Ensure that TFTP is not permitted out through your network gateway (note that newly infected machines may try and TFTP *internally* from some other infected machine you have on your network).

f) Modify or remove:

   HKEY_CLASSES_ROOT\.eml
   HKEY_CLASSES_ROOT\.nws

Cleansing information:
---------------------

Nimda is viral, so while you can remove various files that it drops, it probably will not be cleaned completely by manual means. This means you will have to use your antivirus vendor's product to completely cleanse.

a) Load.exe dropped as hidden/system file (probably in %systemroot%).

b) Riched20.dll dropped with today's date as hidden/system file.

c) Readme.exe dropped in every directory.

d) Admin.dll dropped in /scripts and/or root directories (not the _vti_bin directories of FrontPage).

e) .eml and .nws files dropped in every directory.

f) Possibly modified your default home page in web dirs.

g) Infected numerous files (if not all files) with the 56kb executable.

h) Reports of people having files lumped together into .eml files.

Check with your AV vendor regularly for updates to the cleansing programs. I would appreciate any reports from AV vendors as to how complete they feel their cleaners currently are. I will do an update later tonight based on responses.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO6fIYRBh2Kw/l7p5AQE/ugQAx8+paBZ9jdt5ikstAU9QNHRYfhdDzQ55
1n03W3lH9vEgl2uFZ1NooASAAC1zsO/yeKJcftvjHWosBdXVNNYV3RcRgZ63hvdY
7DlgfuYpBXOPQHCBuQuh0yPOBUbtMJjnEX+d/8opifv18VPbCEWUg8NV5OiFIlEi
6NOlaobfFR4=
=U1y0
-----END PGP SIGNATURE-----

Alert from http://www.incidents.org

New IIS "Concept Virus" Worm: NIMDA Propagating Quickly
----------------------------------------------------

UPDATE SUMMARY: A new worm that has been named "Nimda" is propagating with unprecedented speed across the Internet. The worm appears to have at least four distinct propagation mechanisms.

****INFORMATION IS PRELIMINARY****

(1) An IIS vulnerability propagation mechanism where the worm attempts to exploit a large number of IIS vulnerabilities to gain control of a victim IIS server. Once in control, the worm uses tftp to fetch its code in a file called Admin.dll from the attacking server.

(2) The worm harvests email addresses from the address book and potentially the web browser history and sends itself to all addresses as an attachment called readme.exe. Note that the worm may spoof the source address on the emails; some have even been received at incidents.org with source addresses of codered@s... and webmaster@i... Other reports indicate that the spoofed source address of staff@a... has also been seen. It is possible that someone is spoofing these emails intentionally, so that people will trust the source addresses as they are security sites.

(3) When a web server is infected, the worm downloads a binary encoded as a wav file to each client that connects to the server. The wav file is called readme.eml. Microsoft Internet Explorer will automatically execute the malicious file.

(4) The worm is network aware and propagates via open shares. It will propagate to shares that are accessible to username guest with no password.

The worm appears to prefer to target its neighbors, Code Red II style, when scanning for vulnerable IIS servers. This can cause considerable activity on local networks that have several infected machines.
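The dropped-file list in Russ's cleansing section above (Load.exe, Riched20.dll with today's date, Readme.exe in every directory, Admin.dll under /scripts, .eml and .nws files everywhere) doubles as a filesystem triage checklist. The script below is an added example, not code from either message; it walks a directory tree and counts those indicators so an administrator can judge how far the worm got before handing the box to the AV vendor's cleaner. The sample tree it builds under a temp directory is constructed for the demo and contains placeholder bytes, not worm code; hidden/system attributes are not checked because they are Windows-specific.

```python
import os
import tempfile
import time
from collections import defaultdict

# File names listed as Nimda drops in the cleansing section of the post.
DROPPED_NAMES = {"load.exe", "riched20.dll", "readme.exe", "admin.dll"}
# Extensions the post says are dropped in every directory.
DROPPED_EXTS = {".eml", ".nws"}
ONE_DAY = 24 * 60 * 60


def scan_for_nimda_indicators(root, now=None):
    """Walk `root` and collect paths matching the post's dropped-file list.

    Returns {indicator: [paths]}; the extra key 'fresh_riched20' holds any
    riched20.dll modified within the last 24 hours, since the post notes the
    dropped DLL carries today's date (a legitimate one is usually older).
    """
    now = time.time() if now is None else now
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(lower)[1]
            if lower in DROPPED_NAMES:
                hits[lower].append(path)
                if lower == "riched20.dll" and now - os.path.getmtime(path) < ONE_DAY:
                    hits["fresh_riched20"].append(path)
            elif ext in DROPPED_EXTS:
                hits[ext].append(path)
    return dict(hits)


def summarize(hits):
    """Reduce the path lists to per-indicator counts for a quick report."""
    return {indicator: len(paths) for indicator, paths in hits.items()}


def build_sample_tree():
    """Constructed sample tree (placeholder content only) mimicking an infected host."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    os.makedirs(os.path.join(root, "inetpub", "scripts"))
    os.makedirs(os.path.join(root, "docs"))
    sample_files = [
        "load.exe",                                   # a) in system root
        "riched20.dll",                               # b) freshly dropped DLL
        "readme.exe",                                 # c) in every directory
        os.path.join("docs", "readme.exe"),
        os.path.join("docs", "readme.eml"),           # e) .eml drop
        os.path.join("docs", "report.nws"),           # e) .nws drop
        os.path.join("inetpub", "scripts", "Admin.dll"),  # d) in /scripts
        os.path.join("docs", "notes.txt"),            # benign file, ignored
    ]
    for rel in sample_files:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"constructed placeholder content\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for indicator, count in sorted(summarize(scan_for_nimda_indicators(demo_root)).items()):
        print(f"{indicator}: {count}")
```

Run it against a real volume by passing the drive root to `scan_for_nimda_indicators`; a high `readme.exe` count across unrelated directories is the clearest sign that the "every directory" drop ran, while a lone `riched20.dll` with an old timestamp is normally the legitimate system copy.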