The worm is called Nimda; it's not based on Code Red.  It spreads 4
different ways:

1. Via email, like SirCam.  The attachment, called readme.exe, is given a WAV
MIME type, which attempts to open Windows Media Player.  Outlook will still
ask you if you want to open it, but when WMP comes up, users are more likely
to say yes and open it.

2. Via Network shares.  It tries to find open network shares and copy itself
to other machines on the network.

3. Via IIS vulnerabilities (à la Code Red).  It scans for 16 different
vulnerabilities which will allow it to copy itself onto the web server.  It
also appears to be much more aggressive in scanning for vulnerable machines
than Code Red was.

4. Via the EML vulnerability in IE versions prior to 6.0 (very few have
upgraded to 6.0).  If a web server has Nimda, it will append a nice piece of
JavaScript to the end of every web page served, which will open an EML file
that will infect the machine viewing the web page.  There is no dialog; it
just opens.  This bug was discovered by Georgi Guninski about a month or so
ago, and is apparently fixed in IE 6.0.  So IE users can get the virus just
by visiting a page on an infected IIS server.


This one is going to be much worse than Code Red ever was.  It plays on user
stupidity, administrator laziness, and the fun autoexecute abilities of IE.
Plus, I'm sure there will be some variants which further refine the way it
spreads.

Jay




> -----Original Message-----
> From: Dave Royer [mailto:dave at droyer.org] 
> Sent: Tuesday, September 18, 2001 11:02 AM
> To: tclug-list at mn-linux.org
> Subject: Re: [TCLUG] New Worm based on Code Red?
> 
> 
> Here is an alert sent to the NTBugTraq list.  
> 
> I've got snort running on my boxen at home and it has been screaming since
> 8:00 this morning.  I am already having trouble connecting to the boxes at
> home due to all the traffic.
> 
> Dave Royer
> 
> 
> -----Original Message-----
> From: Russ [mailto:Russ.Cooper at RC.ON.CA]
> Sent: Tuesday, September 18, 2001 10:21 AM
> To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
> Subject: Alert: Some sort of IIS worm seems to be propagating
> 
> 
> There have been numerous reports of IIS attacks being 
> generated by machines over a broad range of IP addresses. 
> These "infected" machines are using a wide variety of attacks 
> which attempt to exploit already known and patched 
> vulnerabilities against IIS.
> 
> It appears that the attacks can come both from email and from 
> the network.
> 
> A new worm, being called w32.nimda.amm, is being sent around. 
> The attachment is called README.EXE and comes as a MIME-type 
> of "audio/x-wav" together with some html parts. There appears 
> to be no text in this message when it is displayed by Outlook 
> when in Auto-Preview mode (always a good indication there's 
> something not quite right with an email.)
> 
> The network attacks against IIS boxes are a wide variety of 
> attacks. Amongst them appear to be several attacks that 
> assume the machine is compromised by Code Red II (looking for 
> ROOT.EXE in the /scripts and /msadc directory, as well as an 
> attempt to use the /c and /d virtual roots to get to 
> CMD.EXE). Further, it attempts to exploit numerous other 
> known IIS vulnerabilities.
> 
> One thing to note is the attempt to execute TFTP.EXE to 
> download a file called ADMIN.DLL from (presumably) some 
> previously compromised box.
> 
> Anyone who discovers a compromised machine (a machine with 
> ADMIN.DLL in the /scripts directory), please forward me a 
> copy of that .dll ASAP.
> 
> Also, look for TFTP traffic (UDP 69). As a safeguard, consider 
> doing the following:
> 
> edit %systemroot%/system32/drivers/etc/services.
> 
> change the line:
> 
> tftp 69/udp
> 
> to:
> 
> tftp 0/udp
> 
> thereby disabling the TFTP client. W2K has TFTP.EXE protected 
> by Windows File Protection so it can't be removed.
> 
> More information as it arises.
> 
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> 
> 
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org 
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
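As an added example (not part of this thread), here is a small log scanner built from the IIS probe families named in Russ's quoted alert above: the ROOT.EXE checks under /scripts and /msadc, CMD.EXE reached through the /c and /d virtual roots, and the TFTP fetch of ADMIN.DLL. The simplified log format, the sample lines, the client addresses and the "two probe families" threshold are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed, simplified IIS-style log lines (date time client method uri status).
# Not real capture data; 10.0.0.5 plays an infected host, 172.16.0.9 a lone probe.
SAMPLE_LOG = """\
2001-09-18 08:01:12 10.0.0.5 GET /scripts/root.exe?/c+dir 404
2001-09-18 08:01:12 10.0.0.5 GET /MSADC/root.exe?/c+dir 404
2001-09-18 08:01:13 10.0.0.5 GET /c/winnt/system32/cmd.exe?/c+dir 404
2001-09-18 08:01:13 10.0.0.5 GET /d/winnt/system32/cmd.exe?/c+dir 404
2001-09-18 08:01:15 10.0.0.5 GET /c/winnt/system32/cmd.exe?/c+tftp+Admin.dll 200
2001-09-18 08:02:00 192.168.1.20 GET /index.html 200
2001-09-18 08:02:03 192.168.1.20 GET /images/logo.gif 200
2001-09-18 08:03:40 172.16.0.9 GET /scripts/root.exe?/c+dir 404
"""

# Probe families taken from the alert: Code Red II backdoor checks (ROOT.EXE under
# /scripts and /msadc), CMD.EXE via the /c and /d virtual roots, TFTP of ADMIN.DLL.
NIMDA_PROBES = {
    "root.exe backdoor": re.compile(r"^/(scripts|msadc)/root\.exe", re.I),
    "cmd.exe via /c or /d root": re.compile(r"^/[cd]/.*cmd\.exe", re.I),
    "tftp admin.dll fetch": re.compile(r"tftp.*admin\.dll", re.I),
}

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(uri):
    """Return the set of probe families a request URI matches (may be empty)."""
    return {name for name, pat in NIMDA_PROBES.items() if pat.search(uri)}


def scan_log(text):
    """Map each client IP to a Counter of probe families it sent."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip headers, comments and malformed records
        _date, _time, client, _method, uri, _status = m.groups()
        for kind in classify(uri):
            hits[client][kind] += 1
    return hits


def likely_infected(hits, min_kinds=2):
    """Clients that sent at least min_kinds distinct probe families: the worm fires
    its whole battery, whereas a single ROOT.EXE 404 is weak evidence on its own."""
    return sorted(ip for ip, kinds in hits.items() if len(kinds) >= min_kinds)
```

On the constructed lines, `likely_infected(scan_log(SAMPLE_LOG))` returns `['10.0.0.5']`; the single-probe host 172.16.0.9 is recorded in the hit table but stays below the threshold, which is the point of counting families rather than raw requests.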