Mailing-List: contact incidents-help@securityfocus.com; run by ezmlm
Message-ID: <05e901c140aa$61a1dba0$6600a8c0@localarc.com>
From: "Bob Todd"
Subject: Our summary of the NIMDA (CV) worm
Date: Tue, 18 Sep 2001 21:28:26 -0400

(BTW, this is a compilation of stuff we learned at customer sites and from incidents@securityfocus reports.)

INTRODUCTION

The Concept Validation (CV) worm, also known as Nimda, was released around 0930 EDT 18 Sep 01. (Several sources noted that this was exactly one week after the WTC/Pentagon terrorist attack.) This is probably the most comprehensive worm that we have experienced to date. It appears to attack any Microsoft OS product (except Windows 3.1 and Windows for Workgroups).

The attack mechanism has been observed in one of three ways:

1. Email with an exe binary disguised as a midi/wav file
2. A compromise of a web server using directory traversal
3. Access of a compromised web server

As of this date, we know that (1) and (3) involve readme.eml and readme.exe. We are not sure of the initial infection binary for (2). It is important to note that any Microsoft client or server that has been exposed to any of these environments is probably infected.

At Advanced Research, we use Outlook Express (patched through Dec 2000) and we avoided the infection, as when the message was read, a dialog box asked us whether we wanted to execute or save. We understand that many Outlook clients may not provide this option by default. The same is true when Internet Explorer clients connect to infected Web sites. Bottom line: if you are a Microsoft operating system user, your system may have been compromised.

DETAILS

The commonly observed infection mechanism is through the execution of the hidden email binary, readme.exe. We believe that it produces a wealth of trojan and backdoor problems that include:

1. Multiple instances of Admin.dll in the Web root directories msadc and/or scripts (and possibly other Web directories that are executable). We do not know what Admin.dll does at this time, but know that it also may be replicated in c:\, d:\, and/or e:\.
2. Possibly massive numbers of *.eml and *.nws files that were created after 0600 EDT on 18 Sep 01 and contain the reference and contents of readme.exe.
3. One or more contaminated Web pages that contain a JavaScript reference to readme.eml. This reference usually occurs at the end of the web page(s). There is a site that APPEARS to be safe for testing your web browser. The start page is located at: http://www.guninski.com/eml-desc.html If MS WordPad comes up, then your configuration is vulnerable.
4. It has been reported that infected machines will attempt to send email to 202.106.185.107 when the machine is rebooted.
5. It appears that infected machines will launch a comprehensive IIS directory traversal attack against random(?) targets. Where vulnerable, it is believed that targets will be compromised by a similar worm.
6. In many instances there may be a trojan mmc.exe in c:\winnt. This will be executed any time explorer.exe is executed. There may be one or more instances of mep*.exe which have modified or are modifying local web pages.
7. There are reports that there are trojaned versions of riched20.dll which could infect Notepad and WordPad.
8. There are unconfirmed reports that it may be affecting Unix Samba servers.
9. Analysis of the readme.exe executable indicates that it attempts to add guest to the local Administrators and local Guests groups. It attempts to open the c$ drive. We have not found any positive evidence that this actually worked.
10. Reports that load.exe has been installed as a hidden file that will launch something after each reboot.

CLEANUP

1. Sources report that NAI has a 'cleaner' tool for this infection at: http://download.nai.com/products/mcafee-avert/nimda2.exe We have not verified its effectiveness.
2. SARA has been updated to detect infected home pages and the existence of Admin.dll in specific directories. SARA can be found at http://www-arc.com/sara/downloads/sara-3.4.9a.tar.gz
3. All files created/modified after 0600 18 Sep 01 should be reviewed to confirm that they have not been tampered with.

______________________________________________
Bob Todd
Advanced Research Corporation ®
http://www-arc.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
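The host-level indicators in the DETAILS section (Admin.dll under msadc/scripts or a drive root, *.eml/*.nws files newer than the 0600 EDT cutoff, pages carrying a JavaScript reference to readme.eml, mmc.exe in winnt, mep*.exe, load.exe) and CLEANUP step 3 (review everything modified after the cutoff) can be turned into one filesystem sweep. The script below is an added example, not code from Bob Todd's message or from SARA. The directory layout, file names and timestamps that build_demo_tree() creates are constructed for the demo; the injected-script pattern (any script element that mentions readme.eml) is an assumption, since the message does not give the exact text. riched20.dll cannot be recognised as trojaned by name alone, so it is flagged only when it changed after the cutoff; the guest-to-Administrators change (item 9) and the hidden attribute on load.exe (item 10) are not checked because they need Windows-specific APIs.

```python
"""Sweep a directory tree for the Nimda host indicators listed in the message.

Added example, not the message author's code. The sample tree built by
build_demo_tree() is constructed data, not a capture from a real host.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# 0600 EDT on 18 Sep 2001 is 10:00 UTC (EDT is UTC-4).
CUTOFF = datetime(2001, 9, 18, 10, 0, tzinfo=timezone.utc)

# Executable IIS virtual directories named in the message (item 1).
WEB_EXEC_DIRS = {"msadc", "scripts"}
# Page types checked for the injected script (item 3).
PAGE_SUFFIXES = {".htm", ".html", ".asp"}
# Assumed marker: a <script> element whose body mentions readme.eml.
README_SCRIPT = re.compile(rb"<script[^>]*>[^<]*readme\.eml", re.IGNORECASE)
MEP_EXE = re.compile(r"^mep.*\.exe$", re.IGNORECASE)


def classify(path: Path, root: Path, cutoff_ts: float) -> list[str]:
    """Return the indicator names a single file matches (possibly none)."""
    name = path.name.lower()
    parent = path.parent.name.lower()
    recent = path.stat().st_mtime >= cutoff_ts
    hits: list[str] = []

    # Item 1: Admin.dll in msadc/scripts, or at the top of the tree
    # (the drive-root copies the message mentions).
    if name == "admin.dll" and (parent in WEB_EXEC_DIRS or path.parent == root):
        hits.append("admin.dll")
    # Item 2: .eml/.nws files written after the cutoff.
    if path.suffix.lower() in {".eml", ".nws"} and recent:
        hits.append("eml/nws")
    # Item 3: a web page carrying a script reference to readme.eml.
    if path.suffix.lower() in PAGE_SUFFIXES and README_SCRIPT.search(path.read_bytes()):
        hits.append("page-references-readme.eml")
    # Item 6: mmc.exe dropped in winnt, and mep*.exe page modifiers.
    if name == "mmc.exe" and parent == "winnt":
        hits.append("mmc.exe-in-winnt")
    if MEP_EXE.match(name):
        hits.append("mep*.exe")
    # Item 7: riched20.dll is only suspicious here if it changed after the cutoff.
    if name == "riched20.dll" and recent:
        hits.append("riched20.dll-changed")
    # Item 10: load.exe (hidden attribute not checked on non-Windows hosts).
    if name == "load.exe":
        hits.append("load.exe")
    # The dropper itself, from infection paths (1) and (3).
    if name in {"readme.exe", "readme.eml"}:
        hits.append("readme-dropper")
    # CLEANUP step 3: everything touched after the cutoff goes on the review list.
    if recent:
        hits.append("modified-after-cutoff")
    return hits


def scan(root: Path, cutoff: datetime = CUTOFF) -> dict[str, list[str]]:
    """Walk root and group matching files by indicator as root-relative paths."""
    cutoff_ts = cutoff.timestamp()
    findings: dict[str, list[str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for hit in classify(path, root, cutoff_ts):
            findings.setdefault(hit, []).append(path.relative_to(root).as_posix())
    return findings


def build_demo_tree(root: Path) -> None:
    """Constructed sample tree mimicking an infected IIS host (not real data)."""
    before = (CUTOFF - timedelta(days=30)).timestamp()
    after = (CUTOFF + timedelta(hours=2)).timestamp()
    infected_page = (
        b"<html><body>welcome</body></html>\n"
        b'<html><script language="JavaScript">window.open("readme.eml")</script></html>'
    )
    sample = {
        "Admin.dll": (b"MZ", after),                     # drive-root copy
        "inetpub/scripts/Admin.dll": (b"MZ", after),
        "inetpub/wwwroot/default.htm": (infected_page, after),
        "inetpub/wwwroot/about.htm": (b"<html><body>clean</body></html>", before),
        "inetpub/wwwroot/readme.eml": (b"MIME-Version: 1.0", after),
        "winnt/mmc.exe": (b"MZ", after),
        "winnt/system32/riched20.dll": (b"MZ", before),  # untouched, not flagged
        "winnt/temp/mep1a2b.exe": (b"MZ", after),
        "winnt/load.exe": (b"MZ", after),
    }
    for rel, (data, mtime) in sample.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan(root)


if __name__ == "__main__":
    for indicator, paths in sorted(demo().items()):
        print(f"{indicator}:")
        for rel in paths:
            print(f"  {rel}")
```

On a real host, point scan() at each drive root instead of the temp tree; the modified-after-cutoff list is deliberately broad because the message asks for every such file to be reviewed, and the other keys narrow that list to the named indicators.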