RE: Seeking Virus Info

From: Williams, Jaymes (Jaymes.Williams@private)
Date: Tue Sep 18 2001 - 10:18:46 PDT

    Here is an info alert from TruSecure regarding the W32.Nimda.A@mm worm.
    It has some instructions on how to mitigate the worm, although no AV
    vendors have an update as of now.  Trend Micro's site does not mention it
    yet, although Symantec's [www.sarc.com] does have some info.  McAfee's
    Avertlabs [www.avertlabs.com] calls it w32/minda@mm.
    
    Best Regards,
    
    Jaymes Williams, CISSP
    Security Analyst 
    PG&E National Energy Group 
    Gas Transmission Northwest 
    1400 SW Fifth Avenue, Suite 900 
    Portland, OR  97201 
    Voice: 503.833.4508 
    Fax: 503.833.4523 
    jaymes.williams@private 
    
    PG&E National Energy Group and any other
    company referenced herein that uses the PG&E name or
    logo are not the same company as Pacific Gas and
    Electric Company, the regulated California utility.  Neither
    PG&E National Energy Group nor these other
    referenced companies are regulated by the California Public
    Utilities Commission.  Customers of Pacific Gas and Electric Company
    do not have to buy products from these companies in order
    to continue to receive quality regulated services from the utility.
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm 
    
    Date: September 18, 2001
    Time:  1000 EDT
    
    RISK INDICES:
    
    Initial Assessment: RED HOT
    
    Threat: VERY HIGH, (rapidly increasing)
    
    Vulnerability Prevalence: VERY HIGH, affects IIS servers versions 4.0
    and 5.0, and internal networks.
    
    Cost: High, command execution is possible 
    
    Vulnerable Systems:  IIS 4.0 and 5.0
    
    SUMMARY:
    A new IIS worm is spreading rapidly.  Its working name is Nimda: 
    W32.nimda.a.mm
    
    It started about 9am eastern time today, Tuesday, September 18, 2001.
    Multiple sensors world-wide run by TruSecure corporation are getting
    multiple hundred hits per hour, beginning at 9:08am.
    
    The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
    multiple vulnerabilities including:
    
    Almost all are get scripts, and a get msadc (cmd.exe) 
    get_mem_bin
    vti_bin  owssvr.dll
    Root.exe
    CMD.EXE
    ../  (Unicode)
    Getadmin.dll
    Default.IDA
    /Msoffice/  cltreq.asp
    
    This is not Code Red or a Code Red variant.
    
    The worm, like Code Red, attempts to infect its local subnet first,
    then spreads beyond the local address space.
    
    It is spreading very rapidly. 
    
    TruSecure believes that this worm will infect any IIS 4 and IIS 5
    box with well known vulnerabilities.  We believe that there are
    nearly 1 million such machines currently exposed to the Internet.
    
    Risks Indices:
    Vulnerability prevalence is VERY HIGH - millions of Internet Web
    server hosts.  TruSecure process and essential configurations should
    generally be protective.  The vulnerability prevalence world-wide is
    very high.
    
    Threat - VERY HIGH and growing.  The rate of growth and spread is
    exceedingly rapid - significantly faster than any worm to date and
    significantly faster than any variant of Code Red.
    
    Cost --  Unknown, probably moderate per infected system.
    
    
    The worm itself is a file called README.EXE or ADMIN.DLL, a 56K file
    which is advertised as an audio/x-wav MIME type file.
    
    Other RISKS: 
    There is risk of DoS of network segments by traffic volume alone.
    There is large risk of successful attack to both Internet exposed IIS
    boxes and to developer and Intranet boxes inside of corporations. 
    
    Judging by the Code Red II experience, we expect many subtle routes
    of infection leading to inside corporate infections.  
    
    We cannot discount the coincidence of the date and time of release,
    exactly one week (probably to the minute) after the World Trade
    Center attack.
    
    
    REPLICATION:
    There are at least three mechanisms of spread:  
    The worm seems to spread by direct IIS attack across the Internet (IP
    spread).
    It probably also spreads by local shares.  (this is not known for
    sure at this time)
    There is also an email vector where README.EXE is sent via email to
    numerous accounts.  
    
    Mitigations
    TruSecure essential practices should work.
    Block all email with EXE attachments
    Filter for README.EXE 
    Make sure IIS boxes are well patched and hardened, or removed from
    both the Internet and Intranets.
    Make sure any developer computing platforms are not running IIS of
    any version (many do so by default).
    Disconnect mail from the Internet 
    Advise users not to double click on any unexpected attachments.  
    Update anti-virus when your vendor has the signature. 
     
    More Mitigations to follow, and additional information from
    TruSecure.
    
    DISCLAIMER:
    Copyright 2001 TruSecure Corporation.  All rights reserved.  This
    Alert is the property of the TruSecure Corporation.  It may not be
    redistributed except within your own company or organization.  This
    Alert is being provided for informational purposes only and is
    provided "AS IS."  The TruSecure Corporation makes no warranties of
    any kind, express or implied, including, but not limited to
    warranties of merchantability, fitness for a particular purpose,
    non-infringement, and warranties arising out of any course of dealing
    or course of conduct.   
    
    Impenetrable security is unattainable in real world environments; the
    TruSecure Corporation cannot and does not guarantee protection
    against breaches of security.
    
    IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS
    INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY
    KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE
    THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE
    ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE
    TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
    DAMAGES.
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.1
    
    iQA/AwUBO6dhn0Nkp5EGviu0EQKC+ACgqNWUGzjEH71Zfidoj5wfK8o+EVoAnRFw
    ugG5gRQoGZ6uADCDyy/ogLsG
    =nGW1
    -----END PGP SIGNATURE-----
    
    
    -----Original Message-----
    From: Adam Lipson [mailto:AdamL@private]
    Sent: Tuesday, September 18, 2001 9:16 AM
    To: Crime List
    Subject: Seeking Virus Info
    
    
    Our London office just encountered an unknown virus.  If anyone has any idea
    what it might be can you please let me know.  A scan of several major
    Anti-Virus vendors has not come up with any results.  The description of
    what we have seen it do so far is listed below.
    
    Thanks for your help,
    Adam
    
    It will put sample.eml and desktop.eml on your desktop and in lots of
    folders on your hard drive.
    
    Then it will scan for IIS servers, and try to attack all machines on your
    local network running IIS.
    
    
    
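    The alert above lists the request paths the worm probes for (root.exe,
    cmd.exe, default.ida, the "../ (Unicode)" traversal and so on) and notes
    that command execution is possible. As an added example, not part of the
    alert or of this post, the Python below scans IIS W3C-extended log lines
    for those probe paths, flags a 200 response to a cmd.exe/root.exe request
    as a likely successful command execution, and counts probe volume per
    source address. The overlong-UTF-8 encodings of "/" and "\" it treats as
    the Unicode traversal are an assumption (the well-known forms, not taken
    from the alert), and the log lines are constructed, not captured traffic.

```python
"""Flag Nimda-style IIS probe requests in W3C-extended log lines.

Added example; not from the TruSecure alert or from the list post.  The probe
paths are those the alert enumerates.  The encodings in TRAVERSAL_ENCODINGS
are an assumption (well-known Unicode traversal forms), and SAMPLE_LOG is
constructed, not captured traffic.
"""
from collections import Counter
from urllib.parse import unquote

# Request-path fragments from the alert's probe list (lower case).  Bare
# "/scripts/" and "/msadc/" are ordinary IIS paths, so they are not flagged
# by themselves; the executables and DLLs the worm asks for are.
PROBE_MARKERS = (
    "root.exe", "cmd.exe", "getadmin.dll", "default.ida", "owssvr.dll",
    "/_mem_bin/", "/msoffice/cltreq.asp",
)

# Assumed encodings of "/" or "\" that IIS 4/5 decoded only after its path
# check, so "..%c0%af.." becomes "../.." (the alert's "../ (Unicode)" entry).
TRAVERSAL_ENCODINGS = ("%c0%af", "%c1%9c", "%c1%1c", "%255c", "%%35c", "%25%35%63")

DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
                  "cs-uri-query", "sc-status"]


def parse_w3c(lines):
    """Yield one dict per data line of an IIS W3C-extended log.

    A '#Fields:' directive overrides DEFAULT_FIELDS; other '#' lines and
    truncated lines are skipped rather than risk misaligned fields."""
    fields = list(DEFAULT_FIELDS)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue
        yield dict(zip(fields, parts))


def probe_reasons(uri_stem):
    """Return the Nimda probe indicators present in a request path (empty if none)."""
    lowered = uri_stem.lower()
    reasons = [m for m in PROBE_MARKERS if m in lowered]
    if any(enc in lowered for enc in TRAVERSAL_ENCODINGS):
        reasons.append("unicode-traversal")
    # Decode twice, as IIS effectively did, to catch %252e%252e%252f-style forms.
    decoded = unquote(unquote(lowered))
    if ("../" in decoded or "..\\" in decoded) and "unicode-traversal" not in reasons:
        reasons.append("dot-dot-traversal")
    return reasons


def scan(lines):
    """Return one hit dict per probe request found in the log lines."""
    hits = []
    for rec in parse_w3c(lines):
        uri = rec["cs-uri-stem"]
        reasons = probe_reasons(uri)
        if not reasons:
            continue
        # A 200 on a cmd.exe/root.exe request means the command ran: treat as compromise.
        likely_exec = rec["sc-status"] == "200" and any(
            r in ("cmd.exe", "root.exe") for r in reasons)
        hits.append({"ip": rec["c-ip"], "uri": uri, "status": rec["sc-status"],
                     "reasons": reasons, "likely_exec": likely_exec})
    return hits


def scanners_by_volume(hits):
    """Probe requests per source IP, most active first."""
    return Counter(h["ip"] for h in hits).most_common()


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-18 13:08:41
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:08:41 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 13:08:41 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:08:42 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:08:42 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:08:43 192.0.2.10 GET /_mem_bin/..%255c../..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:09:00 198.51.100.7 GET /index.htm - 200
2001-09-18 13:09:05 198.51.100.7 GET /images/logo.gif - 200
2001-09-18 13:09:10 203.0.113.4 GET /default.ida XXXXXXXX%u9090%u6858 400
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        tag = "COMPROMISE?" if h["likely_exec"] else "probe"
        print(f'{h["ip"]:<14} {h["status"]} {tag:<12} {h["uri"]}  [{", ".join(h["reasons"])}]')
    print("probe volume by source:", scanners_by_volume(found))
```

    Run it against a real IIS log by passing the file's lines to scan(); a
    source that appears in scanners_by_volume() with dozens of hits per minute
    is the worm scanning you, and any hit marked COMPROMISE? is a box to pull
    off the network and rebuild, not just patch.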



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:57 PDT