Our summary of the NIMDA (CV) worm

From: Bob Todd (toddrat_private)
Date: Tue Sep 18 2001 - 18:28:26 PDT


    (BTW this is a compilation of stuff we learned at customer sites
    and incidents@securityfocus reports)
    
    INTRODUCTION
    
    The Concept Validation (CV) worm, also known as Nimda, was
    released around 0930 EDT 18 Sep 01.  (Several sources noted that this
    was exactly one week after the WTC/Pentagon terrorist attack.)
    This is probably the most comprehensive worm that we have
    experienced to date.  It appears to attack any Microsoft OS product
    (except Windows 3.1 and Windows for Workgroups).  The attack
    mechanism has been observed in one of three ways:
    
           1.  Email with an exe binary disguised as a midi/wav file
           2.  A compromise of a web server using directory traversal
           3.  Access of a compromised web server.
    
    As of this date, we know that (1) and (3) involve readme.eml and
    readme.exe.  We are not sure of the initial infection binary for (2).
    It is important to note that any Microsoft client or server that has been
    exposed to any of these environments is probably infected.  At Advanced
    Research, we use Outlook Express (patched through Dec 2000), and
    we avoided the infection because, when the message was read, a dialog box
    asked us whether we wanted to execute or save.  We understand that many
    Outlook clients may not provide this option by default.  The same is
    true when Internet Explorer clients connected to infected Web sites.
    
    Bottom line, if you are a Microsoft operating system user, your system
    may have been compromised.
    
    DETAILS
    
    The commonly observed infection mechanism is through the execution
    of the hidden email binary, readme.exe.  We believe that it produces a
    wealth of trojan and backdoor problems that include:
    
    1.  Multiple instances of Admin.dll in Web root directories of msadc
         and/or scripts (and possibly other Web directories that are
         executable).  We do not know what Admin.dll does at this time
         but know that it also may be replicated in c:\, d:\, and/or e:\.
    
    2.  Possibly massive numbers of *.eml and *.nws files that were created
         after 0600 EDT on 18 Sep 01 and contain the reference and contents
         of readme.exe
    
    3.  One or more contaminated Web pages that contain a JavaScript
         reference to readme.eml.  This reference usually occurs at the end
         of the web page(s).  There is a site that APPEARS to be safe to
         test your web browser.  A starting point is located at:
              http://www.guninski.com/eml-desc.html

         If MS WordPad comes up, then your configuration is vulnerable.
    
    4.  It has been reported that infected machines will attempt to send email
         to 202.106.185.107 when the machine is rebooted.
    
    5.  It appears that infected machines will launch a comprehensive IIS
         directory traversal attack against random(?) targets.  Where vulnerable,
         it is believed that targets will be compromised by a similar worm.
    
    6.  In many instances there may be a trojan mmc.exe in c:\winnt.  This
         will be executed any time explorer.exe is executed.  There may be one
         or more instances of mep*.exe which have modified or are modifying
         local web pages.
    
    7.  There are reports that there are trojaned versions of riched20.dll
         which could infect Notepad and WordPad.
    
    8.  There are unconfirmed reports that it may be affecting Unix Samba
         servers.
    
    9.  Analysis of the readme.exe executable indicates that it attempts to
         add guest to the local administrators and local guests group.  It
         attempts to open the c$ drive.  We have not found any positive
         evidence that this actually worked.

    10. Reports that load.exe has been installed as a hidden file that will
         launch something after each reboot.
    
    CLEANUP
    
    1.  Sources report that NAI has a 'cleaner' tool for this infection at:
          http://download.nai.com/products/mcafee-avert/nimda2.exe
         We have not verified its effectiveness.

    2.  SARA has been updated to detect infected home pages and the
         existence of Admin.dll in specific directories.  SARA can be
         found at
          http://www-arc.com/sara/downloads/sara-3.4.9a.tar.gz

    3.  All files created/modified after 0600 18 Sep 01 should be
         reviewed to confirm that they have not been tampered with.
    
    ______________________________________________
    Bob Todd
    Advanced Research Corporation ®
    http://www-arc.com
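The following is an added example, not part of Bob Todd's message and not the SARA or NAI tooling he refers to.  It is a small Python scan for the file-system indicators the post lists under DETAILS and CLEANUP: Admin.dll under the scripts and msadc web directories, *.eml and *.nws files, web pages carrying a JavaScript reference to readme.eml, mmc.exe or load.exe sitting directly in c:\winnt, and anything modified after the 0600 EDT 18 Sep 01 cutoff (taken here as UTC-4, an assumption).  The sample tree it scans, including the script tag appended to default.htm, is constructed to match the post's description rather than captured from a real infection.

```python
"""Scan a tree for the Nimda file-system indicators listed in the post above.

Added example, not part of Bob Todd's message. The directory and file names
(scripts, msadc, winnt, Admin.dll, readme.eml, *.eml/*.nws, mmc.exe, load.exe)
come from the post; the sample tree and the script tag in default.htm are
constructed here to match its description, not captured from an infection.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Post's review cutoff: 0600 EDT 18 Sep 01, taken here as UTC-4 (assumption).
CUTOFF = datetime(2001, 9, 18, 10, 0, tzinfo=timezone.utc).timestamp()

# Post item 3: a JavaScript reference to readme.eml, usually at the end of a page.
README_EML_RE = re.compile(r"<script[^>]*>.*?readme\.eml.*?</script>", re.I | re.S)
WEB_DIRS = {"scripts", "msadc"}            # post item 1: where Admin.dll was seen
PAGE_SUFFIXES = {".htm", ".html", ".asp"}


def scan(root, cutoff=CUTOFF):
    """Return a sorted list of (indicator, relative_path) for files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        parent = path.parent.name.lower()
        suffix = path.suffix.lower()
        if name == "admin.dll" and parent in WEB_DIRS:
            findings.append(("admin_dll_in_web_dir", rel))
        # Post items 6 and 10: mmc.exe / load.exe dropped directly in c:\winnt.
        # The legitimate copy under system32 is deliberately not matched here.
        if name in ("mmc.exe", "load.exe") and parent == "winnt":
            findings.append(("suspect_exe_in_winnt", rel))
        if suffix in (".eml", ".nws"):                       # post item 2
            findings.append(("eml_nws_file", rel))
        if suffix in PAGE_SUFFIXES and README_EML_RE.search(path.read_text(errors="replace")):
            findings.append(("readme_eml_script_ref", rel))
        if path.stat().st_mtime >= cutoff:                   # cleanup step 3
            findings.append(("modified_after_cutoff", rel))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: planted indicators plus two benign files dated before the cutoff."""
    root = Path(root)
    before = datetime(2001, 9, 17, 12, 0, tzinfo=timezone.utc).timestamp()
    planted = {
        "scripts/Admin.dll": b"MZ",
        "msadc/Admin.dll": b"MZ",
        "wwwroot/readme.eml": b"MIME-Version: 1.0\r\n",
        "wwwroot/news.nws": b"MIME-Version: 1.0\r\n",
        "wwwroot/default.htm": (
            b"<html><body>Welcome</body></html>\n"
            # constructed tag in the shape the post describes: appended, references readme.eml
            b'<html><script language="JavaScript">window.open("readme.eml", null, '
            b'"resizable=no")</script></html>\n'
        ),
        "winnt/mmc.exe": b"MZ",
        "winnt/load.exe": b"MZ",
    }
    benign = {
        "wwwroot/about.html": b"<html><body>About us</body></html>\n",
        "winnt/system32/mmc.exe": b"MZ",
    }
    for rel, data in {**planted, **benign}.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    for rel in benign:                      # pre-date the benign files so the cutoff check is meaningful
        os.utime(root / rel, (before, before))


def demo():
    """Build the sample tree in a scratch directory and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for indicator, rel in demo():
        print(f"{indicator:24} {rel}")
```

Run it against a real host by calling scan() on the web root and on the Windows directory; the modified_after_cutoff check will be noisy on any machine still in use, so read it as the review list the post asks for rather than as a verdict.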
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 19:58:14 PDT