WARNING: Trojan Horse Disguised as Message from SecurityFocus and TrendMicro

From: aleph1at_private
Date: Sun Sep 30 2001 - 19:47:58 PDT


    It has come to our attention that a message claiming to come from
    SecurityFocus' ARIS system and TrendMicro is being used to deliver
    what looks like a trojan horse to unsuspecting users. These messages
    do not come from us or TrendMicro, as a quick check of the headers
    will reveal.
    
    The messages come with an executable attachment named FIX_NIMDA.exe.
    Do *NOT* run this attachment.
    
    The name is similar to the one used by TrendMicro for their free
    Nimda removal tool (FIX_NIMDA.com). To say the least, we haven't ever
    sent out any type of executable attachment claiming to be a fix
    to any worm or vulnerability. And we certainly don't send out email
    using the brain-dead multipart/alternative MIME type.
    
    We are still trying to determine what the code does. At first glance
    it appears to include some type of zip file that, when run, creates
    a directory called FIX_NIMDA, with the files FIX_NIMDA.exe,
    readme.txt, SLIDE.DAT, and slide.exe.
    
    The readme.txt file is a copy of the file distributed by TrendMicro with
    their free Nimda disinfection tool. The FIX_NIMDA.exe file is
    not the same as TrendMicro's, but it appears to attempt to deceive
    the user by printing out some output that makes it appear like it is
    working as advertised.
    
    Below you can find a sample of the fake message being used to
    transmit this trojan. If you have received a similar message we
    would like to hear from you.
    
    Common sense and best practices indicate that you should not execute
    any code that comes via email unless you can authenticate the source
    of the message. Sadly, as previous worms make all too clear, there will
    always be people that do not follow safe computing practices.
    
    Return-Path: <aris-reportat_private>
    Received: (qmail 24362 invoked from network); 30 Sep 2001 23:46:17 -0000
    Received: from corderoatado.arnet.com.ar (HELO dominios2.arnet.com.ar) (200.45.0.3)
      by gate.bulinfo.net with SMTP; 30 Sep 2001 23:46:17 -0000
    Received: from mcdark ([217.228.174.48]) by dominios2.arnet.com.ar  with Microsoft SMTPSVC(5.5.1877.357.35);
    	 Sun, 30 Sep 2001 20:45:05 -0300
    Message-ID: <002901c14a09$f12b6a80$0100a8c0@mcdark>
    From: <aris-reportat_private>
    To: <Teratonat_private>
    Cc: <Teratonat_private>,
    	<ktzenovat_private>
    Subject: Possible Nimda Worm infection
    Date: Mon, 1 Oct 2001 01:45:03 +0200
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    	boundary="----=_NextPart_000_0025_01C14A1A.B058CFA0"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 5.50.4807.1700
    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
    Return-Path: aris-reportat_private
    Status: RO
    Content-Length: 912884
    Lines: 11932
    
    This is a multi-part message in MIME format.
    
    ------=_NextPart_000_0025_01C14A1A.B058CFA0
    Content-Type: multipart/alternative;
    	boundary="----=_NextPart_001_0026_01C14A1A.B058CFA0"
    
    
    ------=_NextPart_001_0026_01C14A1A.B058CFA0
    Content-Type: text/plain;
    	charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    
    Hello,
    This mail is from the ARIS Analyzer Service (Attack Registry and =
    Intelligence=20
    Service) from SecurityFocus in cooperation with Trend Micro =
    Incorporated.
    =20
    As you are probably aware from the media, the Nimda worm started =
    spreading.
    It has come to our attention that your system(s),
    listed below have been identified as being compromised by the Nimda =
    Worm. =20
    The Nimda Worm is rapidly spreading across the Internet.=20
    
    The addresses identified as belonging to you are as follows:
    
    Teratonat_private=20
    Teratonat_private
    ktzenovat_private
    
    You can find up to date information on the Nimda Worm at:
    
    http://aris.securityfocus.com
    
    It is very important that you are checking your Systems that have used =
    with the identified addresses
    with the special Anti Nimda Software that we send you with this mail. =
    (FIX_NIMDA.EXE)
    
    It is also important that you are updating all your systems.
    For this please show at the following URL
    
    http://www.microsoft.com/technet/security/bulletin/MS01-020.asp1-26.html
    
    
    
    The SecurityFocus ARIS Analyst Team
    aris-reportat_private
    
    
    
    ------=_NextPart_001_0026_01C14A1A.B058CFA0
    Content-Type: text/html;
    	charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=3DContent-Type content=3D"text/html; =
    charset=3Diso-8859-1">
    <META content=3D"MSHTML 5.50.4807.2300" name=3DGENERATOR>
    <STYLE></STYLE>
    </HEAD>
    <BODY bgColor=3D#ffffff>
    <DIV><FONT face=3DArial size=3D2>Hello,<BR>This mail is from the ARIS =
    Analyzer=20
    Service (Attack Registry and Intelligence <BR>Service) from =
    SecurityFocus in=20
    cooperation with Trend Micro Incorporated.<BR>&nbsp;<BR>As you are =
    probably=20
    aware from the media, the Nimda worm started spreading.<BR>It has come =
    to our=20
    attention that your system(s),<BR>listed below have been identified as =
    being=20
    compromised by the Nimda Worm.&nbsp; <BR>The Nimda Worm is rapidly =
    spreading=20
    across the Internet. </FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>The addresses identified as belonging =
    to you are as=20
    follows:</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2><A=20
    href=3D"mailto:Teratonat_private">Teratonat_private</A> <BR><A=20
    href=3D"mailto:Teratonat_private">Teratonat_private</A><BR><A=20
    href=3D"mailto:ktzenovat_private">ktzenovat_private</A></FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>You can find up to date information on =
    the Nimda=20
    Worm at:</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2><A=20
    href=3D"http://aris.securityfocus.com">http://aris.securityfocus.com><=
    /FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2><STRONG>It is very important that you =
    are checking=20
    your Systems that have used with the identified addresses<BR>with the =
    special=20
    Anti Nimda Software that we send you with this mail.=20
    (FIX_NIMDA.EXE)</STRONG></FONT></DIV>
    <DIV><STRONG></STRONG>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2><STRONG>It is also important that you =
    are updating=20
    all your systems.<BR>For this please show at the following=20
    URL</STRONG></FONT></DIV>
    <DIV><STRONG></STRONG>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2><A=20
    href=3D"http://www.microsoft.com/technet/security/bulletin/MS01-020.asp1-=
    26.html">http://www.microsoft.com/technet/security/bulletin/MS01-020.asp1=
    -26.html</A></FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>The SecurityFocus ARIS Analyst =
    Team<BR><A=20
    href=3D"mailto:aris-reportat_private">aris-reportat_private=
    om</A></FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>
    
    ------=_NextPart_001_0026_01C14A1A.B058CFA0--
    
    ------=_NextPart_000_0025_01C14A1A.B058CFA0
    Content-Type: application/x-msdownload;
    	name="FIX_NIMDA.exe"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    	filename="FIX_NIMDA.exe"
    
    TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
    ZGUuDQ0KJAAAAAAAAABQRQAATAEGAN7mEzcAAAAAAAAAAOAACgELAQUAADYAAAAgAAAAAAAAgDEA
    [ rest deleted ]
    ilE0K1mq81gPxwAAANgAABMAAAAAAAAAAAAgAP+BRW0AAEZJWF9OSU1EQS9zbGlkZS5leGVQSwEC
    FAAUAAAACAAjDEErh4jB8DkQAABdLQAAFAAAAAAAAAABACAAtoGFNAEARklYX05JTURBL3JlYWRt
    ZS50eHRQSwECFAAKAAAAAAAqWz0rAAAAAAAAAAAAAAAACgAAAAAAAAAAABAA/0HwRAEARklYX05J
    TURBL1BLBQYAAAAABQAFAEEBAAAYRQEAAAA=
    
    ------=_NextPart_000_0025_01C14A1A.B058CFA0--
    
    -- 
    Elias Levy
    SecurityFocus
    http://www.securityfocus.com/
    Si vis pacem, para bellum
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
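The two checks the post recommends, reading the Received headers instead of trusting From/Return-Path, and not trusting the attachment, as an added worked example that is not part of the original message. The sample mail is reconstructed from the headers and MIME layout quoted above (addresses kept in the archive's obfuscated "at_private" form); the attachment bytes are a constructed stand-in, a DOS "MZ" stub with a zip archive appended to mirror the layout the post describes, since the real binary is not reproduced here. The code walks the Received chain oldest-first to find the injecting host, then checks each non-body part for a DOS/PE header and lists any embedded zip.

```python
"""Triage of a suspicious mail: Received-chain walk plus attachment inspection (added example)."""
import base64
import email
import io
import re
import zipfile
from email import policy

# Header block copied from the quoted fake message; addresses left as the archive obfuscated them.
SAMPLE_HEADERS = (
    "Return-Path: <aris-reportat_private>\n"
    "Received: (qmail 24362 invoked from network); 30 Sep 2001 23:46:17 -0000\n"
    "Received: from corderoatado.arnet.com.ar (HELO dominios2.arnet.com.ar) (200.45.0.3)\n"
    "  by gate.bulinfo.net with SMTP; 30 Sep 2001 23:46:17 -0000\n"
    "Received: from mcdark ([217.228.174.48]) by dominios2.arnet.com.ar  with Microsoft SMTPSVC(5.5.1877.357.35);\n"
    "\t Sun, 30 Sep 2001 20:45:05 -0300\n"
    "From: <aris-reportat_private>\n"
    "To: <Teratonat_private>\n"
    "Subject: Possible Nimda Worm infection\n"
    "X-Mailer: Microsoft Outlook Express 5.50.4807.1700\n"
    "MIME-Version: 1.0\n"
)


def build_sample_payload() -> bytes:
    """Constructed stand-in for FIX_NIMDA.exe: an 'MZ' stub with a zip appended, mirroring
    the exe-carrying-a-zip layout the post describes. Not the real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FIX_NIMDA/FIX_NIMDA.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("FIX_NIMDA/readme.txt", b"placeholder for the copied TrendMicro readme\n")
        zf.writestr("FIX_NIMDA/SLIDE.DAT", b"\x00" * 16)
        zf.writestr("FIX_NIMDA/slide.exe", b"MZ" + b"\x00" * 62)
    return b"MZ" + b"\x90" * 62 + buf.getvalue()


def build_sample_message() -> str:
    """Reassemble the quoted MIME layout: multipart/mixed holding a multipart/alternative
    body plus an application/x-msdownload attachment named FIX_NIMDA.exe."""
    attachment = base64.encodebytes(build_sample_payload()).decode("ascii")
    return (
        SAMPLE_HEADERS
        + 'Content-Type: multipart/mixed; boundary="outer"\n\n'
        + '--outer\nContent-Type: multipart/alternative; boundary="inner"\n\n'
        + '--inner\nContent-Type: text/plain; charset="iso-8859-1"\n\n'
        + "This mail is from the ARIS Analyzer Service ... (FIX_NIMDA.EXE)\n"
        + '--inner\nContent-Type: text/html; charset="iso-8859-1"\n\n'
        + "<html><body>This mail is from the ARIS Analyzer Service ...</body></html>\n"
        + "--inner--\n--outer\n"
        + 'Content-Type: application/x-msdownload; name="FIX_NIMDA.exe"\n'
        + "Content-Transfer-Encoding: base64\n"
        + 'Content-Disposition: attachment; filename="FIX_NIMDA.exe"\n\n'
        + attachment
        + "--outer--\n"
    )


_FROM = re.compile(r"^from\s+(\S+)", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)
_IP = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _first(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None


def received_chain(msg) -> list:
    """Each relay prepends its own Received header, so header order is newest-first.
    Return the hops oldest-first: hops[0] is the host that injected the message."""
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(str(value).split())  # unfold continuation lines
        hops.append({"from": _first(_FROM, line), "ip": _first(_IP, line), "by": _first(_BY, line)})
    return hops[::-1]


def inspect_attachments(msg) -> list:
    """For each non-body part: file name, declared type, whether it starts with the DOS 'MZ'
    magic, and the names in any zip archive embedded in it (self-extractor style)."""
    findings = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if not isinstance(data, bytes):
            continue
        names = []
        if b"PK\x05\x06" in data:  # zip end-of-central-directory signature present
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    names = zf.namelist()
            except zipfile.BadZipFile:
                pass
        findings.append({"filename": part.get_filename(), "content_type": part.get_content_type(),
                         "mz_header": data[:2] == b"MZ", "embedded_zip": names})
    return findings


def triage(raw: str) -> dict:
    """Summarise who the mail claims to be from versus where it actually entered the mail system."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_chain(msg)
    return {"claimed_from": str(msg["From"]), "mailer": str(msg["X-Mailer"]),
            "origin": hops[0] if hops else None, "hops": hops,
            "attachments": inspect_attachments(msg)}


if __name__ == "__main__":
    report = triage(build_sample_message())
    print("claimed sender:", report["claimed_from"], "| X-Mailer:", report["mailer"])
    print("injected by:", report["origin"])
    for a in report["attachments"]:
        print("attachment:", a)
```

On the sample the origin hop is a host announcing itself as "mcdark" at 217.228.174.48, handed to an arnet.com.ar relay, while From and Return-Path claim the ARIS report address and X-Mailer names Outlook Express rather than an automated service; the attachment is declared as application/x-msdownload, starts with the MZ magic, and carries a zip with the FIX_NIMDA directory inside. Only the oldest hop that you can verify against your own relay's logs is trustworthy, since everything below a forged header boundary can be invented by the sender.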
    



    This archive was generated by hypermail 2b30 : Sun Sep 30 2001 - 19:58:37 PDT