From: C y b e r T e c h @ L i s t s . E x M a c h i n a . n e t
<http://www.cybercafe21.net> & <http://www.cybercafe21.tv>

It's the new virus...
After Code Red, here comes... NIMDA

Reposted from the CC21 list:

-----Original Message-----
From: Olivier Van Loo 
Sent: Tuesday, September 18, 2001 18:08
To: CyberCafe21
Subject: [CC21] NEW Virus , out wild and dangerous W32.nimda.a.mm

      FYI
      I have just received an alert from our NOC.

      Olivier

      Nimda: W32.nimda.a.mm
      Publish Date: September 18, 2001
      Publish Time: 1119 EDT
      Initial Assessment Date: September 18, 2001
      Initial Assessment Time: 1000 EDT

      RISK INDICES:
      Initial Assessment: Red Hot
      Current Assessment: Red Hot
      Threat: High (Growing. The rate of growth and spread is exceedingly
rapid - significantly faster than any worm to date and significantly faster
than any variant of Code Red.)

      Vulnerability Prevalence: High (affects IIS servers version 4.0, 5.0,
and internal networks. Millions of Internet Web server hosts: TruSecure
process and essential configurations should generally be protective. The
vulnerability prevalence world-wide is very high)


      Cost: High ( command execution is possible )

      Vulnerable Systems: IIS 4.0 and 5.0


      SUMMARY:
      A new IIS worm is spreading rapidly. Its working name is Nimda:
W32.nimda.a.mm

      It started about 9am eastern time today, Tuesday, September 18, 2001.
Multiple sensors world-wide run by TruSecure corporation are getting
multiple hundred hits per hour. And began at 9:08am.

      The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
multiple vulnerabilities including:

      Almost all are get scripts, and a get msadc (cmd.exe)
      get_mem_bin
      vti_bin owssvr.dll
      Root.exe
      CMD.EXE
      ../ (Unicode)
      Getadmin.dll
      Default.IDA
      /Msoffice/ cltreq.asp

      This is not code red or a code red variant.

      The worm, like code red attempts to infect its local sub net first,
then spreads beyond the local address space.

      It is spreading very rapidly.

      TruSecure believes that this worm will infect any IIS 4 and IIS 5 box
with well known vulnerabilities. We believe that there are nearly 1Million
such machines currently exposed to the Internet.



      DETAILED DESCRIPTION:
      The worm itself is a file called README.EXE, or ADMIN.DLL a 56K file
which is advertised as an audio xwave mime type file.

      Other RISKS:
      There is risk of DOS of network segments by traffic volume alone. There
is large risk of successful attack to both Internet exposed IIS boxes and to
developer and Intranet boxes inside of corporations.

      Judging by the Code Red II experience, we expect many subtle routes of
infection leading to inside corporate infections.

      We cannot discount the coincidence of the date and time of release,
exactly one week to (probably to the minute) as the World Trade Center
attack.

      REPLICATION:
      There are at least three mechanisms of spread:
      The worm seems to spread both by a direct IIS across Internet (IP
spread)
      It probably also spreads by local shares. (this is not known for sure
at this time)
      There is also an email vector where README.EXE is sent via email to
numerous accounts.



      MITIGATIONS:
      TruSecure essential practices should work.
      Block all email with EXE attachments
      Filter for README.EXE
      Make sure IIS boxes are well patched and hardened, or removed from
both the Internet and Intranets.

      Make sure any developer computing platforms are not running IIS of any
version (many do so by default if either. Disconnect mail from the Internet.
Advise users not to double click on any unexpected attachments. Update
anti-virus when your vendor has the signature.

      More Mitigations to follow, and additional information from TruSecure.


      COMMUNICATION:
      Please contact your TruSecure analyst if you have any questions or if
you see actual attempts to exploit this vulnerability.

      TruSecure Corporation provides information security assurance services
including TruSecure which significantly reduces the likelihood of
participating companies having information security breaches in six areas of
risk: Electronic (hacking and related) risk, Malicious Code risk (virus,
Trojan worm and related), Privacy risk, Downtime risk, Physical risk and
Human Factors risk. See www.trusecure.com for further information on these
services.

      DISCLAIMER:
      Copyright 2001 TruSecure Corporation. All rights reserved. This Alert
is the property of the TruSecure Corporation. It may not be redistributed
except within your own company or organization. This Alert is being provided
for informational purposes only and is provided "AS IS." The TruSecure
Corporation makes no warranties of any kind, express or implied, including,
but not limited to warranties of merchantability, fitness for a particular
purpose, non-infringement, and warranties arising out of any course of
dealing or course of conduct.

      Impenetrable security is unattainable in real world environments; the
TruSecure Corporation cannot and does not guarantee protection against
breaches of security.

      IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS
INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND,
HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE
INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR
OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

------------------

Sydney Bogaert
Network Admin.
IGRETEC
 
A cynic is a blackguard whose faulty vision sees things as they are, not as
they ought to be. - Bierce


> -----Original Message-----
> From: Electron [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 20:11
> To: CyberTech
> Subject: [CCTK] Whoa
> 
> 
> Hi Electron,
> 
> Tuesday, September 18, 2001, 7:57:19 PM, you wrote:
> 
> Whoa, with the net being very slow (even Microsoft's site is
> abnormally slow), I am looking at the logs of my little Apache
> server.... I tell myself (with serious doubts) that maybe the
> Code Red virus is bringing servers to their knees...
> 
> AND what do I see!
> 
> SORRY, it's a bit long, but look at the times of the connections!
> 
> [Tue Sep 18 18:10:54 2001] [error] [client 217.153.49.51] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/default.ida
> [Tue Sep 18 18:11:02 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/root.exe
> [Tue Sep 18 18:11:02 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/msadc/root.exe
> [Tue Sep 18 18:11:03 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/c/winnt/system32/cmd.exe
> [Tue Sep 18 18:11:03 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/d/winnt/system32/cmd.exe
> [Tue Sep 18 18:11:03 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:11:03 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:11:03 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:11:04 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/msadc/..%5c/..%5c/..%5c/..�/..�/..�/wi
> nnt/system32/cmd.exe
> [Tue Sep 18 18:11:04 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..�/winnt/system32/cmd.exe
> [Tue Sep 18 18:11:04 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..��/winnt/system32/cmd.exe
> [Tue Sep 18 18:11:04 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..�oe/winnt/system32/cmd.exe
> [Tue Sep 18 18:11:05 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:11:05 2001] [error] [client 217.13.79.165] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%2f/winnt/system32/cmd.exe
> [Tue Sep 18 18:42:37 2001] [error] [client 217.154.27.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/root.exe
> [Tue Sep 18 18:42:37 2001] [error] [client 217.154.27.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/msadc/root.exe
> [Tue Sep 18 18:42:37 2001] [error] [client 217.154.27.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/c/winnt/system32/cmd.exe
> [Tue Sep 18 18:42:37 2001] [error] [client 217.154.27.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/d/winnt/system32/cmd.exe
> [Tue Sep 18 18:42:37 2001] [error] [client 217.154.27.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:42:38 2001] [error] [client 217.154.27.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:42:38 2001] [error] [client 217.154.27.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:58:20 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/root.exe
> [Tue Sep 18 18:58:24 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/msadc/root.exe
> [Tue Sep 18 18:58:25 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/c/winnt/system32/cmd.exe
> [Tue Sep 18 18:58:28 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/d/winnt/system32/cmd.exe
> [Tue Sep 18 18:58:28 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:58:32 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:58:32 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:58:42 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/msadc/..%5c/..%5c/..%5c/..�/..�/..�/wi
> nnt/system32/cmd.exe
> [Tue Sep 18 18:58:42 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..�/winnt/system32/cmd.exe
> [Tue Sep 18 18:58:47 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..��/winnt/system32/cmd.exe
> [Tue Sep 18 18:58:47 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..�oe/winnt/system32/cmd.exe
> [Tue Sep 18 18:58:56 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:59:01 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/root.exe
> [Tue Sep 18 18:59:01 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/msadc/root.exe
> [Tue Sep 18 18:59:02 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/c/winnt/system32/cmd.exe
> [Tue Sep 18 18:59:03 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/d/winnt/system32/cmd.exe
> [Tue Sep 18 18:59:03 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:59:04 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:59:04 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:59:05 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/msadc/..%5c/..%5c/..%5c/..�/..�/..�/wi
> nnt/system32/cmd.exe
> [Tue Sep 18 18:59:06 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..�/winnt/system32/cmd.exe
> [Tue Sep 18 18:59:06 2001] [error] [client 217.225.115.108] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%2f/winnt/system32/cmd.exe
> [Tue Sep 18 18:59:07 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..��/winnt/system32/cmd.exe
> [Tue Sep 18 18:59:07 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..�oe/winnt/system32/cmd.exe
> [Tue Sep 18 18:59:09 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 18:59:10 2001] [error] [client 217.162.53.27] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%2f/winnt/system32/cmd.exe
> [Tue Sep 18 19:26:27 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/root.exe
> [Tue Sep 18 19:26:27 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/msadc/root.exe
> [Tue Sep 18 19:26:27 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/c/winnt/system32/cmd.exe
> [Tue Sep 18 19:26:28 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/d/winnt/system32/cmd.exe
> [Tue Sep 18 19:26:28 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 19:26:28 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 19:26:28 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 19:26:28 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/msadc/..%5c/..%5c/..%5c/..�/..�/..�/wi
> nnt/system32/cmd.exe
> [Tue Sep 18 19:26:29 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..�/winnt/system32/cmd.exe
> [Tue Sep 18 19:26:29 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..��/winnt/system32/cmd.exe
> [Tue Sep 18 19:26:29 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..�oe/winnt/system32/cmd.exe
> [Tue Sep 18 19:26:30 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 19:26:30 2001] [error] [client 217.5.182.58] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%2f/winnt/system32/cmd.exe
> [Tue Sep 18 19:28:15 2001] [error] [client 217.87.21.25] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/root.exe
> [Tue Sep 18 19:28:21 2001] [error] [client 217.87.21.25] File 
> does not exist: c:/program files/apache 
> group/apache/wwwroot/msadc/root.exe
> [Tue Sep 18 19:59:16 2001] [error] [client 217.170.161.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/root.exe
> [Tue Sep 18 19:59:17 2001] [error] [client 217.170.161.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/root.exe
> [Tue Sep 18 19:59:20 2001] [error] [client 217.170.161.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/msadc/root.exe
> [Tue Sep 18 19:59:24 2001] [error] [client 217.170.161.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/c/winnt/system32/cmd.exe
> [Tue Sep 18 19:59:32 2001] [error] [client 217.170.161.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/d/winnt/system32/cmd.exe
> [Tue Sep 18 19:59:37 2001] [error] [client 217.170.161.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 19:59:41 2001] [error] [client 217.170.161.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 19:59:49 2001] [error] [client 217.170.161.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
> [Tue Sep 18 19:59:54 2001] [error] [client 217.170.161.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/msadc/..%5c/..%5c/..%5c/..�/..�/..�/wi
> nnt/system32/cmd.exe
> [Tue Sep 18 19:59:59 2001] [error] [client 217.170.161.16] 
> File does not exist: c:/program files/apache 
> group/apache/wwwroot/scripts/..�/winnt/system32/cmd.exe
> 
> Wouldn't that be the reason the net is a bit slow!
> 
> 
> ------------ 
> Best regards,
>  Electron    
> 
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> CCTK is brought to you by Emakina  <http://www.emakina.com>
> To unsubscribe <mailto:[EMAIL PROTECTED]>
> 
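
An added example, not part of the original messages: a Python triage of Apache error-log lines like those quoted above. It rejoins the mail-wrapped entries, groups the probes by client, and flags clients that cycle through several probe families within a minute. The family names, thresholds and sample addresses are assumptions made here; the request paths are the ones visible in the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime
# Shape of the Apache error_log entries in the quoted mail.
ENTRY = re.compile(r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                   r"File does not exist: (?P<path>.+)")
# Probe families (names are assumptions) built from paths in the quoted log; first match wins.
FAMILIES = [
    ("traversal-cmd", re.compile(r"\.\.[^/]*/.*cmd\.exe$", re.I)),
    ("backdoor-root.exe", re.compile(r"/(scripts|msadc)/root\.exe$", re.I)),
    ("mapped-drive-cmd", re.compile(r"/[cd]/winnt/system32/cmd\.exe$", re.I)),
    ("default.ida", re.compile(r"/default\.ida$", re.I)),
]

def unwrap(quoted_text):
    """Strip '> ' quoting and rejoin mail-wrapped entries up to a blank line."""
    entries, cont = [], False
    for raw in quoted_text.splitlines():
        line = re.sub(r"^>\s?", "", raw)
        if line.startswith("["):
            entries.append(line)
        elif cont and line.strip():
            entries[-1] += line
        cont = line.startswith("[") or (cont and bool(line.strip()))
    return entries

def classify(path):
    return next((name for name, rx in FAMILIES if rx.search(path)), None)

def summarize(quoted_text, window=60, min_families=3):
    """Per client: hits, families, burst length, and a 'scanner' flag."""
    seen = defaultdict(list)
    for entry in unwrap(quoted_text):
        m = ENTRY.match(entry)
        family = classify(m.group("path").strip()) if m else None
        if family:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            seen[m.group("ip")].append((ts, family))
    report = {}
    for ip, hits in seen.items():
        times, families = zip(*hits)
        span = (max(times) - min(times)).total_seconds()
        report[ip] = {"hits": len(hits), "families": sorted(set(families)), "span_s": span,
                      "scanner": len(set(families)) >= min_families and span <= window}
    return report

# Constructed sample input, quoted and wrapped the way the mail shows it;
# addresses are from documentation ranges, paths as in the quoted log.
def _quoted(ts, ip, path):
    return (f"> [Tue Sep 18 {ts} 2001] [error] [client {ip}] \n"
            "> File does not exist: c:/program files/apache \n"
            f"> group/apache/wwwroot/{path}\n")
SAMPLE = "".join([
    _quoted("18:10:54", "198.51.100.7", "default.ida"),
    _quoted("18:11:02", "192.0.2.10", "scripts/root.exe"),
    _quoted("18:11:03", "192.0.2.10", "c/winnt/system32/cmd.exe"),
    _quoted("18:11:03", "192.0.2.10", "scripts/..%5c/winnt/system32/cmd.exe"),
    _quoted("18:11:04", "192.0.2.10", "msadc/..%5c/..%5c/wi\n> nnt/system32/cmd.exe"),
    _quoted("18:12:00", "203.0.113.5", "favicon.ico"),
])
```

`summarize(SAMPLE)` returns one record per probing client; ordinary 404s such as the favicon request are ignored.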
