Security Incidents mailing list archives
Our summary of the NIMDA (CV) worm
From: "Bob Todd" <toddr () arc com>
Date: Tue, 18 Sep 2001 21:28:26 -0400
(BTW this is a compilation of stuff we learned at customer sites
and incidents@securityfocus reports)
INTRODUCTION
The Concept Validation (CV) worm also known as Nimda was
released around 0930 EDT 18 Sep 01. (Several sources noted that this
was exactly one week after the WTC/Pentagon terrorist attack).
This is probably the most comprehensive worm that we have
experienced to date. It appears to attack any Microsoft OS product
(except Windows 3.1 and Windows for Workgroups). The attack
mechanism has been observed in one of three ways:
1. Email with an exe binary disguised as a midi/wav file
2. A compromise of a web server using directory traversal
3. Access of a compromised web server.
As of this date, we know that (1) and (3) involve readme.eml and
readme.exe. We are not sure of the initial infection binary for (2).
It is important to note that any Microsoft client or server that has been
exposed to any of these environments is probably infected. At Advanced
Research, we use Outlook Express (patched through Dec 2000) and
we avoided the infection as when the message was read, a dialog box
asked us whether we wanted to execute or save. We understand that many
Outlook clients may not provide this option by default. The same is
true when Internet Explorer clients connected to infected Web sites.
Bottom line, if you are a Microsoft operating system user, your system
may have been compromised.
DETAILS
The commonly observed infection mechanism is through the execution
of the hidden email binary, readme.exe. We believe that it produces a
wealth of trojan and backdoor problems that include:
1. Multiple instances of Admin.dll in Web root directories of msadc
and/or scripts (and possibly other Web directories that are
executable). We do not know what Admin.dll does at this time
but know that it also may be replicated in c:\, d:\, and/or e:\
2. Possibly massive numbers of *.eml and *.nws files that were created
after 0600 EDT on 18 Sep 01 and contain the reference and contents
of readme.exe
3. One or more contaminated Web pages that contain a JavaScript
reference to readme.eml. This reference usually occurs at the end
of the web page(s). There is a site that APPEARS to be safe to
test your web browser. There is a start that is located at:
http://www.guninski.com/eml-desc.html
If MS wordpad comes up then your configuration is vulnerable.
4. It has been reported that infected machines will attempt to send email
to 202.106.185.107 when the machine is rebooted.
5. It appears that infected machines will launch a comprehensive IIS
directory traversal attack against random? targets. Where vulnerable,
it is believed that targets will be compromised by a similar worm.
6. In many instances there may be a trojan mmc.exe in c:\winnt. This
will be executed anytime explorer.exe is executed. There may be one
or more instances of mep*.exe which have modified or are modifying
local web pages.
7. There are reports that there are trojaned versions of riched20.dll
which could infect notepad and wordpad.
8. There are unconfirmed reports that it may be affecting Unix Samba
servers.
9. Analysis of the readme.exe executable indicates that it attempts to
add guest to the local administrators and local guests group. It
attempts to open the c$ drive. We have not found any positive
evidence that this actually worked.
10. Reports that load.exe has been installed as a hidden file that will
launch something after each reboot.
CLEANUP
1. Sources report that NAI has a 'cleaner' tool for this infection at:
http://download.nai.com/products/mcafee-avert/nimda2.exe
We have not verified its effectiveness.
2. SARA has been updated to detect infected home pages and
existence of Admin.dll in specific directories. SARA can be
found at
http://www-arc.com/sara/downloads/sara-3.4.9a.tar.gz
3. All files created/modified after 0600 18 Sep 01 should be
reviewed to confirm that they have not been tampered with.
______________________________________________
Bob Todd
Advanced Research Corporation ®
http://www-arc.com
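The post's DETAILS and CLEANUP sections amount to a short indicator list for a web root: Admin.dll dropped into msadc/scripts, a flood of *.eml and *.nws files written after 0600 EDT on 18 Sep 01, and web pages with a JavaScript reference to readme.eml appended at the end. The following scanner is an added example written for this archive page; it is not Bob Todd's code, not SARA, and not the NAI cleaner. It walks a directory and reports files matching those three indicators, using file modification time as the "created/modified after 0600 18 Sep 01" cut-off the post asks admins to review. The sample web root it builds (Admin.dll placeholder, a page with the readme.eml reference, one old and one new .eml file) is a constructed fixture, and the exact script text placed in the infected page is an assumption made for the fixture, not taken from the post.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Indicators taken from the post: Admin.dll dropped in web roots, readme.exe /
# readme.eml carried by mail, load.exe installed hidden, and a flood of *.eml /
# *.nws files written after 0600 EDT on 18 Sep 2001 (EDT = UTC-4).
CUTOFF = datetime(2001, 9, 18, 6, 0, tzinfo=timezone(timedelta(hours=-4)))
SUSPECT_NAMES = {"admin.dll", "readme.exe", "readme.eml", "load.exe"}
MAIL_SUFFIXES = {".eml", ".nws"}
WEB_SUFFIXES = {".htm", ".html", ".asp"}
EML_REF = re.compile(r"readme\.eml", re.IGNORECASE)


def scan_tree(root):
    """Walk a web root and return sorted (relative_path, reason) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if path.name.lower() in SUSPECT_NAMES:
            findings.append((rel, "known worm filename"))
        if suffix in MAIL_SUFFIXES:
            # The post says to review everything touched after the cut-off;
            # mtime is the closest portable proxy for "created/modified".
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if mtime > CUTOFF:
                findings.append((rel, "eml/nws file modified after cutoff"))
        if suffix in WEB_SUFFIXES:
            # The post reports a JavaScript reference to readme.eml appended
            # to infected pages; any mention of that name is worth a look.
            if EML_REF.search(path.read_text(errors="replace")):
                findings.append((rel, "web page references readme.eml"))
    return sorted(findings)


def _set_mtime(path, when):
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def build_demo_tree(base):
    """Construct a sample web root (constructed fixture, not real worm files)."""
    base = Path(base)
    (base / "scripts").mkdir()
    (base / "scripts" / "Admin.dll").write_bytes(b"placeholder, not a real binary")
    (base / "about.html").write_text("<html><body>Clean page</body></html>\n")
    # Assumed shape of the appended reference; the post only says "a JavaScript
    # reference to readme.eml" at the end of the page.
    (base / "index.html").write_text(
        "<html><body>Welcome</body></html>\n"
        '<script language="JavaScript">window.open("readme.eml")</script>\n'
    )
    old = base / "old.eml"
    old.write_text("From: archive\n\nold message, predates the outbreak\n")
    _set_mtime(old, datetime(2001, 9, 1, tzinfo=timezone.utc))
    new = base / "new.eml"
    new.write_text("From: nobody\n\nwritten during the outbreak\n")
    _set_mtime(new, datetime(2001, 9, 18, 18, 0, tzinfo=timezone.utc))  # 1400 EDT


def demo():
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:40} {rel}")
```

Point scan_tree() at a real web root (or at c:\, d:\, e:\ where the post says Admin.dll may also land) and triage the output by hand; a hit on the mtime cut-off alone is only a prompt to review the file, as the post itself recommends, not proof of infection.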
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com