[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [fwd] nimda worm (from bugtraq)



This is a Linux list. Linux users have not to worry about viruses.
Only Micro$oft can be infected....

    Regards,

       Jos.

Tyler Spivey   
> 
> Subj: Nimda Worm
> 
> Hey,
> 
> We have been receiving reports of a new worm from a large number of users.
> Instead of deluging BUGTRAQ with traffic more appropriate for INCIDENTS,
> we are posting a summary of the worm and the vulnerabilities it exploits:
> 
> A new worm named W32/Nimda-A (known aliases are Nimda,
> Minda, Concept V, Code Rainbow) began to proliferate the morning of
> September 18, 2001 on an extremely large scale that targets the Microsoft
> Windows platform.  It attempts to spread via three mechanisms; as an email
> attachment, a web defacement download, and through exploitation of known
> IIS vulnerabilities.  Collateral damage include network performance
> degradation due to high consumption of bandwidth during the propagation
> process.  There have been reports of Apache Servers being inadvertantly
> affected by Nimda by being subjected to a denial of service condition (the
> configuration of these servers is not known).
> 
> This worm takes advantage of multiple vulnerabilities
> and backdoors.  The worm spreads via e-mail and the web.  Through the
> e-mail vector, the worm arrives in the users inbox as a message with a
> variable subject line.  The e-mail contains an attachment named
> 'readme.exe'. This worm formats the e-mail in such a way as to take
> advantage of a hole in older versions of Internet Explorer.  Outlook
> mail clients use the Internet Explorer libraries to display HTML e-mail,
> so by extension Outlook and Outlook Express are vulnerable as well, if
> Internet Explorer is vulnerable.  The hole allows the readme.exe program
> to execute automatically as soon as the e-mail is previewed or read.
> 
> Once it has infected a new victim, it mails copies of itself to other
> potential victims, and begins scanning for vulnerable IIS Web servers.
> When scanning for vulnerable IIS servers, it attempts to exploit the
> Unicode hole (bid 1806) and the escaped characters decoding command
> execution vulnerability (bid 2708).  It also attempts to access
> the system via the root.exe backdoor left by Code Red II.  Once it
> finds a vulnerable IIS server, it installs itself in such a way that
> visitors to the now-infected web site will be sent a copy of a .eml
> file, which is a copy of the e-mail that gets sent.  If the victim is
> using Internet Explorer as their browser, and they are vulnerable to the
> hole, they will execute the readme.exe attachment in the same way as if
> they had viewed an infected e-mail message.
> 
> Attack Data:
> 
> Examination of the worm reveals the following attack strings
> used to exploit IIS Web servers.
> 
> '/scripts/..%255c..'
> '/_vti_bin/..%255c../..%255c../..%255c..'
> '/_mem_bin/..%255c../..%255c../..%255c..'
> '/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
> '/scripts/..%c1%1c..'
> '/scripts/..%c0%2f..'
> '/scripts/..%c0%af..'
> '/scripts/..%c1%9c..'
> '/scripts/..%%35%63..'
> '/scripts/..%%35c..'
> '/scripts/..%25%35%63..'
> '/scripts/..%252f..'
> 
> To those strings are added /winnt/system32/cmd.exe?/c+dir
> 
> Other attacks include:
> 
> '/scripts/root.exe?/c+dir'
> '/MSADC/root.exe?/c+dir'
> 
> It is believed that all of the vulnerabilities exploited by this worm are
> known.
> 
> The links below provide fix information.  Administrators and users are
> advised to apply patches as soon as possible.  If further analysis
> concludes that other vulnerabilities are involved, updated information
> will be posted to the list.
> 
> See:
> 
> Bugtraq ID: 2524 / CVE ID: CAN-2001-0154
> Microsoft Security Bulletin MS01-020
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
> VulDB: http://www.securityfocus.com/bid/2524
> 
> Bugtraq ID: 2708 / CVE ID:  CAN-2001-0333
> Microsoft Security Bulletin MS01-026
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
> VulDB: http://www.securityfocus.com/bid/2708
> 
> Bugtraq ID: 1806 / CVE ID:  CVE-2000-0884
> Microsoft Security Bulletin MS00-078
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
> http://www.securityfocus.com/bid/1806
> 
> Microsoft IIS Lockdown Tool:
> 
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp
> 
> References:
> 
> Symantec W32 Nimda A mm
> http://www.symantec.com/avcenter/venc/data/w32 nimda a mm html
> 
> McAfee W32/Nimda MM
> http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
> 
> Sophos W32/Nimda-A
> http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
> 
> For discussion of infection or attack attempts, subscribe to the INCIDENTS
> mailing list.  For discussion of the worm itself and others, FORENSICS and
> FOCUS-VIRUS are more appropriate than BUGTRAQ.
> 
> ---
> 
> Dave Ahmad
> Security Focus
> www.securityfocus.com
> 
> 
> 
> _______________________________________________
> Blinux-list mailing list
> Blinux-list redhat com
> https://listman.redhat.com/mailman/listinfo/blinux-list
> 


-- 

   -------------------------------
   Jos Lemmens
   Madoerastraat 78
   3131 ZL  Vlaardingen
   The Netherlands
   Tel.: + 31-(0)10-248 0 266
   E-mail: jos jlemmens nl
   Homepage: www.jlemmens.nl





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]