[Date Prev][Date
Next][Thread Prev][Thread Next][Date
Index][Thread Index]
RE: IIS Worm
- To: <ukha_d@xxxxxxx>
- Subject: RE: IIS Worm
- From: "Mark Hetherington \(egroups\)" <mark.egroups@xxxxxxx>
- Date: Wed, 19 Sep 2001 00:52:17 +0100
- Delivered-to: mailing list ukha_d@xxxxxxx
- Mailing-list: list ukha_d@xxxxxxx; contact
ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
All good but note this worm is Code Rainbow or Nimda (W32.nimda.a.mm), not
Code Red or Blue so the fixes listed might not completely fix a system
exploited by Nimda. Since there are many similarities, then it may work,
but
do not restart IIS after installing these fixes unless you are certain that
the system is once again secure.
Once other recommendation (in addition to comments I made in another post)
is to make sure the web server is just a web server (to prevent
confidential
information being compromised) and the LAN is protected from it. One of the
things about Nimda, is it will attempt to abuse local shares on a LAN. A
webserver should be inside a firewall, but access restrictions to and from
the LAN should also be in place to protect the LAN from a web server based
infection.
Mark.
> -----Original Message-----
> From: Gareth Cook/STA/Lotus [mailto:gcook@xxxxxxx]
> Sent: 18 September 2001 23:03
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] IIS Worm
>
>
> There are two recent hits - first was CodeRed, and last week, CodeBlue
>
> CodeRed
> To remove the worm:
>
>
> Automated Process
>
> Download the Microsoft fix tool. This tool will remove the effects of
the
> Code Red Virus. You still need to apply the IIS patch to prevent
> re-infection.
>
> This tool will reboot Windows 2000 systems. Windows NT systems need
to
> reboot after applying the Microsoft Fix tool. Regardless, please
ensure
> that a reboot has taken place after applying the fix tool.
>
>
> Manual Process
>
> 1. Download, obtain and apply the patch from the following Web site:
>
> http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
>
> 2. Terminate the current process associated with the dropped Trojan
(NAV
> detects this as Trojan.VirtualRoot) by following these steps:
>
>
> 1. Press CTRL-ALT-DELETE and click on Task Manager.
> 2. Click on the tab titled Processes.
> 3. Click on the box titled Image Name to sort the processes
> alphabetically.
> 4. You should find 2 processes titled Explorer.exe, one of them is
> legitimate, the other is the Trojan.
> 5. To insure that the correct process is terminated, from the View
menu
> choose "Select Columns...".
> 6. Once the dialog box opens make sure there is a checkmark in the
"Thread
> Count" box, then select OK.
> 7. A new column will appear in the Task manager listing the current
number
> of threads associated with each process.
> 8. Of the 2 Explorer.exe processes, click on the one which has only 1
> thread.
> 9. Once selected, press the End Process button located at the
> bottom of the
> Task Manager window.
> 10. A warning message will appear, click YES to terminate the process.
> 11. Close the Task Manager by selecting the option End Task Manager
from
> the File menu.
>
>
> 3. Next you must delete the explorer.exe files which have been created
on
> the infected system. These files are hidden, system files which are
read
> only. To delete them, perform the following steps:
>
>
> 1. Open a command prompt by clicking on Start -> Run.
> 2. Type in cmd and hit enter.
> 3. Change to the root directory by typing cd c:\ and hitting enter.
> 4. You will be required to change the attributes on the explorer.exe
file.
> This is done by typing the command attrib -h -s -r explorer.exe
> and hitting
> enter.
> 5. Then type del explorer.exe and hit enter. The Trojan will be
deleted
> from the C drive.
> 6. At the prompt, type d: then hit enter to change to the D drive if
> present.
> 7. Change to the root directory by typing cd d:\ and hitting enter.
> 8. You will be required to change the attributes on the explorer.exe
file.
> This is done by typing the command attrib -h -s -r explorer.exe
> and hitting
> enter.
> 9. Then type del explorer.exe and hit enter. The Trojan will be
deleted
> from the D drive.
> 10. Type exit and hit enter to close the command prompt window.
>
>
> 4. It is safe to delete the following 4 files if they exist (They are
> simply copies of the file %Windir%\root.exe):
> C:\inetpub\Scripts\Root.exe
> D:\inetpub\Scripts\Root.exe
> C:\progra~1\Common~1\System\MSADC\Root.exe
> D:\Progra~1\Common~1\System\MSADC\Root.exe
>
>
> 5. The final step requires modifying the registry to undo the
> changes which
> have been made. Please see the next section titled To edit the
> registry and
> remove keys and changes made by the worm to complete the removal
process.
>
>
> To edit the registry and remove keys and changes made by the worm:
>
> CAUTION: We strongly recommend that you back up the system registry
before
> making any changes. Incorrect changes to the registry can result in
> permanent data loss or corrupted files. Please make sure you modify
only
> the keys specified in this document. For more information about
> how to back
> up the registry, please read How to back up the Windows registry
before
> proceeding with the following steps. If you are concerned that you
cannot
> follow these steps correctly, then please do not proceed. Consult a
> computer technician for more information.
>
> 1. Click Start, and click Run. The Run dialog box appears.
> 2. Type regedit and hit enter to start the Registry editor.
> 3. Navigate to and select the following key:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
> Services\W3SVC\Parameters\Virtual Roots
>
> 4. In the right window pane you will see a number of values. 2 of
these
> values can be deleted entirely as they were created by CodeRed.v3.
>
>
> 1. Select the value
>
> /C
>
> 2. Press Delete and then click Yes to confirm.
> 3. Select the value
>
> /D
>
> 4. Press Delete and then click Yes to confirm.
> 5. Double-click the value
>
> /MSADC
>
> 6. Delete only the digits 217 from the current value data and replace
them
> with the digits 201, then click OK.
> 7. Double-click the value
>
> /Scripts
>
> 8. Delete only the digits 271 from the current value data and replace
them
> with the digits 201, then click OK.
>
>
> 5. Steps 5-7 apply to Windows 2000 systems. Navigate to and select the
> following key:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\
> CurrentVersion\WinLogon
>
> 6. Double-click the value
>
> SFCDisable
>
> 7. Delete the current value data, and then type: 0 (That is, type the
> following character: zero), then click OK.
> 8. Reboot the system to insure that CodeRed.v3 has been properly
removed.
>
>
>
>
>
>
>
> CodeBlue
> Patch availability
>
> NOTE> If you install IIS after the patch is applied, you MUST
reapply the
> Microsoft Patch again
>
> Download locations for this patch
> Windows NT 4.0:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
> Windows 2000 Professional, Server and Advanced Server:
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
> Windows 2000 Datacenter Server:
> Patches for Windows 2000 Datacenter Server are hardware-specific and
> available from the original equipment manufacturer.
> Windows XP beta:
> The vulnerability is eliminated beginning with Windows XP Release
> Candidate
> 1.
>
>
> --------------+---------------------+----------------------+-----
> -------------------
> (Embedded Gareth Cook Office: +44 (0) 1784
> Work: g@xxxxxxx
> image moved Senior Engineering 445 166
> Personal:
> to file: Specialist Mobile: +44 (0) 7980
> g@xxxxxxx
> pic06900.jpg) EMEA ED, IBM SWG 445 166
> AIM Chat : TheBoyG
> Lotus Park, Staines, Fax: +44 (0)
>
> TW18 3AG 1784 499 166
>
> --------------+---------------------+----------------------+-----
> -------------------
>
>
>
> ----- Forwarded by Gareth Cook/STA/Lotus on 18/09/2001 23:00 -----
>
>
> Discussion .
>
> Main Topic
>
> Subject:
>
> "Graham Howe" .
>
> <graham@xxxxxxx> RE: [ukha_d] IIS Worm
>
> Today 21:32 .
>
> Category:
>
>
>
>
>
>
>
>
>
>
> ----------------------+-------------------------------------------
-------------------------------------------
>
>
>
> My server has been hit, any idead what to do about it?
>
> Graham
>
> > -----Original Message-----
> > From: Mark Hetherington (egroups)
> > [mailto:mark.egroups@xxxxxxx]
> > Sent: 18 September 2001 21:02
> > To: ukha_d@xxxxxxx
> > Subject: RE: [ukha_d] IIS Worm
> >
> >
> > A seemingly very prolific one it seems given the huge number of
http
> > requests my PC is getting. (There is a web server there but
> > no tpublished
> > and nothing on it) Getting 4+ attempts per incoming IP so
> > seems likely to be
> > the worm. I have been getting them for a while now but
> > tonight has been
> > almost constant since logon.
> >
> > My Norton Internet Security installation has never been so busy
:)
> >
> > Mark.
> >
> > > -----Original Message-----
> > > From: Broadfoot, Kieran J [mailto:Kieran.Broadfoot@xxxxxxx]
> > > Sent: 18 September 2001 17:40
> > > To: 'ukha_d@xxxxxxx'
> > > Subject: [ukha_d] IIS Worm
> > >
> > >
> > >
> > > Those of you who need to concern yourselves with these
> > kinds of things
> > > probably know but for those who dont you might want to shut
> > down your IIS
> > > servers if you are directly connected to the web right now
> > (w32.nimda.amm)
> > >
> > > There is a rather nasty new worm out and about on a pipe
near you.
> > >
> > > http://slashdot.org/articles/01/09/18/151203.shtml
> > >
> > > Thanks
> > > kieran
> > >
> > > For more information: http://www.automatedhome.co.uk
> > > Post message: ukha_d@xxxxxxx
> > > Subscribe: ukha_d-subscribe@xxxxxxx
> > > Unsubscribe: ukha_d-unsubscribe@xxxxxxx
> > > List owner: ukha_d-owner@xxxxxxx
> > >
> > > Your use of Yahoo! Groups is subject to
> > http://docs.yahoo.com/info/terms/
> > >
> > >
> > >
> >
> >
> > For more information: http://www.automatedhome.co.uk
> > Post message: ukha_d@xxxxxxx
> > Subscribe: ukha_d-subscribe@xxxxxxx
> > Unsubscribe: ukha_d-unsubscribe@xxxxxxx
> > List owner: ukha_d-owner@xxxxxxx
> >
> > Your use of Yahoo! Groups is subject to
> > http://docs.yahoo.com/info/terms/
> >
> >
> >
> >
>
>
> For more information: http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe: ukha_d-subscribe@xxxxxxx
> Unsubscribe: ukha_d-unsubscribe@xxxxxxx
> List owner: ukha_d-owner@xxxxxxx
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
>
>
>
>
> For more information: http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe: ukha_d-subscribe@xxxxxxx
> Unsubscribe: ukha_d-unsubscribe@xxxxxxx
> List owner: ukha_d-owner@xxxxxxx
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
>
>
For more information: http://www.automatedhome.co.uk
Post message: ukha_d@xxxxxxx
Subscribe: ukha_d-subscribe@xxxxxxx
Unsubscribe: ukha_d-unsubscribe@xxxxxxx
List owner: ukha_d-owner@xxxxxxx
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
Home |
Main Index |
Thread Index
|