The UK Home Automation Archive


RE: IIS Worm




Here is some info...

Andy


Name:       Win32.Nimda.A@mm
Aliases:    W32/Nimda.A
Type:       File Infector & Internet Worm, written in Visual C language
Size:       57344 bytes
Risk:       High
ITW:        Yes

Description:

This virus comes through e-mail as an attached file, with the body of the
mail apparently empty but which actually contains code to use an exploit
which will execute the virus when the user just views the message (if
using Outlook or Outlook Express without the latest Service Packs or
patches from Microsoft). When it is installed it copies itself into the
system directory with the name load.exe. Also it copies over the library
riched20.dll, modifying itself to be loaded as a DLL (Dynamically Linked
Library). This DLL is used by applications that work with Richedit Text
Format such as Wordpad.

To be activated at every reboot the virus modifies system.ini in the boot
section by writing the following line: shell=explorer.exe load.exe -dontrunold

In Windows NT/2000 the virus attaches a thread to explorer.exe to run its
viral code, and in Windows 95/98/ME it registers itself as a service
process. With these actions the virus remains invisible to the user.

To spread it uses MAPI (Mailing API) functions to read the user's e-mails,
from which it extracts SMTP (Simple Mail Transfer Protocol) server
addresses and e-mail addresses. It is also able to send e-mails without
MAPI functions, by connecting directly to an SMTP server.

Another method to spread is by using the Unicode Web Traversal exploit,
similar to CodeBlue. Information and a patch for this exploit are located
at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
The virus creates 200 threads and tries to send itself, using the
specified exploit, to an IIS server. Using this exploit the virus gets
control of the execution flow on that server and downloads itself under
the name admin.dll, then puts HTML code in the web page hosted by the IIS
server to download the virus. To do this it tries to modify the files
with the name index, main or default and with the extension one of
.html, .htm or .asp.

Also the virus enumerates the network resources visible to the infected
computer and tries to copy itself into shares.

When running in Windows NT/2000, the virus is capable of infecting files
by attaching the executable as a resource with raw data named f in the
virus program. When the infected file is executed the virus has control
and executes the original file so the user doesn't notice anything
unusual. This is accomplished by dropping that f resource in a file with
the same name as the original but with a space appended, followed by
..exe. The virus reads from the registry the keys contained in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths.
This key contains the paths to all applications installed in the system.
One exception of the infection routine is that the virus avoids infecting
the file winzip32.exe.

Also, when running under NT, the virus creates the user guest with no
password and adds it to the Administrators group. It creates a share for
every root directory (from C to Z) with all access rights.

The virus is able to disable the proxy by modifying the keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable 0
HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable 0

Leaving the library riched20.dll overwritten by the virus will reactivate
it when a program using this library is executed.

As a signature the following text can be found in the file: Concept
Virus(CV) V.5, Copyright(C)2001 R.P.China


*********** REPLY SEPARATOR  ***********

On 18/09/01 at 21:31 Graham Howe wrote:

>My server has been hit, any ideas what to do about it?
>
>Graham
>
>> -----Original Message-----
>> From: Mark Hetherington (egroups)
>> [mailto:mark.egroups@xxxxxxx]
>> Sent: 18 September 2001 21:02
>> To: ukha_d@xxxxxxx
>> Subject: RE: [ukha_d] IIS Worm
>>
>>
>> A seemingly very prolific one it seems given the huge number of http
>> requests my PC is getting. (There is a web server there but not published
>> and nothing on it) Getting 4+ attempts per incoming IP so seems likely to be
>> the worm. I have been getting them for a while now but tonight has been
>> almost constant since logon.
>>
>> My Norton Internet Security installation has never been so busy :)
>>
>> Mark.
>>
>> > -----Original Message-----
>> > From: Broadfoot, Kieran J [mailto:Kieran.Broadfoot@xxxxxxx]
>> > Sent: 18 September 2001 17:40
>> > To: 'ukha_d@xxxxxxx'
>> > Subject: [ukha_d] IIS Worm
>> >
>> >
>> >
>> > Those of you who need to concern yourselves with these kinds of things
>> > probably know but for those who don't you might want to shut down your IIS
>> > servers if you are directly connected to the web right now (w32.nimda.amm)
>> >
>> > There is a rather nasty new worm out and about on a pipe near you.
>> >
>> > http://slashdot.org/articles/01/09/18/151203.shtml
>> >
>> > Thanks
>> > 	kieran
>> >
>> > For more information: http://www.automatedhome.co.uk
>> > Post message: ukha_d@xxxxxxx
>> > Subscribe:  ukha_d-subscribe@xxxxxxx
>> > Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
>> > List owner:  ukha_d-owner@xxxxxxx
>> >
>> > Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
>> >
>> >
>> >


--- Tag-it! v2.0 (c) Andy Powell 1998

This tagline is guaranteed dolphin-free.
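The host-side indicators in the description above (the system.ini shell line, the guest account in Administrators, shares on every drive root, and the three proxy registry values) can be checked with a small triage routine. This is an added example, not part of the original message or of any vendor tool; it assumes the artefacts have already been collected from the suspect machine into plain data (the sample values below are constructed), so it runs offline.

```python
import configparser
import re

# Host indicators quoted from the description above.
PERSIST_SHELL = "load.exe -dontrunold"
PROXY_KEYS = {  # registry value path -> value the worm writes
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy": 1,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable": 0,
    r"HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable": 0,
}

def check_system_ini(text: str) -> bool:
    """True if the [boot] shell= line of system.ini runs load.exe -dontrunold."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return PERSIST_SHELL in cp.get("boot", "shell", fallback="").lower()

def check_admin_group(members: list) -> bool:
    """True if 'guest' appears among the local Administrators members."""
    return any(m.lower() == "guest" for m in members)

def check_root_shares(shares: list) -> list:
    """Names of shares whose path is a bare drive root C: .. Z:."""
    return [s["name"] for s in shares if re.fullmatch(r"[C-Zc-z]:\\?", s["path"])]

def check_proxy_values(reg: dict) -> list:
    """Registry value paths that hold exactly the value the worm writes."""
    return [k for k, v in PROXY_KEYS.items() if reg.get(k) == v]

def triage(system_ini: str, admins: list, shares: list, reg: dict) -> list:
    """Collect human-readable findings; an empty list means no indicator matched."""
    findings = []
    if check_system_ini(system_ini):
        findings.append("system.ini [boot] shell line loads load.exe -dontrunold")
    if check_admin_group(admins):
        findings.append("guest is a member of the local Administrators group")
    findings += [f"drive root exposed as share {n}" for n in check_root_shares(shares)]
    findings += [f"proxy disabled via {k}" for k in check_proxy_values(reg)]
    return findings

# Constructed sample artefacts standing in for a real collection step.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\ndevice=*vpowerd\n"
SAMPLE_ADMINS = ["Administrator", "guest"]
SAMPLE_SHARES = [{"name": "C$", "path": "C:\\"}, {"name": "D$", "path": "D:\\"},
                 {"name": "Public", "path": "C:\\Users\\Public"}]
SAMPLE_REG = dict(PROXY_KEYS)  # all three values as the worm leaves them

if __name__ == "__main__":
    for line in triage(SAMPLE_SYSTEM_INI, SAMPLE_ADMINS, SAMPLE_SHARES, SAMPLE_REG):
        print("FINDING:", line)
```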



