[iwar] [fc:Details.on.the.worm]

From: Fred Cohen (fc@all.net)
Date: 2001-09-18 19:17:32


Hey,

We have been receiving reports of a new worm from a large number of
users.  Instead of deluging BUGTRAQ with traffic more appropriate for
INCIDENTS, we are posting a summary of the worm and the vulnerabilities
it exploits:

A new worm named W32/Nimda-A (known aliases are Nimda, Minda, Concept V,
Code Rainbow), which targets the Microsoft Windows platform, began to
proliferate on an extremely large scale on the morning of September 18, 2001.
It attempts to spread via three mechanisms: as an email attachment, a
web defacement download, and through exploitation of known IIS
vulnerabilities.  Collateral damage includes network performance
degradation due to high consumption of bandwidth during the propagation
process.  There have been reports of Apache servers being inadvertently
affected by Nimda by being subjected to a denial of service condition
(the configuration of these servers is not known).

This worm takes advantage of multiple vulnerabilities and backdoors. 
The worm spreads via e-mail and the web.  Through the e-mail vector, the
worm arrives in the user's inbox as a message with a variable subject
line.  The e-mail contains an attachment named 'readme.exe'.  This worm
formats the e-mail in such a way as to take advantage of a hole in older
versions of Internet Explorer.  Outlook mail clients use the Internet
Explorer libraries to display HTML e-mail, so by extension Outlook and
Outlook Express are vulnerable as well, if Internet Explorer is
vulnerable.  The hole allows the readme.exe program to execute
automatically as soon as the e-mail is previewed or read. 

Once it has infected a new victim, it mails copies of itself to other
potential victims, and begins scanning for vulnerable IIS Web servers. 
When scanning for vulnerable IIS servers, it attempts to exploit the
Unicode hole (bid 1806) and the escaped characters decoding command
execution vulnerability (bid 2708).  It also attempts to access the
system via the root.exe backdoor left by Code Red II.  Once it finds a
vulnerable IIS server, it installs itself in such a way that visitors to
the now-infected web site will be sent a copy of a .eml file, which is a
copy of the e-mail that gets sent.  If the victim is using Internet
Explorer as their browser, and they are vulnerable to the hole, they
will execute the readme.exe attachment in the same way as if they had
viewed an infected e-mail message. 

Attack Data:

Examination of the worm reveals the following attack strings used to
exploit IIS Web servers. 

'/scripts/..%255c..'
'/_vti_bin/..%255c../..%255c../..%255c..'
'/_mem_bin/..%255c../..%255c../..%255c..'
'/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
'/scripts/..%c1%1c..'
'/scripts/..%c0%2f..'
'/scripts/..%c0%af..'
'/scripts/..%c1%9c..'
'/scripts/..%%35%63..'
'/scripts/..%%35c..'
'/scripts/..%25%35%63..'
'/scripts/..%252f..'

To those strings are added /winnt/system32/cmd.exe?/c+dir

Other attacks include:

'/scripts/root.exe?/c+dir'
'/MSADC/root.exe?/c+dir'

It is believed that all of the vulnerabilities exploited by this worm
are known. 

The links below provide fix information.  Administrators and users are
advised to apply patches as soon as possible.  If further analysis
concludes that other vulnerabilities are involved, updated information
will be posted to the list. 

See:

Bugtraq ID: 2524 / CVE ID: CAN-2001-0154
Microsoft Security Bulletin MS01-020
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
VulDB: http://www.securityfocus.com/bid/2524

Bugtraq ID: 2708 / CVE ID:  CAN-2001-0333
Microsoft Security Bulletin MS01-026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
VulDB: http://www.securityfocus.com/bid/2708

Bugtraq ID: 1806 / CVE ID:  CVE-2000-0884
Microsoft Security Bulletin MS00-078
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
VulDB: http://www.securityfocus.com/bid/1806

Microsoft IIS Lockdown Tool:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp

References:

Symantec W32.Nimda.A@mm
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

McAfee W32/Nimda@MM
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209

Sophos W32/Nimda-A
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

For discussion of infection or attack attempts, subscribe to the INCIDENTS
mailing list.  For discussion of the worm itself and others, FORENSICS and
FOCUS-VIRUS are more appropriate than BUGTRAQ.

---

Dave Ahmad
Security Focus
www.securityfocus.com
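As an added defensive example (my own code, not part of Dave Ahmad's post or any vendor tool), the following Python normalizes request paths the way the vulnerable IIS decoders did (two %-decoding passes for the bid 2708 bug, a lenient overlong 2-byte fold for the bid 1806 Unicode hole) and flags requests that walk out of the web root or call cmd.exe/root.exe. The simplified log layout, sample lines and helper names are assumptions made for the example.

```python
import re

PCT = re.compile(rb'%([0-9A-Fa-f]{2})')
OVERLONG = re.compile(rb'[\xc0\xc1](.)', re.DOTALL)
SHELL = re.compile(r'(?i)/(cmd|root)\.exe(?:\?|$)')

def decode_once(raw):
    # Decode valid %XX escapes only; a lone or malformed '%' is left in place,
    # which is why '%%35%63' becomes '%5c' on pass one and '\' on pass two.
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def fold_overlong(raw):
    # Lenient 2-byte decode in the spirit of the Unicode hole (bid 1806): a C0/C1
    # lead byte is accepted and the next byte is not checked as a continuation,
    # so c0 af and c0 2f fold to '/' while c1 9c and c1 1c fold to '\'.
    return OVERLONG.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)]), raw)

def normalize(path):
    # Two decode passes model the escaped-characters bug (bid 2708); backslashes
    # become '/' so one traversal check covers both separators.
    raw = decode_once(decode_once(path.encode('latin-1')))
    return fold_overlong(raw).decode('latin-1').replace('\\', '/')

def escapes_web_root(norm):
    depth = 0  # a '..' segment at depth 0 walks out of the web root
    for seg in norm.split('?', 1)[0].split('/'):
        if seg == '..':
            if depth == 0:
                return True
            depth -= 1
        elif seg not in ('', '.'):
            depth += 1
    return False

def is_nimda_probe(path):
    norm = normalize(path)
    return escapes_web_root(norm) or SHELL.search(norm) is not None

# Constructed sample lines (simplified W3C layout): date time c-ip method uri status
SAMPLE_LOG = """\
2001-09-18 09:12:01 192.0.2.10 GET /default.htm 200
2001-09-18 09:12:03 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 200
2001-09-18 09:12:04 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 404
2001-09-18 09:12:05 192.0.2.10 GET /MSADC/root.exe?/c+dir 404
2001-09-18 09:12:06 198.51.100.7 GET /images/logo.gif 200
"""

def flag_probes(log):
    # Return "client-ip uri" for every request that matches a probe pattern.
    return [f"{f[2]} {f[4]}" for f in (l.split() for l in log.splitlines())
            if len(f) >= 5 and is_nimda_probe(f[4])]
```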

------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:45 PDT