[Snort-users] Shut them down, I have had enough...

Xno Xutz xnoxutz at ...131...
Wed Sep 19 02:49:08 EDT 2001


this may be the MIMDA/NIMDA thing. If you have not
seen this yet, here an advisory.



-----Mensagem original-----
De: CERT Advisory [mailto:cert-advisory at ...241...]
Enviada em: terça-feira, 18 de setembro de 2001 20:32
Para: cert-advisory at ...241...
Assunto: CERT Advisory CA-2001-26


CERT Advisory CA-2001-26 Nimda Worm

   Original release date: September 18, 2001
   Source: CERT/CC

   A complete revision history is at the end of this

Systems Affected

     * Systems running Microsoft Windows 95, 98, ME,
NT, and 2000


   The  CERT/CC  has  received reports of new
malicious code known as the
   "W32/Nimda  worm"  or  the  "Concept  Virus  (CV) 
v.5." This new worm
   appears to spread by multiple mechanisms:

     * from client to client via email

     * from client to client via open network shares

     * from web server to client via browsing of
compromised web sites

     * from client to web server via active scanning
for and exploitation
       of the "Microsoft IIS 4.0 / 5.0 directory
traversal" vulnerability
       (VU #111677)

     * from  client  to  web  server via scanning for
the back doors left
       behind  by  the  "Code  Red  II"  (IN-2001-09),
 and "sadmind/IIS"
       (CA-2001-11) worms

   Initial  analysis  indicates  that  the  worm 
contains no destructive
   payload  beyond  modification  of  web  content  to
facilitate its own

   We  are  also  receiving  reports  of denial of
service as a result of
   network scanning and email propagation.

I. Description

   The  Nimda  worm  has  the  potential to affect
both user workstations
   (clients)  running Windows 95, 98, ME, NT, or 2000
and servers running
   Windows NT and 2000.

   Email Propagation

   This    worm   propagates   through   email  
arriving   as   a   MIME
   "multipart/alternative"  message consisting of two
sections. The first
   section  is defined as MIME type "text/html", but
it contains no text,
   so the email appears to have no content. The second
section is defined
   as   MIME   type  "audio/x-wav",  but  it  contains
 a  base64-encoded
   attachment named "readme.exe", which is a binary

   Due to a vulnerability described in CA-2001-06
(Automatic Execution of
   Embedded  MIME  Types),  any  mail software running
on an x86 platform
   that  uses  Microsoft  Internet Explorer 5.5 SP1 or
earlier (except IE
   5.01  SP2)  to  render  the  HTML mail
automatically runs the enclosed
   attachment and, as result, infects the machine with
the worm. Thus, in
   vulnerable  configurations,  the  worm  payload 
will automatically be
   triggered  by  simply opening (or previewing) this
mail message. As an
   executable binary, the payload can also be
triggered by simply running
   the attachment.

   The  email  message delivering the Nimda worm
appears to also have the
   following characteristics:

     * The  text  in  the  subject line of the mail
message appears to be
       variable,  but  those  seen  to  date have been
over 80 characters

     * There  appear  to  be  many slight variations
in the attach binary
       file,  causing  the MD5 checksum to be
different when one compares
       different  attachments from different email
messages. However, the
       file  length  of  the  attachment appears to
consistently be 57344


   Infected  client machines attempt to send copies of
the Nimda worm via
   email to all addresses found in the Windows address

   Likewise,  the  client  machines  begin  scanning 
for  vulnerable IIS
   servers.  Nimda  looks  for backdoors left by
previous IIS worms: Code
   Red  II  [IN-2001-09]  and  sadmind/IIS  worm 
[CA-2001-11].  It  also
   attempts  to  exploit  the  IIS  Directory
Traversal vulnerability (VU
   #111677). The selection of potential target IP
addresses follows these
   rough probabilities:

     * 50% of the time, an address with the same first
two octets will be

     * 25%  of  the  time,  an  address with the same
first octet will be

     * 25% of the time, a random address will be

   The  infected client machine transfers a copy of
the Nimda code to any
   server  that  it scans and finds to be vulnerable.
Once running on the
   server  machine,  the  worm  traverses  each 
directory  in the system
   (including  all  those  accessible  through a file
shares) and write a
   copy  of  itself to disk using the name
"README.EML". When a directory
   containing  web  content  (e.g.,  HTML  or  ASP 
files)  is found, the
   following snippet of Javascript code is appended to
every one of these
   web-related files:

   <script language="JavaScript">
   window.open("readme.eml", null,

   This  modification  of  web  content allows further
propagation of the
   worm  to  new  clients through a browser or
browsing of a network file

   Browser Propagation

   As  part  of  the  infection  process, the Nimda
worm modifies all web
   content  files  it  finds  (including,  but not
limited to, files with
   .htm,  .html, and .asp extensions). As a result,
any user browsing web
   content  on  the  system,  whether  via  the  file
system or via a web
   server,   may   download  a  copy  of  the  worm. 
Some  browsers  may
   automatically  execute  the  downloaded  copy, 
thereby  infecting the
   browsing system.

   File System Propagation

   The  Nimda  worm  creates  numerous  copies  of
itself (using the name
   README.EML)  in  all  writable directories
(including those found on a
   network  share)  to  which  the  user has access.
If a user on another
   system  subsequently  selects  the copy of the worm
file on the shared
   network drive in Windows Explorer with the preview
option enabled, the
   worm may be able to compromise that system.

   System FootPrint

   The  scanning  activity  of  the Nimda worm
produces the following log
   entries for any web server listing on port 80/tcp:

   GET /scripts/root.exe?/c+dir
   GET /MSADC/root.exe?/c+dir
   GET /c/winnt/system32/cmd.exe?/c+dir
   GET /d/winnt/system32/cmd.exe?/c+dir
   GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
   GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
   GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
   GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
   GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

   Note:  The  first four entries in these sample logs
denote attempts to
   connect  to  the backdoor left by Code Red II,
while the remaining log
   entries  are  examples of exploit attempts for the
Directory Traversal

II. Impact

   Intruders  can  execute  arbitrary  commands 
within  the  LocalSystem
   security  context  on  machines running the
unpatched versions of IIS.
   Host  that have been compromised are also at high
risk for being party
   to attacks on other Internet sites.

   The  high  scanning  rate  of  the Nimda worm may
also cause bandwidth
   denial-of-service conditions on networks with
infected machines.

III. Solutions

   Recommendations for System Administrators of IIS

   To  determine  if  your  system  has  been 
compromised,  look for the

     * root.exe  artifact  (indicates  a  compromise 
by  Code  Red II or
       sadmind/IIS worms making the system vulnerable
to the Nimda worm)

     * admin.dll  artifact  or  unexpected  .eml files
in the directories
       with web content (indicates compromise by the
Nimda worm)

   The  only  safe way to recover from the system
compromise is to format
   the  system  drive(s)  and  reinstall the system
software from trusted
   media  (such  as  vendor-supplied  CD-ROM). 
Additionally,  after  the
   software  is reinstalled, all vendor-supplied
security patches must be
   applied.  The  recommended  time to do this is
while the system is not
   connected  to  any  network.  However,  if
sufficient care is taken to
   disable   all  server  network  services,  then 
the  patches  can  be
   downloaded from the Internet.

   Detailed  instructions  for recovering your system
can be found in the
   CERT/CC tech tip:

          Steps for Recovering from a UNIX or NT
System Compromise

   Apply the appropriate patch from your vendor

   A   cumulative   patch   which   addresses   all 
of  the  IIS-related
   vulnerabilities   exploited  by  the  Nimda  worm 
is  available  from
   Microsoft at


   Recommendations for End User Systems

   Apply the appropriate patch from your vendor

   If you are running a vulnerable version of Internet
Explorer (IE), the
   CERT/CC  recommends  applying  patch  for  the
"Automatic Execution of
   Embedded MIME Types" vulnerability available from
Microsoft at


   Run and Maintain an Anti-Virus Product

   It  is  important  for users to update their
anti-virus software. Most
   anti-virus  software vendors have released updated
information, tools,
   or  virus  databases  to  help  detect and
partially recover from this
   malicious  code.  A list of vendor-specific
anti-virus information can
   be found in Appendix A.

   Many   anti-virus   packages   support   automatic 
updates  of  virus
   definitions.   We   recommend   using  these 
automatic  updates  when

   Don't open e-mail attachments

   The  Nimda  worm may arrive as an email attachment
named "readme.exe".
   Users should not open this attachment.

   Disable  JavaScript  End-user  systems  can become
infected with the
   Nimda  worm  by  browsing  web  sites hosted by
infected servers. This
   method  of  infection requires the use of
JavaScript to be successful.
   Therefore,  the  CERT/CC  recommends  that  end 
user  systems disable

Appendix A. Vendor Information

   Antivirus Vendor Information

   Central Command, Inc.


   Command Software Systems


   Data Fellows Corp








   Trend Micro



   You  may  wish  to  visit  the CERT/CC's computer
virus resources page
   located at 


   Authors:   Roman  Danyliw,  Chad  Dougherty,  Allen
Householder, Robin

   This document is available from:

CERT/CC Contact Information

   Email: cert at ...241...
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT  personnel answer the hotline 08:00-20:00
   Monday  through  Friday; they are on call for
emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive
information sent by email.
   Our public PGP key is available from


   If  you  prefer  to  use  DES,  please  call the
CERT hotline for more

Getting security information

   CERT  publications  and  other security information
are available from
   our web site


   To  be  added  to  our mailing list for advisories
and bulletins, send
   email   to   cert-advisory-request at ...241...   and  
include  SUBSCRIBE
   your-email-address in the subject of your message.

   *  "CERT"  and  "CERT  Coordination Center" are
registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon
University and the Software
   Engineering  Institute  is  furnished  on  an  "as
is" basis. Carnegie
   Mellon University makes no warranties of any kind,
either expressed or
   implied  as  to  any matter including, but not
limited to, warranty of
   fitness  for  a  particular purpose or
merchantability, exclusivity or
   results  obtained from use of the material.
Carnegie Mellon University
   does  not  make  any warranty of any kind with
respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship

   Copyright 2001 Carnegie Mellon University.

   Revision History

   September 18, 2001: Initial Release

Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv


Terrorist Attacks on U.S. - How can you help?
Donate cash, emergency relief information

More information about the Snort-users mailing list