Re: lug-bg: nov opasen virus Nimda

[qsin@xxxxxxxxxxxx (Yavor Atanasov)]

Vchera go poluchih. Svalih update-a na Norton i pak ne go razpozna kato
virus.
Takc he umnata.

Yavor Atanasov

----- Original Message -----
From: "Boyan Krosnov" <bkrosnov@xxxxxxxx>
To: <lug-bg@xxxxxxxxxxxxxxxxxx>
Sent: Wednesday, September 19, 2001 1:37 PM
Subject: lug-bg: nov opasen virus Nimda

> za kojto oshte ne e chul
>
> -----Original Message-----
> From: Jensenne Roculan [mailto:jroculan@xxxxxxxxxxxxxxxxx]
> Sent: Tuesday, September 18, 2001 9:09 PM
> To: incidents@xxxxxxxxxxxxxxxxx
> Cc: forensics@xxxxxxxxxxxxxxxxx; focus-ids@xxxxxxxxxxxxxxxxx
> Subject: Nimda Worm Alert
>
>
> The PDF version of this alert will be posted on ARIS analyzer and
> predictor shortly (http://aris.securityfocus.com,
> https://aris.securityfocus.com/predictor)
>
> Incident Analysis Alert
> Version 1
> September 18, 2001, 18:00 UDT
>
> Executive Summary
> -----------------
>
> A new worm named W32/Nimda-A (known aliases are Nimda, Minda, Concept
> Virus, Code Rainbow) began to proliferate the morning of September 18,
> 2001 on an extremely large scale.  It utilizes multiple IIS
> vulnerabilities to propagate via the web, and Outlook and Outlook
> Express
> vulnerabilities to distribute itself through email.  It spreads through
> three different means; as an email attachment, a web defacement
> download,
> and by directly targeting machines by exploiting known IIS
> vulnerabilities
> such as the ones exploited by Code Red and Code Blue.  There has been
> one
> report thus far of an Apache Server crashing due to Nimda terminating
> httpd processes.  No further corroboration has been made that this worm
> may have in the inadvertent affect of creating a denial of service
> condition on Apache Servers.  Multiple sources have confirmed that this
> worm consumes a large amount of bandwidth and impaired performance on
> web
> servers is a result.  It should be noted that this worm began to
> proliferate almost exactly a week since the terrorist activities began
> to
> take place in the United States.
>
> Currently, anti-virus software does not detect this worm due to the
> recent
> nature of its proliferation.
>
> The Nimda Worm exploits the following vulnerabilities:
>
> Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
> http://www.securityfocus.com/bid/1565
>
> Microsoft IIS/PWS Escaped Characters Decoding Command Execution
> Vulnerability
> http://www.securityfocus.com/bid/1806
>
> Microsoft IE MIME Header Attachment Execution Vulnerability
> http://www.securityfocus.com/bid/2524
>
> Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
> http://www.securityfocus.com/bid/2708
>
> Microsoft Index Server and Indexing Service ISAPI Extension Buffer
> Overflow Vulnerability
> http://www.securityfocus.com/bid/2880
>
> Action Items
> ------------
> Apply the appropriate patches listed in the 'Patches' section below.  In
> addition, any IIS servers still vulnerable to the Unicode hole, or that
> have the root.exe backdoor present should be taken off-line until they
> can
> be rebuilt.
>
> Associated Vulnerability:
> Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
> Microsoft IIS/PWS Escaped Characters Decoding Command Execution
> Vulnerability
> Microsoft IE MIME Header Attachment Execution Vulnerability
> Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
> Microsoft Index Server and Indexing Service ISAPI Extension Buffer
> Overflow Vulnerability
>
> Associated Bugtraq ID: 1565, 1806, 2524, 2708, 2880
>
> Urgency: High
>
> Ease of Exploit: Automatic
>
> Associated Operating Systems: Microsoft Windows NT 4.0, Windows 2000
>
> Technical Overview
> ------------------
> This worm takes advantage of two vulnerabilities, and one backdoor.  The
> worm spreads via e-mail and the web.  For the e-mail vector, it arrives
> in
> the user's inbox as a message with a variable subject line.  In the
> e-mail, there is an attachment named readme.exe.  This worm formats the
> e-mail in such a way as to take advantage of a hole in older versions of
> Internet Explorer.  Outlook mail clients use the Internet Explorer
> libraries to display HTML e-mail, so by extension Outlook and Outlook
> Express are vulnerable as well, if Internet Explorer is vulnerable.  The
> hole allows the readme.exe program to execute automatically as soon as
> the
> e-mail is previewed or read.
>
> Once it has infected a new victim, it mails copies of itself to other
> potential victims, and begins scanning for vulnerable IIS Web servers.
> When scanning for vulnerable IIS servers, it uses both the Unicode hole
> as
> well as trying the root.exe backdoor left by Code Red II.  Once it finds
> a
> vulnerable IIS server, it installs itself in such a way that visitors to
> the now-infected web site will be sent a copy of a .eml file, which is a
> copy of the e-mail that gets sent.  If the victim is using Internet
> Explorer as their browser, and they are vulnerable to the hole, they
> will
> execute the readme.exe attachment in the same way as if they had viewed
> an
> infected e-mail message.
>
> Corroboration
> -------------
> Multiple Anti-Virus vendors have released an alert on this worm:
>
> McAfee
> http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
>
> Sophos
> http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
>
>
> Symantec
> http://www.symantec.com/avcenter/venc/data/w32.nimda.a@xxxxxxx
>
> Patches
> -------
> IIS Lockdown Tool
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsol
> utions/security/tools/locktool.asp
>
> Microsoft Security Bulletin MS01-020
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
> ity/bulletin/MS01-020.asp
>
> Microsoft Security Bulletin MS01-026
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
> ity/bulletin/MS01-026.asp
>
> Microsoft Security Bulletin MS01-033
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
> ity/bulletin/MS01-033.asp
>
> Microsoft Security Bulletin MS00-057
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
> ity/bulletin/ms00-057.asp
>
> Microsoft Security Bulletin MS00-078
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
> ity/bulletin/ms00-078.asp
>
> Attack Data
> -----------
> Examination of the source of the worm reveals the following attack
> strings
> used to exploit IIS Web servers.
>
> '/scripts/..%255c..'
> '/_vti_bin/..%255c../..%255c../..%255c..'
> '/_mem_bin/..%255c../..%255c../..%255c..'
> '/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
> '/scripts/..%c1%1c..'
> '/scripts/..%c0%2f..'
> '/scripts/..%c0%af..'
> '/scripts/..%c1%9c..'
> '/scripts/..%%35%63..'
> '/scripts/..%%35c..'
> '/scripts/..%25%35%63..'
> '/scripts/..%252f..'
>
> To those strings are added /winnt/system32/cmd.exe?/c+dir
>
> Other attacks include:
>
> '/scripts/root.exe?/c+dir'
> '/MSADC/root.exe?/c+dir'
>
>
> Jensenne Roculan
> SecurityFocus - http://www.securityfocus.com
> ARIS - http://aris.securityfocus.com
> (403) 213-3939 ext. 229
>
>
> ------------------------------------------------------------------------
> ----
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
===========================================================================
> A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
> http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara
Zagora

===========================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora