Re: lug-bg: nov opasen virus Nimda

[hristo@xxxxxxxxxxxxxxxx (Hristo Genkov)]

Rav dnes sa go vkarali v bazata si. I si go razpoznava chudesno;)

On Wednesday 19 September 2001 13:50, you wrote:
> Vchera go poluchih. Svalih update-a na Norton i pak ne go razpozna kato
> virus.
> Takc he umnata.
>
> Yavor Atanasov
>
> ----- Original Message -----
> From: "Boyan Krosnov" <bkrosnov@xxxxxxxx>
> To: <lug-bg@xxxxxxxxxxxxxxxxxx>
> Sent: Wednesday, September 19, 2001 1:37 PM
> Subject: lug-bg: nov opasen virus Nimda
>
> > za kojto oshte ne e chul
> >
> > -----Original Message-----
> > From: Jensenne Roculan [mailto:jroculan@xxxxxxxxxxxxxxxxx]
> > Sent: Tuesday, September 18, 2001 9:09 PM
> > To: incidents@xxxxxxxxxxxxxxxxx
> > Cc: forensics@xxxxxxxxxxxxxxxxx; focus-ids@xxxxxxxxxxxxxxxxx
> > Subject: Nimda Worm Alert
> >
> >
> > The PDF version of this alert will be posted on ARIS analyzer and
> > predictor shortly (http://aris.securityfocus.com,
> > https://aris.securityfocus.com/predictor)
> >
> > Incident Analysis Alert
> > Version 1
> > September 18, 2001, 18:00 UDT
> >
> > Executive Summary
> > -----------------
> >
> > A new worm named W32/Nimda-A (known aliases are Nimda, Minda, Concept
> > Virus, Code Rainbow) began to proliferate the morning of September 18,
> > 2001 on an extremely large scale.  It utilizes multiple IIS
> > vulnerabilities to propagate via the web, and Outlook and Outlook
> > Express
> > vulnerabilities to distribute itself through email.  It spreads through
> > three different means; as an email attachment, a web defacement
> > download,
> > and by directly targeting machines by exploiting known IIS
> > vulnerabilities
> > such as the ones exploited by Code Red and Code Blue.  There has been
> > one
> > report thus far of an Apache Server crashing due to Nimda terminating
> > httpd processes.  No further corroboration has been made that this worm
> > may have in the inadvertent affect of creating a denial of service
> > condition on Apache Servers.  Multiple sources have confirmed that this
> > worm consumes a large amount of bandwidth and impaired performance on
> > web
> > servers is a result.  It should be noted that this worm began to
> > proliferate almost exactly a week since the terrorist activities began
> > to
> > take place in the United States.
> >
> > Currently, anti-virus software does not detect this worm due to the
> > recent
> > nature of its proliferation.
> >
> > The Nimda Worm exploits the following vulnerabilities:
> >
> > Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
> > http://www.securityfocus.com/bid/1565
> >
> > Microsoft IIS/PWS Escaped Characters Decoding Command Execution
> > Vulnerability
> > http://www.securityfocus.com/bid/1806
> >
> > Microsoft IE MIME Header Attachment Execution Vulnerability
> > http://www.securityfocus.com/bid/2524
> >
> > Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
> > http://www.securityfocus.com/bid/2708
> >
> > Microsoft Index Server and Indexing Service ISAPI Extension Buffer
> > Overflow Vulnerability
> > http://www.securityfocus.com/bid/2880
> >
> > Action Items
> > ------------
> > Apply the appropriate patches listed in the 'Patches' section below.  In
> > addition, any IIS servers still vulnerable to the Unicode hole, or that
> > have the root.exe backdoor present should be taken off-line until they
> > can
> > be rebuilt.
> >
> > Associated Vulnerability:
> > Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
> > Microsoft IIS/PWS Escaped Characters Decoding Command Execution
> > Vulnerability
> > Microsoft IE MIME Header Attachment Execution Vulnerability
> > Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
> > Microsoft Index Server and Indexing Service ISAPI Extension Buffer
> > Overflow Vulnerability
> >
> > Associated Bugtraq ID: 1565, 1806, 2524, 2708, 2880
> >
> > Urgency: High
> >
> > Ease of Exploit: Automatic
> >
> > Associated Operating Systems: Microsoft Windows NT 4.0, Windows 2000
> >
> > Technical Overview
> > ------------------
> > This worm takes advantage of two vulnerabilities, and one backdoor.  The
> > worm spreads via e-mail and the web.  For the e-mail vector, it arrives
> > in
> > the user's inbox as a message with a variable subject line.  In the
> > e-mail, there is an attachment named readme.exe.  This worm formats the
> > e-mail in such a way as to take advantage of a hole in older versions of
> > Internet Explorer.  Outlook mail clients use the Internet Explorer
> > libraries to display HTML e-mail, so by extension Outlook and Outlook
> > Express are vulnerable as well, if Internet Explorer is vulnerable.  The
> > hole allows the readme.exe program to execute automatically as soon as
> > the
> > e-mail is previewed or read.
> >
> > Once it has infected a new victim, it mails copies of itself to other
> > potential victims, and begins scanning for vulnerable IIS Web servers.
> > When scanning for vulnerable IIS servers, it uses both the Unicode hole
> > as
> > well as trying the root.exe backdoor left by Code Red II.  Once it finds
> > a
> > vulnerable IIS server, it installs itself in such a way that visitors to
> > the now-infected web site will be sent a copy of a .eml file, which is a
> > copy of the e-mail that gets sent.  If the victim is using Internet
> > Explorer as their browser, and they are vulnerable to the hole, they
> > will
> > execute the readme.exe attachment in the same way as if they had viewed
> > an
> > infected e-mail message.
> >
> > Corroboration
> > -------------
> > Multiple Anti-Virus vendors have released an alert on this worm:
> >
> > McAfee
> > http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
> >
> > Sophos
> > http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
> >
> >
> > Symantec
> > http://www.symantec.com/avcenter/venc/data/w32.nimda.a@xxxxxxx
> >
> > Patches
> > -------
> > IIS Lockdown Tool
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsol
> > utions/security/tools/locktool.asp
> >
> > Microsoft Security Bulletin MS01-020
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
> > ity/bulletin/MS01-020.asp
> >
> > Microsoft Security Bulletin MS01-026
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
> > ity/bulletin/MS01-026.asp
> >
> > Microsoft Security Bulletin MS01-033
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
> > ity/bulletin/MS01-033.asp
> >
> > Microsoft Security Bulletin MS00-057
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
> > ity/bulletin/ms00-057.asp
> >
> > Microsoft Security Bulletin MS00-078
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
> > ity/bulletin/ms00-078.asp
> >
> > Attack Data
> > -----------
> > Examination of the source of the worm reveals the following attack
> > strings
> > used to exploit IIS Web servers.
> >
> > '/scripts/..%255c..'
> > '/_vti_bin/..%255c../..%255c../..%255c..'
> > '/_mem_bin/..%255c../..%255c../..%255c..'
> > '/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
> > '/scripts/..%c1%1c..'
> > '/scripts/..%c0%2f..'
> > '/scripts/..%c0%af..'
> > '/scripts/..%c1%9c..'
> > '/scripts/..%%35%63..'
> > '/scripts/..%%35c..'
> > '/scripts/..%25%35%63..'
> > '/scripts/..%252f..'
> >
> > To those strings are added /winnt/system32/cmd.exe?/c+dir
> >
> > Other attacks include:
> >
> > '/scripts/root.exe?/c+dir'
> > '/MSADC/root.exe?/c+dir'
> >
> >
> > Jensenne Roculan
> > SecurityFocus - http://www.securityfocus.com
> > ARIS - http://aris.securityfocus.com
> > (403) 213-3939 ext. 229
> >
> >
> > ------------------------------------------------------------------------
> > ----
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
>
> ===========================================================================
>
> > A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
> > http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara
>
> Zagora
>
> ===========================================================================
> A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
> http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora
===========================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora