
Re: lug-bg: new dangerous virus Nimda


  • Subject: Re: lug-bg: new dangerous virus Nimda
  • From: i.kolemanov@xxxxxxxx (ISM Kolemanov, Ivan)
  • Date: Wed, 19 Sep 2001 14:28:08 +0200



As far as I can read from the log:
ravmd[7437]: Last update: Tue Sep 18 16:43:47 2001
so if your cron runs ravupdate at 20h and 12.30h
everything is fine

regards,
ivan kolemanov

-----Original Message-----
From: Teodor Georgiev [mailto:teodor@xxxxxxxxxxxxxxx]
Sent: Wednesday, 19 September 2001 14:49
To: lug-bg@xxxxxxxxxxxxxxxxxx
Subject: Re: lug-bg: new dangerous virus Nimda

Yeah, today.
After everyone got wrecked...

----- Original Message -----
From: "Hristo Genkov" <hristo@xxxxxxxxxxxxxxxx>
To: <lug-bg@xxxxxxxxxxxxxxxxxx>
Sent: Wednesday, September 19, 2001 1:22 PM
Subject: Re: lug-bg: new dangerous virus Nimda

> RAV added it to their database today. And it recognizes it just fine ;)
>
> On Wednesday 19 September 2001 13:50, you wrote:
> > I got it yesterday. I downloaded the Norton update and it still didn't
> > recognize it as a virus.
> > So be careful.
> >
> > Yavor Atanasov
> >
> > ----- Original Message -----
> > From: "Boyan Krosnov" <bkrosnov@xxxxxxxx>
> > To: <lug-bg@xxxxxxxxxxxxxxxxxx>
> > Sent: Wednesday, September 19, 2001 1:37 PM
> > Subject: lug-bg: new dangerous virus Nimda
> >
> > > for whoever hasn't heard yet
> > >
> > > -----Original Message-----
> > > From: Jensenne Roculan [mailto:jroculan@xxxxxxxxxxxxxxxxx]
> > > Sent: Tuesday, September 18, 2001 9:09 PM
> > > To: incidents@xxxxxxxxxxxxxxxxx
> > > Cc: forensics@xxxxxxxxxxxxxxxxx; focus-ids@xxxxxxxxxxxxxxxxx
> > > Subject: Nimda Worm Alert
> > >
> > >
> > > The PDF version of this alert will be posted on ARIS analyzer and
> > > predictor shortly (http://aris.securityfocus.com,
> > > https://aris.securityfocus.com/predictor)
> > >
> > > Incident Analysis Alert
> > > Version 1
> > > September 18, 2001, 18:00 UDT
> > >
> > > Executive Summary
> > > -----------------
> > >
> > > A new worm named W32/Nimda-A (known aliases are Nimda, Minda, Concept
> > > Virus, Code Rainbow) began to proliferate the morning of September 18,
> > > 2001 on an extremely large scale.  It utilizes multiple IIS
> > > vulnerabilities to propagate via the web, and Outlook and Outlook Express
> > > vulnerabilities to distribute itself through email.  It spreads through
> > > three different means; as an email attachment, a web defacement download,
> > > and by directly targeting machines by exploiting known IIS vulnerabilities
> > > such as the ones exploited by Code Red and Code Blue.  There has been one
> > > report thus far of an Apache Server crashing due to Nimda terminating
> > > httpd processes.  No further corroboration has been made that this worm
> > > may have the inadvertent effect of creating a denial of service
> > > condition on Apache Servers.  Multiple sources have confirmed that this
> > > worm consumes a large amount of bandwidth and impaired performance on web
> > > servers is a result.  It should be noted that this worm began to
> > > proliferate almost exactly a week since the terrorist activities began to
> > > take place in the United States.
> > >
> > > Currently, anti-virus software does not detect this worm due to the recent
> > > nature of its proliferation.
> > >
> > > The Nimda Worm exploits the following vulnerabilities:
> > >
> > > Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
> > > http://www.securityfocus.com/bid/1565
> > >
> > > Microsoft IIS/PWS Escaped Characters Decoding Command Execution
> > > Vulnerability
> > > http://www.securityfocus.com/bid/1806
> > >
> > > Microsoft IE MIME Header Attachment Execution Vulnerability
> > > http://www.securityfocus.com/bid/2524
> > >
> > > Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
> > > http://www.securityfocus.com/bid/2708
> > >
> > > Microsoft Index Server and Indexing Service ISAPI Extension Buffer
> > > Overflow Vulnerability
> > > http://www.securityfocus.com/bid/2880
> > >
> > > Action Items
> > > ------------
> > > Apply the appropriate patches listed in the 'Patches' section below.  In
> > > addition, any IIS servers still vulnerable to the Unicode hole, or that
> > > have the root.exe backdoor present should be taken off-line until they can
> > > be rebuilt.
> > >
> > > Associated Vulnerability:
> > > Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
> > > Microsoft IIS/PWS Escaped Characters Decoding Command Execution
> > > Vulnerability
> > > Microsoft IE MIME Header Attachment Execution Vulnerability
> > > Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
> > > Microsoft Index Server and Indexing Service ISAPI Extension Buffer
> > > Overflow Vulnerability
> > >
> > > Associated Bugtraq ID: 1565, 1806, 2524, 2708, 2880
> > >
> > > Urgency: High
> > >
> > > Ease of Exploit: Automatic
> > >
> > > Associated Operating Systems: Microsoft Windows NT 4.0, Windows 2000
> > >
> > > Technical Overview
> > > ------------------
> > > This worm takes advantage of two vulnerabilities, and one backdoor.  The
> > > worm spreads via e-mail and the web.  For the e-mail vector, it arrives in
> > > the user's inbox as a message with a variable subject line.  In the
> > > e-mail, there is an attachment named readme.exe.  This worm formats the
> > > e-mail in such a way as to take advantage of a hole in older versions of
> > > Internet Explorer.  Outlook mail clients use the Internet Explorer
> > > libraries to display HTML e-mail, so by extension Outlook and Outlook
> > > Express are vulnerable as well, if Internet Explorer is vulnerable.  The
> > > hole allows the readme.exe program to execute automatically as soon as the
> > > e-mail is previewed or read.
> > >
> > > Once it has infected a new victim, it mails copies of itself to other
> > > potential victims, and begins scanning for vulnerable IIS Web servers.
> > > When scanning for vulnerable IIS servers, it uses both the Unicode hole as
> > > well as trying the root.exe backdoor left by Code Red II.  Once it finds a
> > > vulnerable IIS server, it installs itself in such a way that visitors to
> > > the now-infected web site will be sent a copy of a .eml file, which is a
> > > copy of the e-mail that gets sent.  If the victim is using Internet
> > > Explorer as their browser, and they are vulnerable to the hole, they will
> > > execute the readme.exe attachment in the same way as if they had viewed an
> > > infected e-mail message.
> > >
> > > Corroboration
> > > -------------
> > > Multiple Anti-Virus vendors have released an alert on this worm:
> > >
> > > McAfee
> > > http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
> > >
> > > Sophos
> > > http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
> > >
> > >
> > > Symantec
> > > http://www.symantec.com/avcenter/venc/data/w32.nimda.a@xxxxxxx
> > >
> > > Patches
> > > -------
> > > IIS Lockdown Tool
> > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp
> > >
> > > Microsoft Security Bulletin MS01-020
> > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
> > >
> > > Microsoft Security Bulletin MS01-026
> > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
> > >
> > > Microsoft Security Bulletin MS01-033
> > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
> > >
> > > Microsoft Security Bulletin MS00-057
> > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-057.asp
> > >
> > > Microsoft Security Bulletin MS00-078
> > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp
> > >
> > > Attack Data
> > > -----------
> > > Examination of the source of the worm reveals the following attack
> > > strings
> > > used to exploit IIS Web servers.
> > >
> > > '/scripts/..%255c..'
> > > '/_vti_bin/..%255c../..%255c../..%255c..'
> > > '/_mem_bin/..%255c../..%255c../..%255c..'
> > > '/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
> > > '/scripts/..%c1%1c..'
> > > '/scripts/..%c0%2f..'
> > > '/scripts/..%c0%af..'
> > > '/scripts/..%c1%9c..'
> > > '/scripts/..%%35%63..'
> > > '/scripts/..%%35c..'
> > > '/scripts/..%25%35%63..'
> > > '/scripts/..%252f..'
> > >
> > > To those strings are added /winnt/system32/cmd.exe?/c+dir
> > >
> > > Other attacks include:
> > >
> > > '/scripts/root.exe?/c+dir'
> > > '/MSADC/root.exe?/c+dir'
> > >
> > >
> > > Jensenne Roculan
> > > SecurityFocus - http://www.securityfocus.com
> > > ARIS - http://aris.securityfocus.com
> > > (403) 213-3939 ext. 229
> > >
> > >
> > >
> > > ----------------------------------------------------------------------------
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management
> > > and tracking system please see: http://aris.securityfocus.com
===========================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora
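The "Attack Data" section of the quoted alert lists the request paths the worm sends while probing for IIS servers, and the thread notes that Apache hosts were being hit by the same scans. The script below is an added example, written for this page and not part of the mailing-list message or of the SecurityFocus alert: it reads Common Log Format access-log lines (the shape Apache writes), flags requests that match the probe strings from the alert, and also applies a generic check that decodes a path twice and looks for a `..` traversal reaching `cmd.exe` or the `root.exe` backdoor, so that encoding variants not in the literal list are still caught. The sample log lines are constructed for the example, not captured from a real server.

```python
"""Scan web-server access logs for the Nimda IIS probe strings listed in the
quoted alert.  Added detection example, not part of the original message.
Assumes Common Log Format lines (e.g. an Apache access_log); the sample
log below is constructed, not taken from any real server."""
import re
from urllib.parse import unquote

# Probe paths copied from the alert's "Attack Data" section, used as signatures.
NIMDA_PROBE_STRINGS = (
    "/scripts/..%255c..",
    "/_vti_bin/..%255c../..%255c../..%255c..",
    "/_mem_bin/..%255c../..%255c../..%255c..",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%",
    "/scripts/..%c1%1c..",
    "/scripts/..%c0%2f..",
    "/scripts/..%c0%af..",
    "/scripts/..%c1%9c..",
    "/scripts/..%%35%63..",
    "/scripts/..%%35c..",
    "/scripts/..%25%35%63..",
    "/scripts/..%252f..",
    "/scripts/root.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
)

# Common Log Format: host ident authuser [date] "method path protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify_request(path: str):
    """Return a short reason if the request path looks like a Nimda probe, else None.

    First check: case-insensitive match against the known probe prefixes.
    Second check: decode the path twice (the worm relies on double-encoded
    '%255c' and malformed UTF-8 sequences) and look for a '..' traversal
    combined with the command interpreter or the Code Red II backdoor.
    """
    lowered = path.lower()
    for probe in NIMDA_PROBE_STRINGS:
        if probe.lower() in lowered:
            return f"known probe string {probe}"

    decoded = unquote(unquote(path)).lower()
    if ".." in decoded and ("cmd.exe" in decoded or "root.exe" in decoded):
        return "traversal to cmd.exe/root.exe after decoding"
    return None


def scan_log(lines):
    """Return (host, path, reason, status) for every log line that matches."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a Common Log Format line; skip it
        reason = classify_request(m.group("path"))
        if reason:
            hits.append((m.group("host"), m.group("path"), reason, int(m.group("status"))))
    return hits


def hosts_by_hit_count(hits):
    """Aggregate hits per source host so scanning hosts stand out."""
    counts = {}
    for host, _path, _reason, _status in hits:
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample log: four probes from one host (the last one is a
# single-encoded variant that only the generic decode check catches) and
# two benign requests from another host.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Sep/2001:14:02:11 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295',
    '10.0.0.5 - - [19/Sep/2001:14:02:12 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291',
    '10.0.0.5 - - [19/Sep/2001:14:02:12 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296',
    '10.0.0.5 - - [19/Sep/2001:14:02:13 +0200] "GET /msadc/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294',
    '192.168.1.7 - - [19/Sep/2001:14:03:40 +0200] "GET /index.html HTTP/1.1" 200 1432',
    '192.168.1.7 - - [19/Sep/2001:14:03:41 +0200] "GET /images/logo.gif HTTP/1.1" 200 8803',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for host, path, reason, status in found:
        print(f"{host} {status} {path}  <- {reason}")
    print("probes per host:", hosts_by_hit_count(found))
```

On a real Apache host of that period the probes show up as 404s, exactly as in the sample; the per-host count is what matters for an incident handler, since a single source sending the whole list in a second is an infected machine scanning, not a stray request. The generic check is deliberately broad (any traversal that reaches cmd.exe or root.exe after double decoding) because the literal list covers only the encodings the alert enumerates.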



 

Linux-Bulgaria.ORG

Mailing list messages are © Copyright their authors.