Re: lug-bg: nov opasen virus Nimda
- Subject: Re: lug-bg: nov opasen virus Nimda
- From: vasil_petrov@xxxxxx (vasil_petrov@xxxxxx)
- Date: Wed, 19 Sep 2001 21:11:40 +0300
Oh, enough with this stuff already, what do I care about IIS :>
Let them suffer with Little Soft and their customers. The Boza Users Group is
probably the right place for this comment :>.
On Wed, 19 Sep 2001 13:37:10 +0300
"Boyan Krosnov" <bkrosnov@xxxxxxxx> wrote:
> for whoever hasn't heard yet
>
> -----Original Message-----
> From: Jensenne Roculan [mailto:jroculan@xxxxxxxxxxxxxxxxx]
> Sent: Tuesday, September 18, 2001 9:09 PM
> To: incidents@xxxxxxxxxxxxxxxxx
> Cc: forensics@xxxxxxxxxxxxxxxxx; focus-ids@xxxxxxxxxxxxxxxxx
> Subject: Nimda Worm Alert
>
>
> The PDF version of this alert will be posted on ARIS analyzer and
> predictor shortly (http://aris.securityfocus.com,
> https://aris.securityfocus.com/predictor)
>
> Incident Analysis Alert
> Version 1
> September 18, 2001, 18:00 UDT
>
> Executive Summary
> -----------------
>
> A new worm named W32/Nimda-A (known aliases are Nimda, Minda, Concept
> Virus, Code Rainbow) began to proliferate the morning of September 18,
> 2001 on an extremely large scale. It utilizes multiple IIS
> vulnerabilities to propagate via the web, and Outlook and Outlook
> Express vulnerabilities to distribute itself through email. It spreads
> through three different means: as an email attachment, a web
> defacement download, and by directly targeting machines by exploiting
> known IIS vulnerabilities such as the ones exploited by Code Red and
> Code Blue. There has been one report thus far of an Apache Server
> crashing due to Nimda terminating httpd processes. No further
> corroboration has been made that this worm may have the inadvertent
> effect of creating a denial of service condition on Apache Servers.
> Multiple sources have confirmed that this worm consumes a large amount
> of bandwidth and impaired performance on web servers is a result. It
> should be noted that this worm began to proliferate almost exactly a
> week since the terrorist activities began to take place in the United
> States.
>
> Currently, anti-virus software does not detect this worm due to the
> recent nature of its proliferation.
>
> The Nimda Worm exploits the following vulnerabilities:
>
> Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
> http://www.securityfocus.com/bid/1565
>
> Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
> http://www.securityfocus.com/bid/1806
>
> Microsoft IE MIME Header Attachment Execution Vulnerability
> http://www.securityfocus.com/bid/2524
>
> Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
> http://www.securityfocus.com/bid/2708
>
> Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability
> http://www.securityfocus.com/bid/2880
>
> Action Items
> ------------
> Apply the appropriate patches listed in the 'Patches' section below. In
> addition, any IIS servers still vulnerable to the Unicode hole, or that
> have the root.exe backdoor present should be taken off-line until they
> can be rebuilt.
>
> Associated Vulnerability:
> Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
> Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
> Microsoft IE MIME Header Attachment Execution Vulnerability
> Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
> Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability
>
> Associated Bugtraq ID: 1565, 1806, 2524, 2708, 2880
>
> Urgency: High
>
> Ease of Exploit: Automatic
>
> Associated Operating Systems: Microsoft Windows NT 4.0, Windows 2000
>
> Technical Overview
> ------------------
> This worm takes advantage of two vulnerabilities, and one backdoor. The
> worm spreads via e-mail and the web. For the e-mail vector, it arrives
> in the user's inbox as a message with a variable subject line. In the
> e-mail, there is an attachment named readme.exe. This worm formats the
> e-mail in such a way as to take advantage of a hole in older versions
> of Internet Explorer. Outlook mail clients use the Internet Explorer
> libraries to display HTML e-mail, so by extension Outlook and Outlook
> Express are vulnerable as well, if Internet Explorer is vulnerable. The
> hole allows the readme.exe program to execute automatically as soon as
> the e-mail is previewed or read.
>
> Once it has infected a new victim, it mails copies of itself to other
> potential victims, and begins scanning for vulnerable IIS Web servers.
> When scanning for vulnerable IIS servers, it uses both the Unicode hole
> as well as trying the root.exe backdoor left by Code Red II. Once it
> finds a vulnerable IIS server, it installs itself in such a way that
> visitors to the now-infected web site will be sent a copy of a .eml
> file, which is a copy of the e-mail that gets sent. If the victim is
> using Internet Explorer as their browser, and they are vulnerable to
> the hole, they will execute the readme.exe attachment in the same way
> as if they had viewed an infected e-mail message.
>
> Corroboration
> -------------
> Multiple Anti-Virus vendors have released an alert on this worm:
>
> McAfee
> http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
>
> Sophos
> http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
>
>
> Symantec
> http://www.symantec.com/avcenter/venc/data/w32.nimda.a@xxxxxxx
>
> Patches
> -------
> IIS Lockdown Tool
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp
>
> Microsoft Security Bulletin MS01-020
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
>
> Microsoft Security Bulletin MS01-026
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
>
> Microsoft Security Bulletin MS01-033
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
>
> Microsoft Security Bulletin MS00-057
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-057.asp
>
> Microsoft Security Bulletin MS00-078
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp
>
> Attack Data
> -----------
> Examination of the source of the worm reveals the following attack
> strings used to exploit IIS Web servers.
>
> '/scripts/..%255c..'
> '/_vti_bin/..%255c../..%255c../..%255c..'
> '/_mem_bin/..%255c../..%255c../..%255c..'
> '/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
> '/scripts/..%c1%1c..'
> '/scripts/..%c0%2f..'
> '/scripts/..%c0%af..'
> '/scripts/..%c1%9c..'
> '/scripts/..%%35%63..'
> '/scripts/..%%35c..'
> '/scripts/..%25%35%63..'
> '/scripts/..%252f..'
>
> To those strings are added /winnt/system32/cmd.exe?/c+dir
>
> Other attacks include:
>
> '/scripts/root.exe?/c+dir'
> '/MSADC/root.exe?/c+dir'
>
>
> Jensenne Roculan
> SecurityFocus - http://www.securityfocus.com
> ARIS - http://aris.securityfocus.com
> (403) 213-3939 ext. 229
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ===========================================================================
> A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
> http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara
> Zagora
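The attack strings in the alert's "Attack Data" section double as detection signatures. The following is an added example, not part of the forwarded alert or of SecurityFocus' analysis: a Python scanner that reads constructed W3C-style IIS access-log lines, decodes each request path the way an unpatched IIS 4.0/5.0 effectively did (two percent-decoding passes with the overlong UTF-8 separators from the alert folded in between), and flags requests that climb above the web root, reach for cmd.exe, or probe the root.exe backdoor left by Code Red II. The log layout, the client addresses, and the function names are assumptions for the example.

```python
"""Flag Nimda/Code Red style IIS probes in access-log lines.

Added example; the log format below is a simplified W3C extended layout
(date time client-ip method uri-stem uri-query status) constructed here.
"""
import re
from urllib.parse import unquote_to_bytes

# Overlong / malformed UTF-8 byte sequences that unpatched IIS decoded as
# path separators (the Extended Unicode traversal, BID 2708), mapped to the
# ASCII separator they stood for.  The byte values come straight from the
# %c0%af, %c0%2f, %c1%9c and %c1%1c strings quoted in the alert.
OVERLONG_SEPARATORS = {
    b"\xc0\xaf": b"/",
    b"\xc0\x2f": b"/",
    b"\xc1\x9c": b"\\",
    b"\xc1\x1c": b"\\",
}

SHELL_NAMES = ("cmd.exe",)      # what the traversal strings try to reach
BACKDOOR_NAMES = ("root.exe",)  # Code Red II backdoor probed by Nimda

# Encodings that only make sense as an attempt to smuggle a separator past
# the first decoding pass: %25xx (double-encoded), %%xx, %c0/%c1 (overlong).
SMUGGLED_SEPARATOR = re.compile(r"%25|%%|%c0|%c1", re.IGNORECASE)

# Assumed log layout: date time client-ip method uri-stem uri-query status
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def canonicalize(uri_stem: str) -> str:
    """Decode a request path the way a vulnerable IIS effectively did.

    Pass 1 percent-decodes once (%255c -> %5c, %c0%af -> C0 AF), overlong
    sequences are folded to their ASCII separator, and pass 2 decodes again
    (%5c -> '\\'); this mirrors the escaped-characters decoding bug (BID 1806),
    where the second decode happened after the security check.  Backslashes
    are normalised to '/' so the traversal check only has to look at one
    separator.
    """
    raw = unquote_to_bytes(uri_stem)
    for seq, sep in OVERLONG_SEPARATORS.items():
        raw = raw.replace(seq, sep)
    raw = unquote_to_bytes(raw)
    return raw.decode("latin-1").replace("\\", "/")


def escapes_webroot(canonical_path: str) -> bool:
    """True if the '..' segments climb above the virtual root."""
    depth = 0
    for segment in canonical_path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def classify_request(uri_stem: str) -> list:
    """Return the reasons a request looks like a Nimda-style probe.

    An empty list means nothing suspicious was found."""
    reasons = []
    canonical = canonicalize(uri_stem)
    lower = canonical.lower()
    if escapes_webroot(canonical):
        reasons.append("directory traversal above webroot")
    if any(lower.endswith("/" + name) for name in SHELL_NAMES):
        reasons.append("request for command shell")
    if any(lower.endswith("/" + name) for name in BACKDOOR_NAMES):
        reasons.append("probe for root.exe backdoor")
    if SMUGGLED_SEPARATOR.search(uri_stem):
        reasons.append("double-encoded or overlong path separator")
    return reasons


def scan_log(lines) -> list:
    """Return (client_ip, uri_stem, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # malformed or differently formatted line; skip it
        reasons = classify_request(match["stem"])
        if reasons:
            hits.append((match["client"], match["stem"], reasons))
    return hits


# Constructed sample log; 192.0.2.0/24 is the documentation range, not real hosts.
SAMPLE_LOG = """\
2001-09-18 14:02:11 192.0.2.10 GET /index.html - 200
2001-09-18 14:02:13 192.0.2.44 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:13 192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:14 192.0.2.44 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:15 192.0.2.44 GET /MSADC/root.exe /c+dir 404
2001-09-18 14:02:16 192.0.2.44 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:20 192.0.2.10 GET /images/logo%20v2.gif - 200
"""

if __name__ == "__main__":
    for client, stem, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client} {stem}: {', '.join(reasons)}")
```

A 404 in the status column does not mean the probe was harmless: a server that still has the Unicode hole answers these requests with 200 and the directory listing, so the decoded path, not the response code, is what to alert on. Feeding real logs through `scan_log` only requires adjusting `LOG_LINE` to the field order the server actually writes.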