I thought I would share what we found out about this new virus....

Tony Gruen
sfnetworks
-------------------------------------------
Taken from the F-secure web site

http://www.f-secure.com/v-descs/nimda.shtml

NAME: Nimda
ALIAS: W32/Nimda.A@mm
ALIAS: W32/Nimda@mm, I-Worm.Nimda
SIZE: 57344

This worm was found on September 18th, 2001. It quickly spread around
the world. Nimda is a complex virus with a mass mailing worm component
which spreads itself in attachments named README.EXE. It affects Windows
95, Windows 98, Windows Me, Windows NT 4 and Windows 2000 users. Nimda
is the first worm to modify existing web sites to start offering
infected files for download. Also it is the first worm to use normal end
user machines to scan for vulnerable web sites. This technique enables
Nimda to easily reach intranet web sites located behind firewalls -
something worms such as Code Red couldn't directly do. Nimda uses the
Unicode exploit to infect IIS web servers. This hole can be closed with
a Microsoft patch, downloadable from:
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

TECHNICAL DETAILS
Nimda is a complex mass-mailer, network worm and virus. It is a 57kb PE
DLL file with an EXE extension. When run, the worm first checks the name
of the file it was run from. If the name of the worm's file is ADMIN.DLL,
the worm creates a mutex with the name 'fsdhqherwqi2001', copies itself as
MMC.EXE into the \Windows\ directory and starts this file with the
'-qusery9bnow' command line. If the worm is started from a README.EXE file
(or a file that has more than 5 symbols in its name and an EXE extension),
the worm copies itself to the temporary folder with a random name and runs
itself there with the '-dontrunold' command line option. If the worm is run
for the first time (as README.EXE), it loads itself as a library, looks
for a certain resource there and checks its size. If the resource size is
less than 100, the worm unloads itself; otherwise the worm checks if it
was launched from a hard drive and deletes its file in case it was
launched from another type of media. If the worm's file that is to be
deleted is locked, the worm creates a WININIT.INI file that will delete
the worm's file on the next Windows startup. If the worm was launched from
a hard drive, it checks one of its resources, extracts it to a file and
launches it. Checking the resource size is done to be able to detect if
the worm runs from an infected EXE file. In this case the original
executable part is extracted and run by the worm to disguise its
presence.

Then the worm gets the current time and generates a random number.
After performing multiplication and division with this number the worm
checks the result. If the result is bigger than the worm's counter, the
worm starts to search for and delete README*.EXE files in the temporary
folder. The worm tries to create the
[SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces] key in
the Registry. It also queries the 'NameServer' value from the
[System\CurrentControlSet\Services\VxD\MSTCP] key. After that the worm
updates its resources and deletes and re-creates its file. If the file
is locked, the worm creates a WININIT.INI file that will delete the
previously locked file on the next Windows startup. After that the worm
prepares its MIME-encoded copy by extracting a pre-defined multi-partite
message from its body and appending its MIME-encoded copy to it. The
file with a random name is created in the temporary folder. The worm looks
for the EXPLORER process, opens it and assigns its process as a remote
thread of Explorer. Then the worm gets the API addresses it uses, creates
a mutex with the name 'fsdhqherwqi2001', starts up Winsock services, gets
the infected computer's (host) info and sleeps for some time. When
resumed, the worm checks what platform it is running on. If it is running
on an NT-based system, it compacts its memory blocks to occupy less space
in memory and copies itself as LOAD32.EXE to the Windows system
directory. Then it modifies the SYSTEM.INI file by adding the following
string after the SHELL= variable in the [Boot] section:

 explorer.exe load.exe -dontrunold

This will start the worm's copy every time Windows starts. The worm also
copies itself as a RICHED32.DLL file to the system folder and sets hidden
and system attributes on this file as well as on the LOAD.EXE file.

Then the worm enumerates shared network resources and starts to
recursively scan files on remote systems. If the worm finds an EXE file
on a remote system, it reads the file, deletes it and then writes a new
file where the worm body is placed first and the original EXE file is
present as a resource. Later, when this affected file is run, the worm
will extract the EXE file resource and run it. The worm checks the file
name for 'WinZip32.exe' and doesn't affect this file if it is found. When
searching for files on remote systems the worm collects the names of DOC
files and then copies its file to the folders where the DOC files are
located under the name RICHED32.DLL. The copied file has system and
hidden attributes. This is done to increase the chances of worm
activation on remote systems, as Windows' original RICHED32.DLL component
is used to open OLE files. But instead the worm's RICHED32.DLL file will
be launched, as Windows first checks the current directory for needed
DLLs. Also, when the worm is browsing the remote computers' directories,
it creates .EML and (rarely) .NWS files that have the names of document
files that the worm could find on the remote system. These .EML and .NWS
files are the worm's multi-partite messages with the worm MIME-encoded in
them. When scanning, the worm can also delete the .EML and .NWS files it
previously created.

The worm adjusts the properties of Windows Explorer: it accesses the
[Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] key and
adjusts the 'Hidden', 'ShowSuperHidden' and 'HideFileExt' values. This
affects Windows' (especially ME and 2000) ability to show hidden files -
the worm's files will not be seen in Explorer any more. After that the
worm adds a 'guest' account to the infected system's account list,
activates this account, adds it to the 'Administrator' and 'Guests'
groups and shares the C:\ drive with full access privileges. The worm
also deletes all subkeys from the
[SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security] key to
disable sharing security. The worm accesses the
[SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths] key, reads the
subkeys from there and affects all files listed in the subkeys the same
way it affects remote EXE files (see above). The worm doesn't only infect
the WinZip32.exe file. The worm also reads the user's personal folders
from the [Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders] key and infects files in these folders as well.

Finally the worm starts to search local hard drives for HTML, .ASP and
.HTM files and also for files with the words 'DEFAULT', 'INDEX', 'MAIN'
and 'README' in their filenames, and if such files are found, the worm
creates a README.EML file (which is the multi-partite message with the
MIME-encoded worm) in the same directory and adds a small JavaScript code
to the end of the found files. That JavaScript code would open the
README.EML file when the infected HTML file is loaded by a web browser.
As a result the MIME-encoded worm will get activated because of a
security hole and the system will get infected. It should be noted that
the worm will not always do the above described operation; it depends on
a random number the worm generates prior to this action. The worm's file
runs from a minimized window when downloaded from an infected webserver.
This technique affects users who are browsing the web with Internet
Explorer 5.0 or 5.01.

E-Mail spreading: The worm searches through all the '.htm' and '.html'
files in the Temporary Internet Files folder for e-mail addresses. It
reads through the user's inbox and collects the sender addresses. When
the address list is ready it uses its own SMTP engine to send the
infected messages.

IIS spreading: The worm uses backdoors on IIS servers such as the one
CodeRed II installs. It scans random IP addresses for these backdoors.
When a host is found to have one, the worm instructs the machine to
download the worm code (Admin.dll) from the host used for scanning. After
this it executes the worm on the target machine, this way infecting it.
The worm has a copyright text string that is never displayed:

 Concept Virus(CV) V.5, Copyright(C)2001  R.P.China


It should be said that the worm has bugs that cause crashes or inability
to spread itself in certain conditions. F-Secure Anti-Virus detects the
worm with updates released at September 18th, 2001 19:20 EET.
[Analysis: Katrin Tocheva, Gergely Erdelyi, Alexey Podrezov, Sami
Rautiainen and Mikko Hypponen; F-Secure Corp.; September 18th, 2001]


Good luck
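As an added example (not code from F-Secure or from the original post), the following Python checks a host for the traces the analysis above describes: the SHELL= line in SYSTEM.INI, the script appended to web pages to open README.EML, and the RICHED32.DLL / .EML / .NWS files dropped next to documents. All sample inputs are constructed.

```python
# Host-side checks for the Nimda traces described in the F-Secure analysis.
# Added example, not F-Secure's or the poster's code; samples are constructed.
import re

def shell_line_is_hijacked(system_ini_text):
    """True when [boot] shell= runs load.exe with the -dontrunold switch."""
    section = ""
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()          # SYSTEM.INI writes it [boot]
        elif section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return re.search(r"\bload\.exe\b.*-dontrunold", value, re.I) is not None
    return False

# A <script> block whose body names readme.eml: the loader the worm appends.
LOADER_RE = re.compile(r"<script[^>]*>[^<]*readme\.eml[^<]*</script>", re.I | re.S)

def html_has_readme_eml_loader(html):
    return LOADER_RE.search(html) is not None

def dropped_files(listing):
    """Flag riched32.dll outside a Windows system folder, and .eml/.nws files
    whose name matches a .doc in the same folder (listing: full paths)."""
    split = [p.lower().rsplit("\\", 1) for p in listing if "\\" in p]
    docs = {(d, n[:-4]) for d, n in split if n.endswith(".doc")}
    hits = []
    for folder, name in split:
        is_sysdir = folder.endswith(("\\system", "\\system32"))
        if name == "riched32.dll" and not is_sysdir:
            hits.append(folder + "\\" + name)
        elif name.endswith((".eml", ".nws")) and (folder, name[:-4]) in docs:
            hits.append(folder + "\\" + name)
    return hits

def scan_host(system_ini_text, html_files, listing):
    """Return (indicator, detail) findings for one host."""
    findings = []
    if shell_line_is_hijacked(system_ini_text):
        findings.append(("system.ini", "shell= runs load.exe -dontrunold"))
    findings += [("html", p) for p, h in html_files.items() if html_has_readme_eml_loader(h)]
    findings += [("dropped", p) for p in dropped_files(listing)]
    return findings

# Constructed samples mirroring the description (not real captures).
SAMPLE_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\n"
SAMPLE_HTML = {"c:\\inetpub\\wwwroot\\index.htm":
                   '<html><body>hi</body></html><script>window.open("readme.eml")</script>',
               "c:\\inetpub\\wwwroot\\about.htm": "<html><body>clean</body></html>"}
SAMPLE_LISTING = ["C:\\WINNT\\system32\\riched32.dll", "C:\\Docs\\budget.doc",
                  "C:\\Docs\\riched32.dll", "C:\\Docs\\budget.eml", "C:\\Docs\\notes.eml"]
```

A .EML file whose name has no matching document is not flagged, since the analysis says the dropped files copy the names of documents found in the same folder.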
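As a second added example (again not F-Secure's or the poster's code), this Python scanner runs over IIS W3C-format access log lines and flags the two IIS-side behaviours the analysis describes: the MS00-078 Unicode traversal and probes for the backdoor Code Red II leaves behind. The root.exe filename is an assumption taken from public Code Red II descriptions, not from this page, and the log lines are constructed.

```python
# Scans IIS W3C access logs for the IIS-side Nimda behaviour described above.
# Added example; the root.exe name comes from public Code Red II write-ups
# (an assumption here), and the sample log lines are constructed.
import re
from collections import Counter

FIELDS_PREFIX = "#Fields: "
# '..' followed by an overlong-UTF-8 slash or backslash (%c0%af, %c1%9c, ...)
# is the MS00-078 traversal; cmd.exe under /winnt/system32 is what it reaches.
TRAVERSAL_RE = re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.I)
CMD_RE = re.compile(r"/winnt/system32/cmd\.exe", re.I)
BACKDOOR_RE = re.compile(r"/root\.exe$", re.I)

def parse_w3c(lines):
    """Yield dicts keyed by the names from the latest #Fields: header."""
    fields = []
    for line in lines:
        if line.startswith(FIELDS_PREFIX):
            fields = line[len(FIELDS_PREFIX):].split()
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(entry):
    """Reason string for a suspicious request, or None."""
    stem = entry.get("cs-uri-stem", "")
    if TRAVERSAL_RE.search(stem) or CMD_RE.search(stem):
        return "unicode-traversal"
    if BACKDOOR_RE.search(stem):
        return "codered2-backdoor-probe"
    return None

def scan_log(lines):
    """Return ([(c-ip, cs-uri-stem, reason)], Counter of hits per source IP)."""
    hits, per_ip = [], Counter()
    for entry in parse_w3c(lines):
        reason = classify(entry)
        if reason:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], reason))
            per_ip[entry["c-ip"]] += 1
    return hits, per_ip

SAMPLE_LOG = [  # constructed, one scanning host plus one normal visitor
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-09-18 14:02:11 192.0.2.10 GET /scripts/root.exe - 404",
    "2001-09-18 14:02:12 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200",
    "2001-09-18 14:02:13 192.0.2.10 GET /msadc/..%c1%9c../winnt/system32/cmd.exe - 200",
    "2001-09-18 14:03:00 198.51.100.7 GET /index.htm - 200",
]
```

The per-IP counter is the useful part for triage: because Nimda scans from infected end-user machines, a burst of such requests from one internal address usually points at an infected workstation rather than an external attacker.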
