FYI:

F-Prot has already been updated for this today.  Get the new fp-def.

Jerry

----- Original Message ----- 
From: "Terrence Koeman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 12:42 PM
Subject: [Declude.Virus] OT: Alert: New IIS Worm


> Offtopic
> 
> From NTBUGTRAQ:
> 
> ------------------------
> There have been numerous reports of IIS attacks being generated by
> machines over a broad range of IP addresses. These "infected"
> machines are using a wide variety of attacks which attempt to exploit
> already known and patched vulnerabilities against IIS.
> 
> It appears that the attacks can come both from email and from the
> network.
> 
> A new worm, being called w32.nimda.amm, is being sent around. The
> attachment is called README.EXE and comes as a MIME-type of
> "audio/x-wav" together with some html parts. There appears to be no
> text in this message when it is displayed by Outlook when in
> Auto-Preview mode (always a good indication there's something not
> quite right with an email.)
> 
> The network attacks against IIS boxes are a wide variety of attacks.
> Amongst them appear to be several attacks that assume the machine is
> compromised by Code Red II (looking for ROOT.EXE in the /scripts and
> /msadc directory, as well as an attempt to use the /c and /d virtual
> roots to get to CMD.EXE). Further, it attempts to exploit numerous
> other known IIS vulnerabilities.
> 
> One thing to note is the attempt to execute TFTP.EXE to download a
> file called ADMIN.DLL from (presumably) some previously compromised
> box.
> 
> Anyone who discovers a compromised machine (a machine with ADMIN.DLL
> in the /scripts directory), please forward me a copy of that .dll
> ASAP.
> 
> Also, look for TFTP traffic (UDP69). As a safeguard, consider doing
> the following;
> 
> edit %systemroot/system32/drivers/etc/services.
> 
> change the line;
> 
> tftp 69/udp
> 
> to;
> 
> tftp 0/udp
> 
> thereby disabling the TFTP client. W2K has TFTP.EXE protected by
> Windows File Protection so can't be removed.
> 
> More information as it arises.
> 
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> ------------------------
> Ok, whoa horsy, I've got lots of copies of ADMIN.DLL now thanks!
> 
> Analysis is still on-going to determine precisely what the infecting
> files do (there are potentially two, ADMIN.DLL and README.EXE).
> 
> Some people have said their boxes seem unstable. It could be because
> of numerous copies of TFTP.EXE in memory. At this point it might be
> best to disconnect any computer that appears unstable from the
> network, until such time as sufficient analysis has been performed to
> advise how best to bring the box back on-line.
> 
> It is also possible for client machines to perform the attacks that
> we're seeing, if you have a way to filter outbound HTTP requests you
> should look for anything that contains "/scripts" or "tftp" in the
> URL and treat as suspicious.
> 
> The internal threat by this one is no different (and maybe worse)
> than CRII. We've seen indications of WnetEnumResource calls as well
> as references to IPC$. There may be NetBIOS share activity associated
> with the worm, and if so, it will likely spread rapidly internally.
> 
> More than likely you will see the biggest effect in terms of a DoS
> (from many source machines). This thing cares not whether you're an
> IIS box or not, it tries regardless. As this spreads the effects may
> become more severe (no, I'm not going to provide a quote on how
> severe). Make sure your inbound (and preferably your outbound)
> router rules are restricted to only those protocols that must be
> present, and ideally to machine IP addresses that should have access.
> 
> More as it becomes available.
> 
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> ------------------------
> Numerous people have reported that on IIS servers infected with
> w32.nimda.amm, when visitors browse to their website the visitor is
> offered up README.EML, which in turn downloads README.EXE to the
> visitor.
> 
> Please, check your IIS boxes now to see if you are infected. I've had
> reports of IIS servers with more than 10,000 .eml files present
> (mostly as a result of nimda).
> 
> While we don't have any conclusive disinfecting procedures yet, any
> IIS box that has been infected definitely shouldn't be available to
> clients until we do.
> 
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> ------------------------
> 
> 
> -- 
> Regards,
> 
> Terrence Koeman
> 
> Technical Director/Administrator
> MediaMonks B.V. (www.mediamonks.nl)
> 
> Please quote all replies in correspondence.
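The request indicators the advisory above lists (ROOT.EXE probes in /scripts and /msadc, CMD.EXE reached through the /c and /d virtual roots, "tftp" and ADMIN.DLL in the request, README.EML being served to visitors) turned into a small IIS log scanner. This is an added example written for this page, not code from the original posts; the log lines are constructed, and the field layout assumed is the IIS W3C extended format.

```python
import re
from collections import Counter

# Request indicators drawn from the advisory: ROOT.EXE probes in /scripts and
# /msadc (Code Red II leftovers), the /c and /d virtual roots used to reach
# CMD.EXE, TFTP.EXE fetching ADMIN.DLL, and README.EML being served to visitors.
NIMDA_URL_RE = re.compile(
    r"/scripts/root\.exe|/msadc/root\.exe|/[cd]/winnt/system32/cmd\.exe"
    r"|tftp|admin\.dll|readme\.eml",
    re.IGNORECASE,
)

# Constructed sample in IIS W3C extended format (not taken from a real server):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 12:40:01 10.1.2.3 GET /scripts/root.exe /c+dir 404
2001-09-18 12:40:02 10.1.2.3 GET /msadc/root.exe /c+dir 404
2001-09-18 12:40:03 10.1.2.3 GET /d/winnt/system32/cmd.exe /c+tftp 404
2001-09-18 12:41:10 192.168.5.7 GET /index.htm - 200
2001-09-18 12:41:11 192.168.5.7 GET /readme.eml - 200
"""

def parse_w3c(line):
    """Return (c-ip, full URL) for a data line, or None for directives/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, c_ip, _method, stem, query, _status = fields[:7]
    url = stem if query == "-" else f"{stem}?{query}"
    return c_ip, url

def find_nimda_hits(log_text):
    """Return (c-ip, url, indicator) for every request matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_w3c(line)
        if parsed is None:
            continue
        c_ip, url = parsed
        m = NIMDA_URL_RE.search(url)
        if m:
            hits.append((c_ip, url, m.group(0).lower()))
    return hits

def sources_by_hits(hits):
    """Count suspicious requests per client IP. An IP walking several of these
    paths in sequence behaves like an infected host; a hit on readme.eml means
    this server is handing the worm's mail file to its visitors."""
    return Counter(c_ip for c_ip, _url, _ind in hits)

if __name__ == "__main__":
    hits = find_nimda_hits(SAMPLE_LOG)
    for c_ip, url, ind in hits:
        print(f"{c_ip:<14} {ind:<26} {url}")
    print(sources_by_hits(hits))
```

Run it over a real ex*.log from the IIS log directory instead of SAMPLE_LOG to get a per-source tally; 10.1.2.3 here shows the probing pattern, while the readme.eml hit points at the server itself.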


This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .