Try this one


It looks like viruses/worms are getting more and more sophisticated, including this new one.
After Code Red and Code Blue, there is now Code Rainbow (NIMDA).
More details are given below, or can also be found on the
antivirus vendors' sites.
How it spreads:
-as an email attachment
-a web defacement download
-through exploitation of known IIS vulnerabilities

Affected machines:
-Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000 users
 running Internet Explorer, Outlook Express or IIS

Effects that can occur while it spreads include
-degraded network performance
-high bandwidth utilisation
-busy mail servers

Suggestions:
-if possible, filter the file readme.exe on your mail
 server
-if possible, filter (deny) on the proxy server
 or on the router any web access matching the patterns

'/scripts/..%255c..'
'/_vti_bin/..%255c../..%255c../..%255c..'
'/_mem_bin/..%255c../..%255c../..%255c..'
'/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
'/scripts/..%c1%1c..'
'/scripts/..%c0%2f..'
'/scripts/..%c0%af..'
'/scripts/..%c1%9c..'
'/scripts/..%%35%63..'
'/scripts/..%%35c..'
'/scripts/..%25%35%63..'
'/scripts/..%252f..'
'/scripts/root.exe?/c+dir'
'/MSADC/root.exe?/c+dir'

-don't forget to patch/update the Microsoft software you
 use
-Suggestions, advice or input from colleagues on dealing with
 this virus are also welcome.

Good luck in the fight against the virus/worm.

Regards,
~potat
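The first suggestion above, filtering the readme.exe attachment at the mail server, can be implemented as a gateway check. The following is an added example written for this thread, not code from any of the posters or from an antivirus vendor; it uses Python's standard email package, and the sample messages, the blocked-name set and the wider extension policy are constructed assumptions. Besides the file name, it looks at the decoded payload, so an executable that arrives under a misleading Content-Type is still caught.

```python
"""Mail-gateway attachment check (added example; assumptions noted inline)."""
import email
from email import policy
from email.message import EmailMessage

BLOCKED_NAMES = {"readme.exe"}                               # name recommended for filtering in the post
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".pif", ".com"}  # assumed wider gateway policy
# Content-Types under which a binary may legitimately arrive (assumption);
# an 'MZ' payload under any other type is a mismatch worth flagging.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def build_sample_message() -> bytes:
    """Constructed sample: an HTML body plus an attachment named readme.exe
    whose declared type (text/plain) does not match its payload, which starts
    with the DOS/PE 'MZ' signature. The payload is a harmless stub."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("<html><body>constructed body</body></html>", subtype="html")
    msg.add_attachment(b"MZ constructed stub, not a real program",
                       maintype="text", subtype="plain", filename="readme.exe")
    return msg.as_bytes()


def build_clean_message() -> bytes:
    """Constructed plain-text message with no attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed clean sample"
    msg.set_content("constructed plain-text message with no attachment")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """Return (reason, detail) findings for every leaf MIME part of a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""   # transfer-decoded bytes
        if name in BLOCKED_NAMES:
            findings.append(("blocked-filename", name))
        elif any(name.endswith(ext) for ext in EXECUTABLE_EXTS):
            findings.append(("executable-extension", name))
        if payload[:2] == b"MZ":                           # DOS/PE header, whatever the headers claim
            findings.append(("executable-payload", ctype))
            if ctype not in EXECUTABLE_TYPES:
                findings.append(("type-mismatch", ctype))
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: any finding is enough to hold the message."""
    return bool(scan_message(raw))


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(*finding)
```

On a real gateway the same function would be fed each message before delivery; the decision is deliberately conservative because the post's advice is to stop readme.exe outright rather than to classify it.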


------- Forwarded Message Follows -------
Date sent:          Tue, 18 Sep 2001 18:49:43 -0600 (MDT)
From:               Dave Ahmad <[EMAIL PROTECTED]>
To:                 <[EMAIL PROTECTED]>
Subject:            Nimda Worm


Hey,

We have been receiving reports of a new worm from a large number of users.
Instead of deluging BUGTRAQ with traffic more appropriate for INCIDENTS,
we are posting a summary of the worm and the vulnerabilities it exploits:

A new worm named W32/Nimda-A (known aliases are Nimda,
Minda, Concept V, Code Rainbow) began to proliferate the morning of
September 18, 2001 on an extremely large scale that targets the Microsoft
Windows platform.  It attempts to spread via three mechanisms; as an email
attachment, a web defacement download, and through exploitation of known
IIS vulnerabilities.  Collateral damage includes network performance
degradation due to high consumption of bandwidth during the propagation
process.  There have been reports of Apache Servers being inadvertently
affected by Nimda by being subjected to a denial of service condition (the
configuration of these servers is not known).

This worm takes advantage of multiple vulnerabilities
and backdoors.  The worm spreads via e-mail and the web.  Through the
e-mail vector, the worm arrives in the user's inbox as a message with a
variable subject line.  The e-mail contains an attachment named
'readme.exe'. This worm formats the e-mail in such a way as to take
advantage of a hole in older versions of Internet Explorer.  Outlook
mail clients use the Internet Explorer libraries to display HTML e-mail,
so by extension Outlook and Outlook Express are vulnerable as well, if
Internet Explorer is vulnerable.  The hole allows the readme.exe program
to execute automatically as soon as the e-mail is previewed or read.

Once it has infected a new victim, it mails copies of itself to other
potential victims, and begins scanning for vulnerable IIS Web servers.
When scanning for vulnerable IIS servers, it attempts to exploit the
Unicode hole (bid 1806) and the escaped characters decoding command
execution vulnerability (bid 2708).  It also attempts to access
the system via the root.exe backdoor left by Code Red II.  Once it
finds a vulnerable IIS server, it installs itself in such a way that
visitors to the now-infected web site will be sent a copy of a .eml
file, which is a copy of the e-mail that gets sent.  If the victim is
using Internet Explorer as their browser, and they are vulnerable to the
hole, they will execute the readme.exe attachment in the same way as if
they had viewed an infected e-mail message.

Attack Data:

Examination of the worm reveals the following attack strings
used to exploit IIS Web servers.

'/scripts/..%255c..'
'/_vti_bin/..%255c../..%255c../..%255c..'
'/_mem_bin/..%255c../..%255c../..%255c..'
'/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
'/scripts/..%c1%1c..'
'/scripts/..%c0%2f..'
'/scripts/..%c0%af..'
'/scripts/..%c1%9c..'
'/scripts/..%%35%63..'
'/scripts/..%%35c..'
'/scripts/..%25%35%63..'
'/scripts/..%252f..'

To those strings are added /winnt/system32/cmd.exe?/c+dir

Other attacks include:

'/scripts/root.exe?/c+dir'
'/MSADC/root.exe?/c+dir'

It is believed that all of the vulnerabilities exploited by this worm are
known.

The links below provide fix information.  Administrators and users are
advised to apply patches as soon as possible.  If further analysis
concludes that other vulnerabilities are involved, updated information
will be posted to the list.

See:

Bugtraq ID: 2524 / CVE ID: CAN-2001-0154
Microsoft Security Bulletin MS01-020
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
VulDB: http://www.securityfocus.com/bid/2524

Bugtraq ID: 2708 / CVE ID:  CAN-2001-0333
Microsoft Security Bulletin MS01-026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
VulDB: http://www.securityfocus.com/bid/2708

Bugtraq ID: 1806 / CVE ID:  CVE-2000-0884
Microsoft Security Bulletin MS00-078
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
http://www.securityfocus.com/bid/1806

Microsoft IIS Lockdown Tool:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp

References:

Symantec W32.Nimda.A@mm
http:[EMAIL PROTECTED]

McAfee W32/Nimda@MM
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209

Sophos W32/Nimda-A
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

For discussion of infection or attack attempts, subscribe to the INCIDENTS
mailing list.  For discussion of the worm itself and others, FORENSICS and
FOCUS-VIRUS are more appropriate than BUGTRAQ.

---

Dave Ahmad
Security Focus
www.securityfocus.com
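The attack strings in the Attack Data section above are the same ones the opening post suggests denying at the proxy or router, and they are also what shows up in web server logs of scanned hosts. The following added example (not part of the thread and not SecurityFocus material) runs over a few constructed log lines and flags a request in two ways: a signature match against the strings exactly as published, and a canonicalisation check that percent-decodes twice (the double-decoding issue of bid 2708) and then applies a permissive two-byte decoder, modelled here on the flawed IIS handling behind bid 1806 as an assumption rather than a verified description, so that every variant collapses to the same '/../' traversal. The log format, addresses and timestamps are constructed.

```python
"""Web-log detection for the Nimda IIS attack strings (added example)."""
import re

# Attack strings exactly as given in the Bugtraq summary (signature list).
NIMDA_STRINGS = [
    '/scripts/..%255c..',
    '/_vti_bin/..%255c../..%255c../..%255c..',
    '/_mem_bin/..%255c../..%255c../..%255c..',
    '/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%',
    '/scripts/..%c1%1c..',
    '/scripts/..%c0%2f..',
    '/scripts/..%c0%af..',
    '/scripts/..%c1%9c..',
    '/scripts/..%%35%63..',
    '/scripts/..%%35c..',
    '/scripts/..%25%35%63..',
    '/scripts/..%252f..',
    '/scripts/root.exe?/c+dir',
    '/MSADC/root.exe?/c+dir',
]

HEX = b"0123456789abcdefABCDEF"


def percent_decode_once(s: bytes) -> bytes:
    """Decode valid %XX escapes one level; leave malformed ones (e.g. '%%') intact,
    which is exactly what lets '%%35%63' become '%5c' and then '\\' on the next pass."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == 0x25 and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return bytes(out)


def permissive_utf8(b: bytes) -> str:
    """Assumed model of the lenient decoder: a 0xC0-0xDF lead byte plus the low six
    bits of whatever byte follows form one character, so the overlong or malformed
    pairs C0 AF / C0 2F give '/' and C1 9C / C1 1C give '\\'."""
    out = []
    i = 0
    while i < len(b):
        c = b[i]
        if 0xC0 <= c <= 0xDF and i + 1 < len(b):
            out.append(chr(((c & 0x1F) << 6) | (b[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(c))
            i += 1
    return "".join(out)


def canonicalize(path: str) -> str:
    """Reduce an encoded request path to the form the file system would see."""
    raw = path.encode("latin-1", "replace")
    raw = percent_decode_once(percent_decode_once(raw))   # two decoding passes
    return permissive_utf8(raw).replace("\\", "/")


def classify_request(path: str) -> list:
    """Reasons a request path is suspicious; empty list means nothing found."""
    reasons = []
    low = path.lower()
    if any(low.startswith(sig.lower()) for sig in NIMDA_STRINGS):
        reasons.append("known-nimda-string")
    canon = canonicalize(path).lower()
    if "/../" in canon or canon.endswith("/.."):
        reasons.append("directory-traversal")
    if "cmd.exe" in canon or "root.exe" in canon:
        reasons.append("command-shell-or-backdoor")
    return reasons


# Common Log Format request line; the path is taken as logged (still encoded).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log (documentation-range addresses, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2001:10:14:02 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.0.113.7 - - [18/Sep/2001:10:14:03 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
203.0.113.7 - - [18/Sep/2001:10:14:04 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.4 - - [18/Sep/2001:10:15:11 -0600] "GET /index.html HTTP/1.0" 200 1834
198.51.100.4 - - [18/Sep/2001:10:15:12 -0600] "GET /images/logo%20big.gif HTTP/1.0" 200 4410
"""


def scan_log(text: str) -> list:
    """Return (client ip, logged path, reasons) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("path"))
        if reasons:
            hits.append((m.group("ip"), m.group("path"), reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, ",".join(reasons))
```

The canonicalisation check is the one worth keeping after the signature list goes stale: the worm's strings are just a dozen spellings of the same traversal, and a decoder that normalises before comparing catches the spellings not on the list as well.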

------- Forwarded Message Follows -------
Date sent:          Wed, 19 Sep 2001 02:07:41 +0100
Send reply to:      Windows NTBugtraq Mailing List
<[EMAIL PROTECTED]>
From:               Toby Henderson <[EMAIL PROTECTED]>
Subject:            Full description from f-secure
To:                 [EMAIL PROTECTED]

Taken from the F-secure web site

http://www.f-secure.com/v-descs/nimda.shtml

NAME:Nimda
ALIAS:W32/Nimda.A@mm
ALIAS:W32/Nimda@mm, I-Worm.Nimda
SIZE:57344

This worm was found on September 18th, 2001. It quickly spread around the
world.

Nimda is a complex virus with a mass mailing worm component which spreads
itself in attachments named README.EXE. It affects Windows 95, Windows 98,
Windows Me, Windows NT 4 and Windows 2000 users.

Nimda is the first worm to modify existing web sites to start offering
infected files for download. Also it is the first worm to use normal end
user machines to scan for vulnerable web sites. This technique enables Nimda
to easily reach intranet web sites located behind firewalls - something
worms such as Code Red couldn't directly do.

Nimda uses the Unicode exploit to infect IIS web servers. This hole can be
closed with a Microsoft patch, downloadable from:
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

TECHNICAL DETAILS

Nimda is a complex mass-mailer, network worm and virus. It is a 57kb PE DLL
file with an EXE extension.

When run the worm first checks the name of the file it was run from. If the
name of worm's file is ADMIN.DLL, the worm creates a mutex with
'fsdhqherwqi2001' name, copies itself as MMC.EXE into \Windows\ directory
and starts this file with '-qusery9bnow' command line. If the worm is
started from README.EXE file (or a file that has more than 5 symbols in its
name and EXE extension) the worm copies itself to temporary folder with a
random name and runs itself there with '-dontrunold' command line option.

If the worm is run for the first time (as README.EXE) it loads itself as a
library, looks for some resource there and checks its size. If the resource
size is less than 100, the worm unloads itself, otherwise the worm checks if
it was launched from a hard drive and deletes its file in case it was
launched from other type of media. If the worm's file that is deleted is
locked, the worm creates WININIT.INI file that will delete the worm's file
on next Windows startup. If the worm was launched from a hard drive, it
checks one of its resources, extracts it to a file and launches it. Checking
the resource size is done to be able to detect if a worm runs from an
infected EXE file. In this case the original executable part is extracted
and run by the worm to disguise its presence.

Then the worm gets current time and generates a random number. After
performing multiplication and division with this number the worm checks the
result. If a result is bigger than worm's counter, the worm starts to search
and delete README*.EXE files in temporary folder.

The worm tries to create the
[SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces] key in the
Registry. It also queries 'NameServer' value from
[System\CurrentControlSet\Services\VxD\MSTCP] key. After that the worm
updates its resources and deletes and re-creates its file. If the file is
locked, the worm creates WININIT.INI file that will delete the previously
locked file on next Windows startup.

After that the worm prepares its MIME-encoded copy by extracting a
pre-defined multi-partite message from its body and appending its
MIME-encoded copy to it. The file with a random name is created in temporary
folder.

The worm looks for EXPLORER process, opens it and assigns its process as
remote thread of Explorer. Then the worm gets API, creates a mutex with
'fsdhqherwqi2001' name, starts up Winsock services, gets an infected computer
(host) info and sleeps for some time. When resumed, the worm checks what
platform it is running on. If it is running on NT-based system, it compacts its
memory blocks to occupy less space in memory and copies itself as LOAD32.EXE
to Windows system directory. Then it modifies SYSTEM.INI file by adding the
following string after SHELL= variable in [Boot] section:

 explorer.exe load.exe -dontrunold

This will start the worm's copy every time Windows starts. The worm also
copies itself as RICHED32.DLL file to system folder and sets hidden and
system attributes to this file as well as to LOAD.EXE file. Then the worm
enumerates shared network resources and starts to recursively scan files on
remote systems. If the worm finds an EXE file on a remote system, it reads
the file, deletes it and then writes a new file where the worm body is
placed first and the original EXE file is present as a resource. Later when
this affected file will be run, the worm will extract the EXE file resource
and run it. The worm checks the file name for 'WinZip32.exe' and doesn't
affect this file if it is found.

When searching for files in remote systems the worm collects names of DOC
files and then copies its file to folders where DOC files are located with
RICHED32.DLL name. The copied file has system and hidden attributes. This is
done to increase the chances of worm activation on remote systems as
Windows' original RICHED32.DLL component is used to open OLE files. But
instead the worm's RICHED32.DLL file will be launched as Windows first
checks current directory for needed DLLs.

Also when the worm is browsing the remote computers' directories it creates
EML and .NWS (rarely) files that have the names of document files that the
worm could find on a remote system. These .EML and .NWS files are worm's
multi-partite messages with a worm MIME-encoded in them. When scanning the
worm can also delete the .EML and .NWS files it previously created.

The worm adjusts the properties of Windows Explorer, it accesses
[Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] key and
adjusts 'Hidden', 'ShowSuperHidden' and 'HideFileExt' keys. This affects
Windows' (especially ME and 2000) ability to show hidden files - worm's
files will not be seen in Explorer any more.

After that the worm adds a 'guest' account to infected system account list,
activates this account, adds it to 'Administrator' and 'Guests' groups and
shares C:\ drive with full access privileges. The worm also deletes all
subkeys from
[SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security] key to
disable sharing security.

The worm accesses [SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths] key,
reads subkeys from there and affects all files listed in the subkeys the
same way it does affect remote EXE files (see above). The worm doesn't only
infect WinZip32.exe file. Also the worm reads user's personal folders from
[Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] key and
infects files in these folders as well.

Finally the worm starts to search local hard drives for HTML, .ASP, and .HTM
files and also for files with 'DEFAULT', 'INDEX', 'MAIN' and 'README' words
in their filenames and if such files are found, the worm creates README.EML
file (which is the multi-partite message with MIME-encoded worm) in the same
directory and adds a small JavaScript code to the end of found files. That
JavaScript code would open README.EML file when the infected HTML file is
loaded by a web browser. As a result the MIME-encoded worm will get
activated because of a security hole and a system will get infected. It
should be noted that the worm will not always do the above described
operation, it depends on a random number the worm generates prior to this
action.

The worm's file runs from a minimized window when downloaded from an
infected webserver. This technique affects users who are browsing the web
with Internet Explorer 5.0 or 5.01.

E-Mail spreading:

The worm searches through all the '.htm' and '.html' files in the Temporary
Internet Files folder for e-mail addresses. It reads through the user's inbox and
collects the sender addresses. When the address list is ready it uses its
own SMTP engine to send the infected messages.

IIS spreading:

The worm uses backdoors on IIS servers such as the one CodeRed II installs.
It scans random IP addresses for these backdoors. When a host is found to
have one the worm instructs the machine to download the worm code
(Admin.dll) from the host used for scanning. After this it executes the worm
on the target machine, infecting it this way.

The worm has a copyright text string that is never displayed:

 Concept Virus(CV) V.5, Copyright(C)2001  R.P.China

It should be said that the worm has bugs that cause crashes or inability to
spread itself in certain conditions.

F-Secure Anti-Virus detects the worm with updates released at September
18th, 2001 19:20 EET.

[Analysis: Katrin Tocheva, Gergely Erdelyi, Alexey Podrezov, Sami Rautiainen
and Mikko Hypponen; F-Secure Corp.; September 18th, 2001]


Good luck

Toby

Toby Henderson
Technology Manager
Perfect Information Ltd
Michael House
35 Chiswell Street
London, EC1Y 4SE
Tel: +44 (0)20 7892 4294
Fax: +44 (0)20 7892 4201
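The F-Secure description above lists several file-system artefacts an infected machine carries: the extra program on the SHELL= line of SYSTEM.INI, a RICHED32.DLL dropped next to DOC files so that it is loaded instead of the system copy, .EML/.NWS files named after documents, README.EML beside HTML files, and a script appended to those HTML files that references it. The following added example (written for this thread, not F-Secure's or anyone else's tooling) builds a constructed directory tree with those artefacts and runs a triage pass over it; the paths, file contents and the stand-in script line are all constructed. The registry, account and share changes the analysis also mentions need native Windows tooling and are not covered here.

```python
"""Host triage for the file-system artefacts in the F-Secure analysis (added example)."""
import os
import tempfile
from pathlib import Path

SHELL_ALLOWED = {"explorer.exe"}          # the only program expected on SYSTEM.INI shell=
DOC_EXTS = {".doc"}
WEB_EXTS = {".htm", ".html", ".asp"}
MESSAGE_EXTS = {".eml", ".nws"}


def build_sample_tree(root: Path) -> None:
    """Constructed sample tree mimicking the artefacts; every file is a harmless stub."""
    (root / "windows").mkdir()
    (root / "windows" / "system.ini").write_text(
        "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\n", encoding="ascii")
    (root / "docs").mkdir()
    (root / "docs" / "report.doc").write_bytes(b"constructed document stub")
    (root / "docs" / "riched32.dll").write_bytes(b"MZ constructed stub")
    (root / "docs" / "report.eml").write_bytes(b"constructed MIME stub")
    (root / "web").mkdir()
    (root / "web" / "index.html").write_text(
        "<html><body>site</body></html>\n"
        '<script language="JavaScript">/* constructed stand-in for the appended snippet */'
        'var marker = "readme.eml";</script>\n', encoding="ascii")
    (root / "web" / "readme.eml").write_bytes(b"constructed MIME stub")
    (root / "web" / "about.html").write_text("<html><body>clean</body></html>\n", encoding="ascii")


def check_system_ini(path: Path) -> list:
    """Flag anything other than explorer.exe on the [boot] shell= line."""
    findings = []
    section = None
    for raw in path.read_text(encoding="ascii", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                extra = [t for t in value.split() if t.lower() not in SHELL_ALLOWED]
                if extra:
                    findings.append(("system.ini shell= launches extra program", " ".join(extra)))
    return findings


def triage(root: Path) -> list:
    """Walk the tree and return (finding, detail) pairs for each artefact found."""
    findings = []
    for ini in root.rglob("system.ini"):
        findings += check_system_ini(ini)
    for d in [root] + [p for p in root.rglob("*") if p.is_dir()]:
        names = {p.name.lower(): p for p in d.iterdir() if p.is_file()}
        # A riched32.dll sitting beside documents is loaded from the current
        # directory before the system copy (DLL search-order hijack).
        if any(os.path.splitext(n)[1] in DOC_EXTS for n in names) and "riched32.dll" in names:
            findings.append(("riched32.dll beside documents", str(names["riched32.dll"])))
        for n, p in names.items():
            stem, ext = os.path.splitext(n)
            if ext in MESSAGE_EXTS and (
                    stem == "readme" or any(stem == os.path.splitext(o)[0] for o in names if o != n)):
                findings.append(("dropped .eml/.nws message file", str(p)))
            if ext in WEB_EXTS:
                text = p.read_text(encoding="ascii", errors="replace").lower()
                if "<script" in text and "readme.eml" in text:
                    findings.append(("HTML file references readme.eml from script", str(p)))
    return findings


def run_demo() -> list:
    """Build the constructed tree in a temporary directory and triage it."""
    root = Path(tempfile.mkdtemp(prefix="nimda-triage-"))
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(kind, "->", detail)
```

Against a real drive the tree root would be the system volume; the checks are cheap, and the RICHED32.DLL-beside-documents rule in particular has no legitimate hit, since the genuine library lives in the system directory.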

"Irfan" <[EMAIL PROTECTED]> on 09/20/2001 03:50:04 PM

Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:    (bcc: Henry Yuluis/TPJ)

Subject:  Re: [GUNADARMA] virus eml ... help ...



Try looking for information at www.antivirus.com; the virus is NIMDA.A. Use
McAfee data 4161.
Good luck...
----- Original Message -----
From: "adicom" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 20, 2001 12:28 PM
Subject: [GUNADARMA] virus eml ... help ...


> colleagues ...
>
> today the computers in my office were hit by a strange virus.  the virus
> leaves a file with the extension "eml" (e-mail message?) in *every*
> subdirectory.  so there is always one eml file, even on the desktop.
>
> if the eml file is opened, an empty e-mail appears, but it has an
> attachment, namely readme.exe (59kb).
>
> strangely, this virus spreads very quickly, without being detectable.
>
> please help ...
>
>
> adicom ~;)
>
> __________________________________________________
> Terrorist Attacks on U.S. - How can you help?
> Donate cash, emergency relief information
> http://dailynews.yahoo.com/fc/US/Emergency_Information/
>
> * Gunadarma Mailing List -----------------------------------------------
> * Archives     : http://milis-archives.gunadarma.ac.id
> * Subscribe    : Send an empty email to [EMAIL PROTECTED]
> * Unsubscribe  : Send an empty email to [EMAIL PROTECTED]
> * Administrator: [EMAIL PROTECTED]
>
>

