I asked a friend to help me with a good description of that worm. Sorry for the length of the text.

> > > > Since 18 Sept. these have been showing up in the Apache logs:
> > > >
> > > > "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
> > > > "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
> > > > "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
> > > > "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
> > > >
> > > > The requests come from outside, in bunches every two (2) seconds.
> > > > What the heck kind of worm is this?
>
> It's called "Win32/Nimda.A", and it's extremely widespread.
> If you answer those requests (IIS exploits) with HTTP... 200 OK, it
> sends requests that pull the virus via TFTP from the source computer
> and execute it on yours.
>
> Here is our description:
>
> .topic IWorm_Nimda
> I-Worm.Nimda
> ------------
> This is a worm virus spreading via the Internet as an attachment to infected
> emails, copying itself to shared directories over the local network, as well as
> attacking vulnerable IIS machines (remote Web sites) and infecting
> local Web sites.
>
> The worm itself is a Windows PE EXE file about 57Kb in length, written in
> Microsoft C++.
>
> To run from an infected message the worm uses a security breach. The worm
> README.EXE file then installs itself to the system, runs the spreading routine and
> payload.
>
> To run on the victim machine while attacking an IIS server the worm, by using the
> so-called "Web Directory Traversal exploit", copies itself to the victim machine
> under the ADMIN.DLL name, and activates it there.
>
> The worm contains the "copyright" text string:
>
> Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
>
>
> Installing
> ----------
> The installation procedures are a bit different when the worm is run from an EXE file
> (from an email message, or from another infected EXE file), and when it is run from
> the ADMIN.DLL file (while infecting an IIS server).
>
> While installing from ADMIN.DLL the worm copies itself to the Windows directory
> under the MMC.EXE name and spawns that file.
>
> Then (as well as when starting from an infected EXE file) the worm infects the
> system. It copies itself:
>
> 1. to the Windows system directory as RICHED20.DLL (and overwrites the original
> Windows RICHED20.DLL file)
> 2. to the Windows system directory under the LOAD.EXE name
>
> The last one is then registered in the auto-run section of the SYSTEM.INI file:
>
> [boot]
> shell=explorer.exe load.exe -dontrunold
>
> 3. the worm also copies itself to the Temporary directory with random MEP*.TMP
> names, for example:
>
> mep01A2.TMP
> mep1A0.TMP.exe
> mepE002.TMP.exe
> mepE003.TMP.exe
> mepE004.TMP
>
> These EXE files have Hidden and System attributes, as does the LOAD.EXE file (see
> above).
>
>
> The worm then runs its spreading and payload routines. Depending on the Windows
> version the worm affects the EXPLORER.EXE process and may run its routines as
> an EXPLORER background process (thread).
>
>
> Spreading - EMail
> -----------------
> To send infected messages the worm connects to a host machine using the SMTP
> protocol and sends its copies to victim addresses.
>
> To get victim email addresses the worm uses two ways:
>
> 1. scans *.HTM and *.HTML files and looks for email-like strings
>
> 2. by using MAPI connects to email boxes (in case the installed Email system
> supports MAPI) and gets email addresses from there.
>
>
> The infected messages are in HTML format and have:
>
> Subject: empty or random
> Body: empty
> Attach: README.EXE
>
> Subjects are taken from the name of a randomly selected file from the folder:
>
> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
>
> usually that's "My Documents", or from a randomly selected file on the C: drive.
>
>
> To spread from infected messages the worm uses the "IFRAME" trick. That is the
> vulnerability described at:
>
> Microsoft Security Bulletin (MS01-020): Incorrect MIME Header Can Cause IE to
> Execute E-mail Attachment
> http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
>
> Download patch:
> http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp
>
> === CUT from FAQ ===
>
> What causes the vulnerability?
>
> If an HTML mail contains an executable attachment whose MIME type is
> incorrectly given as one of several unusual types, a flaw in IE will cause the
> attachment to be executed without displaying a warning dialogue.
>
> What does the patch do?
>
> The patch eliminates the vulnerability by correcting the table of MIME types
> and their associated actions in IE. This has the effect of preventing emails
> from being able to automatically launch executable attachments.
>
> === END ===
>
>
> Spreading - infecting EXE files
> -------------------------------
> The worm looks for all EXE files listed in the registry key tree:
>
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
>
> and for EXE files on shared network drives, and infects them (except
> Winzip32.exe). In some cases that routine is not activated, and EXE files may
> stay uninfected.
>
> While infecting, the worm replaces the victim file with its own copy, then puts the
> original (victim) file into its (the worm's) resources (PE EXE Resources). As a
> result the infected EXE file looks like this:
>
> Header
> Code section
> Data section
> Resources section:
> some worm resources
> victim EXE file (as is) <--- here is the original file
> some other worm resources
> Relocation table
>
> When such a file is started, the worm, in addition to its other routines (installing
> and spreading), also extracts the original body of the victim EXE file and spawns it.
>
>
> Spreading - local network
> -------------------------
> The worm scans local and shared (mapped) remote drives in three different
> manners, and infects all accessible directories in there. While affecting, the
> worm creates .EML (in 95% of cases) or .NWS (in 5%) files with randomly selected
> names. As a result these EML and NWS files are everywhere on the affected machine
> (and in the local network); there may be thousands of them. These files contain
> a worm copy in e-mail form.
>
> The e-mail form is an HTML email message with the worm copy in a MIME envelope, and
> with the IFRAME trick, as described above. Being opened, that message
> immediately infects a vulnerable machine.
>
>
> Spreading - Web sites
> ---------------------
> On the local machine the worm scans all fixed drives and looks for the following
> filename+extension combinations:
>
> *DEFAULT* , *INDEX* , *MAIN* , *README* + .HTML, .HTM, .ASP
>
> (*NAME* means that it may be a substring of the file name). I.e. the worm looks for
> standard Web-page files.
>
> In case such a file is found, the worm copies its e-mail form there
> under the README.EML name and appends to the victim HTM/ASP file a JavaScript program
> that just opens the README.EML file when the HTML/ASP file is being opened, and
> activates the worm as a result.
>
> As a result the worm affects Web pages and may spread to machines that visit
> these Web sites - vulnerable machines can get infected while just browsing an
> infected Web site.
>
>
> Spreading - IIS attack
> ----------------------
> To upload its file to the victim machine the worm uses the so-called "Web Directory
> Traversal exploit", activates a temporary TFTP server on the infected (current)
> machine to process the "get data" command from the victim (remote) machine, exactly
> the same way the {"BlueCode":IISWorm_BlueCode} IIS worm does.
>
> As a result the worm uploads its copy to the victim machine under the ADMIN.DLL name,
> and activates it there.
>
> To infect other IIS servers the worm starts 60 or 200 more threads (background
> processes; their number depends on different conditions), then each thread
> scans randomly selected IP addresses and tries to attack them.
>
>
> Payloads
> --------
> The payload routine adds the "Guest" user to the Administrators UserGroup (as a
> result the "Guest" user has full access to the infected machine). The worm also opens
> all local drives for sharing and removes security settings.
>
> The affected registry keys here are:
>
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\
> Flags =
> Parm1enc =
> Parm2enc =
>
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\X$
> Flags =
> Parm1enc =
> Parm2enc =
> Path =
> Remark =
> Type =
>
> where "X$" is "C$", "D$", etc.
>
> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
> Hidden
> ShowSuperHidden
> HideFileExt
>
> These keys are deleted:
>
> HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
>
>
> Side Effects
> ------------
> The auto-signature HTML file may be affected by the JavaScript as well, as
> described above. As a result all messages that are sent from the infected machine
> will have the worm's JavaScript attached to the end of the signature. So the worm can
> spread in the "KakWorm" way (see {"KakWorm":WS_KakWorm}).
> --
> Costin RAIU, Data Security Expert - Kaspersky Labs
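As an added example (not part of the thread or of Kaspersky's description), a small Python checker for an Apache access log: it parses combined-format lines like the ones quoted in the question, flags the root.exe / winnt\system32\cmd.exe probe paths, and separates probes the server rejected (the 404s above) from ones it answered with 2xx, which is the case the reply warns about. The sample log, its addresses and timestamps are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths the worm probes for, taken from the log lines quoted in the thread;
# a Unix/Apache host has no reason to serve either of them.
PROBE_RE = re.compile(r'/(?:root\.exe|winnt/system32/cmd\.exe)(?:\?|$)', re.I)

def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d

def classify(entry):
    """None for ordinary traffic; 'probe-rejected' when the probe got a non-2xx
    answer; 'probe-accepted' when the server answered 2xx (the case the reply
    warns about, since the worm then tries its TFTP upload)."""
    if entry is None or not PROBE_RE.search(entry["path"]):
        return None
    return "probe-accepted" if 200 <= entry["status"] < 300 else "probe-rejected"

def summarize(log_text):
    """Count probe verdicts per source IP over a whole log."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        verdict = classify(entry)
        if verdict:
            per_ip[entry["ip"]][verdict] += 1
    return dict(per_ip)

# Constructed sample: requests as quoted in the thread, addresses/timestamps made up.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2001:10:02:11 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
203.0.113.7 - - [18/Sep/2001:10:02:11 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
203.0.113.7 - - [18/Sep/2001:10:02:12 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
198.51.100.9 - - [18/Sep/2001:10:02:13 +0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 291 "-" "-"
192.0.2.5 - - [18/Sep/2001:10:03:00 +0300] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""
```

Run `summarize(SAMPLE_LOG)` to get per-source counts; any source with a `probe-accepted` entry is the one to look at first.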
