Slashdot Mirror


New (More) Annoying Microsoft Worm Hits Net

A new worm seems to be running rampant. Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those Windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am); I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J: It now has a name: "Nimda." More info here, here, and here.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, my desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update: Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
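The three request forms quoted above are different encodings of the same directory-traversal path, which is why a plain string match on one of them misses the others. The following Python script is an added example (not from the story or its sources): it normalizes a request path until the encodings compare equal, flags traversal probes in Apache-format log lines, and counts them per source address. The log lines it runs on are constructed samples modelled on the requests quoted above.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (not a real capture), modelled on the three
# request forms quoted in the story plus one ordinary request.
SAMPLE_LOG = """\
208.0.0.10 - - [18/Sep/2001:23:57:27 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
208.0.0.10 - - [18/Sep/2001:23:57:27 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
208.0.0.11 - - [18/Sep/2001:23:57:28 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
10.0.0.5 - - [18/Sep/2001:23:58:01 +0200] "GET /index.html HTTP/1.0" 200 1234
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
PROBE_TARGETS = ("cmd.exe", "root.exe")

def normalize_path(path, rounds=3):
    """Percent-decode until nothing changes (so %255c -> %5c -> '\\'), then treat
    the malformed two-byte UTF-8 form %c1%1c (which lenient decoders read as
    0x5c, a backslash) as a backslash, and fold backslashes to slashes."""
    raw = path.encode("latin-1")
    for _ in range(rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    raw = raw.replace(b"\xc1\x1c", b"\\")
    return raw.decode("latin-1").replace("\\", "/")

def is_traversal_probe(path):
    """True when the decoded path climbs out of its directory and names one of
    the command shells the worm looks for."""
    norm = normalize_path(path).lower()
    return "/../" in norm and any(t in norm for t in PROBE_TARGETS)

def scan_log(text):
    """Count traversal probes per source IP over Apache common-format log lines."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_probe(m.group("path")):
            hits[m.group("ip")] += 1
    return hits

if __name__ == "__main__":
    for ip, n in scan_log(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} traversal probe(s)")
```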

3 of 1,163 comments

  1. Bah.....Stupid Windows by LinuxHeadMN · · Score: 0, Redundant

    Bah...I'm seeing about 8000 hits/sec on some of my bigger webservers. Thank god I have multiple oc-12's here at work.

    40mb access_log file and growing.....

    Thank god for Linux.

  2. Text of Newsbytes Article by Staciebeth · · Score: 0, Redundant
    By Brian McWilliams, Newsbytes

    CAMBRIDGE, MASSACHUSETTS, U.S.A.
    18 Sep 2001, 11:18 AM CST

    A new, malicious worm targeting Microsoft Web servers is in the wild and is frenetically scanning the Internet, security experts said today.

    Starting this morning, numerous system administrators have observed a dramatic increase in probes from remote systems, according to reports on several mailing lists. The probes, coming sometimes hundreds per minute, appear to be attempting to access several commonly exploited files on sites running Microsoft's Internet Information Server.

    According to Johannes Ullrich, operator of the Dshield.org intrusion reporting service, the scans are already tying up some networks.

    "For the last few hours, systems are getting hammered with every IIS exploit on the book. Even though most of these exploits are useless, the bandwidth consumed is large," said Ullrich.

    Anti-virus researchers at Symantec have released a preliminary analysis of the worm, which they have dubbed "W32.Nimda.A@mm." According to the firm, besides scanning for vulnerable IIS systems, the worm appears to use e-mail to propagate itself, arriving in a file attachment named "readme.exe." The worm also opens up the computer's hard disk as a network share.

    According to Elias Levy, chief technology officer for SecurityFocus, the new worm is "very aggressive" and appears to be using elements of several earlier worms.

    Log files posted by participants in one mailing list reveal that infected systems attempt "Get" requests to more than a dozen files on target servers. Among the files is root.exe, a program created by two previous worms, Sadmind and Code Red II. Also targeted is cmd.exe, the command program or "shell" installed on all Windows NT systems. The scans also access a file called "admin.dll" which is used by Microsoft's FrontPage product.

    While the worm is likely only to infect IIS systems, its probes are consuming resources and bandwidth of all types of Internet-connected devices, according to reports from administrators.

    The Computer Emergency Response Team (CERT) said it has begun receiving reports today of a "massive increase in scanning directed at port 80."

    Ten days ago, malicious code experts identified a new self-propagating worm which they dubbed Code Blue. Because it exploits a nearly year-old flaw in Microsoft's IIS software known as the Web Server Folder Traversal vulnerability, experts said they did not expect Code Blue to spread widely.

    Symantec said Nimda appears to attempt to spread using the same vulnerability as Code Blue.

    In an advisory released Monday, the FBI's National Infrastructure Protection Center warned that it expects an increase in denial of service attacks from pro-American vigilantes in the wake of the terrorist attacks on New York and Washington, D.C., last week.

    Symantec's information on Nimda is at
    http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html

    NIPC's advisory on potential denial of service attacks is at http://www.nipc.gov/warnings/advisories/2001/01-021.htm .



    Reported by Newsbytes, http://www.newsbytes.com .
    11:18 CST
    Reposted 11:47 CST

  3. Name of the virus by mglcel · · Score: 0, Redundant

    I've received a mail, with an attached file readme.exe declared as mime format audio/x-wav.
    After a hexadecimal dump, I've noticed this string:

    "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"

    In the code I can find:

    00009b20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35 |/_vti_bin/..%255|
    00009b30 63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e |c../..%255c../..|
    00009b40 25 32 35 35 63 2e 2e 00 2f 5f 6d 65 6d 5f 62 69 |%255c.../_mem_bi|
    00009b50 6e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 |n/..%255c../..%2|

    _vti_bin and _mem_bin are part of my apache access logs:

    213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
    213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249

    The major part of the mail can be found in the hex dump as:

    000092a0 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e |....<HTML><HEAD>|
    000092b0 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 20 62 67 43 |</HEAD><BODY bgC|
    000092d0 0a 3c 69 66 72 61 6d 65 20 73 72 63 3d 33 44 63 |.<iframe src=3Dc|

    which is the code of the HTML part of the mail, or:

    00009350 37 38 39 30 44 45 46 5f 3d 3d 3d 3d 0d 0a 43 6f |7890DEF_====..Co|
    00009360 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 75 64 69 |ntent-Type: audi|
    00009370 6f 2f 78 2d 77 61 76 3b 0d 0a 09 6e 61 6d 65 3d |o/x-wav;...name=|
    00009380 22 72 65 61 64 6d 65 2e 65 78 65 22 0d 0a 43 6f |"readme.exe"..Co|
    00009390 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 |ntent-Transfer-E|
    000093a0 6e 63 6f 64 69 6e 67 3a 20 62 61 73 65 36 34 0d |ncoding: base64.|
    000093b0 0a 43 6f 6e 74 65 6e 74 2d 49 44 3a 20 3c 45 41 |.Content-ID: <EA|

    which corresponds to the mail:

        I 3 readme.exe [audio/x-wav, base64, 75K]

    (mutt output)

    I'm not a virus expert, but if somebody is interested in the readme.exe code or more information, please mail mglcel@gcu-squad.org.

    I've sent a mail to McAfee support to learn if they know this worm, Concept(CV).
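The MIME structure the comment reads out of the hex dump (an attachment declared audio/x-wav but named readme.exe, referenced from the HTML part by an iframe) is exactly what a mail gateway can check for, since an executable extension behind a media Content-Type is a mismatch no legitimate mailer produces. The Python script below is an added example, not the commenter's code; the message it inspects is a constructed sample with dummy bytes in place of the attachment, and the boundary and Content-ID values are made up.

```python
import email
import re
from email import policy

# Constructed sample shaped like the message described in the comment: an HTML
# part whose <iframe> points at an attachment by Content-ID, and an attachment
# declared audio/x-wav but named readme.exe. Payload is base64 of "sample bytes".
SAMPLE_EML = b"""\
Subject: readme
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:readme-part height=3D0 width=3D0></iframe>
</BODY></HTML>
--BOUNDARY
Content-Type: audio/x-wav;
\tname="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <readme-part>

c2FtcGxlIGJ5dGVz
--BOUNDARY--
"""

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def audit_message(raw):
    """Return findings for a raw message: executable filenames behind a non-executable
    Content-Type, attachments that are PE files (MZ header), HTML that auto-loads an attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        name = part.get_filename()  # falls back to the Content-Type name= parameter
        if ctype == "text/html":
            if re.search(r"<iframe[^>]*\ssrc=[\"']?cid:", part.get_content(), re.I):
                findings.append("html part loads an attachment via <iframe src=cid:...>")
        elif name:
            if name.lower().endswith(EXEC_EXTS) and not ctype.startswith("application/"):
                findings.append(f"attachment {name} declared as {ctype}")
            if (part.get_payload(decode=True) or b"").startswith(b"MZ"):
                findings.append(f"attachment {name} carries a PE (MZ) header")
    return findings
```

Run `audit_message(SAMPLE_EML)` to see both the iframe and the type/extension mismatch reported; on a plain-text message it returns an empty list.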