nick1979
09-19-2001, 07:55 PM
> This worm was found on September 18th, 2001. It quickly spread around
> the world. Nimda is a complex virus with a mass mailing worm component
> which spreads itself in attachments named README.EXE. It affects
> Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000
> users. Nimda is the first worm to modify existing web sites to start
> offering infected files for download. Also it is the first worm to use
> normal end user machines to scan for vulnerable web sites. This
> technique enables Nimda to easily reach intranet web sites located
> behind firewalls - something worms such as Code Red couldn't directly
> do. Nimda uses the Unicode exploit to infect IIS web servers. This
> hole can be closed with a Microsoft patch, downloadable from:
>
> TECHNICAL DETAILS
> Nimda is a complex mass-mailer, network worm and virus. It is a 57kb PE
> DLL file with an EXE extension.
> When run the worm first checks the name of the file it was run from. If
> the name of worm's file is ADMIN.DLL, the worm creates a mutex with
> 'fsdhqherwqi2001' name, copies itself as MMC.EXE into \Windows\ directory
> and starts this file with '-qusery9bnow' command line. If the worm is
> started from README.EXE file (or a file that has more than 5 symbols in
> its name and EXE extension) the worm copies itself to temporary folder
> with a random name and runs itself there with '-dontrunold' command line
> option.
> If the worm is run for the first time (as README.EXE) it loads itself as a
> library, looks for some resource there and checks its size. If the
> resource size is less than 100, the worm unloads itself, otherwise the
> worm checks if it was launched from a hard drive and deletes its file in
> case it was launched from other type of media. If the worm's file that is
> deleted is locked, the worm creates WININIT.INI file that will delete the
> worm's file on next Windows startup. If the worm was launched from a hard
> drive, it checks one of its resources, extracts it to a file and launches
> it. Checking the resource size is done to be able to detect if a worm runs
> from an infected EXE file. In this case the original executable part is
> extracted and run by the worm to disguise its presence.
> Then the worm gets current time and generates a random number. After
> performing multiplication and division with this number the worm checks
> the result. If a result is bigger than worm's counter, the worm starts to
> search and delete README*.EXE files in temporary folder.
> The worm tries to create the
> [SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces] key in the
> Registry. It also queries 'NameServer' value from
> [System\CurrentControlSet\Services\VxD\MSTCP] key. After that the worm
> updates its resources and deletes and re-creates its file. If the file is
> locked, the worm creates WININIT.INI file that will delete the previously
> locked file on next Windows startup.
> After that the worm prepares its MIME-encoded copy by extracting a
> pre-defined multi-partite message from its body and appending its
> MIME-encoded copy to it. The file with a random name is created in
> temporary folder.
> The worm looks for EXPLORER process, opens it and assigns its process as
> remote thread of Explorer. Then the worm gets API, creates a mutex with
> 'fsdhqherwqi2001' name, starts up Winsock services, gets the infected
> computer (host) info and sleeps for some time. When resumed, the worm
> checks what platform it is running on. If it is running on NT-based system,
> it compacts its memory blocks to occupy less space in memory and copies
> itself as LOAD32.EXE to Windows system directory. Then it modifies
> SYSTEM.INI file by adding the following string after SHELL= variable in
> [Boot] section:
>
> explorer.exe load.exe -dontrunold
> This will start the worm's copy every time Windows starts. The worm
> also copies itself as RICHED32.DLL file to system folder and sets
> hidden and system attributes to this file as well as to LOAD.EXE file.
> Then the worm enumerates shared network resources and starts to
> recursively scan files on remote systems. If the worm finds an EXE
> file on a remote system, it reads the file, deletes it and then writes
> a new file where the worm body is placed first and the original EXE
> file is present as a resource. Later when this affected file will be
> run, the worm will extract the EXE file resource and run it. The worm
> checks the file name for 'WinZip32.exe' and doesn't affect this file
> if it is found. When searching for files in remote systems the worm
> collects names of DOC files and then copies its file to folders where
> DOC files are located with RICHED32.DLL name. The copied file has
> system and hidden attributes. This is done to increase the chances of
> worm activation on remote systems as Windows' original RICHED32.DLL
> component is used to open OLE files. But instead the worm's
> RICHED32.DLL file will be launched as Windows first checks current
> directory for needed DLLs. Also when the worm is browsing the remote
> computers' directories it creates .EML and .NWS (rarely) files that
> have the names of document files that the worm could find on a remote
> system. These .EML and .NWS files are worm's multi-partite messages
> with a worm MIME-encoded in them. When scanning the worm can also
> delete the .EML and .NWS files it previously created. The worm adjusts
> the properties of Windows Explorer, it accesses
> [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] key and
> adjusts 'Hidden', 'ShowSuperHidden' and 'HideFileExt' keys. This
> affects Windows' (especially ME and 2000) ability to show hidden files
> - worm's files will not be seen in Explorer any more. After that the
> worm adds a 'guest' account to infected system account list, activates
> this account, adds it to 'Administrator' and 'Guests' groups and
> shares C:\ drive with full access privileges. The worm also deletes
> all subkeys from
> [SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security] key
> to disable sharing security. The worm accesses
> [SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths] key reads
> subkeys from there and affects all files listed in the subkeys the
> same way it does affect remote EXE files (see above). The worm doesn't
> only infect WinZip32.exe file. Also the worm reads user's personal
> folders from [Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
> Folders] key and infects files in these folders as well. Finally the
> worm starts to search local hard drives for HTML, .ASP, and .HTM files
> and also for files with 'DEFAULT', 'INDEX', 'MAIN' and 'README' words
> in their filenames and if such files are found, the worm creates
> README.EML file (which is the multi-partite message with MIME-encoded
> worm) in the same directory and adds a small JavaScript code to the
> end of found files. That JavaScript code would open README.EML file
> when the infected HTML file is loaded by a web browser. As a result
> the MIME-encoded worm will get activated because of a security hole
> and a system will get infected. It should be noted that the worm will
> not always do the above described operation, it depends on a random
> number the worm generates prior to this action. The worm's file runs
> from a minimized window when downloaded from an infected webserver.
> This technique affects users who are browsing the web with Internet
> Explorer 5.0 or 5.01.
>
> E-Mail spreading:
> The worm searches through all the '.htm' and '.html' files in the Temporary
> Internet Files folder for e-mail addresses. It reads through user's inbox
> and collects the sender addresses. When the address list is ready it uses
> its own SMTP engine to send the infected messages.
> IIS spreading:
> The worm uses backdoors on IIS servers such as the one CodeRed II
> installs. It scans random IP addresses for these backdoors. When a host is
> found to have one the worm instructs the machine to download the worm code
> (Admin.dll) from the host used for scanning. After this it executes the
> worm on the target machine this way infecting it.
> The worm has a copyright text string that is never displayed:
>
> Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
> It should be said that the worm has bugs that cause crashes or inability
> to spread itself in certain conditions.
> F-Secure Anti-Virus detects the worm with updates released at September
> 18th, 2001 19:20 EET.
> [Analysis: Katrin Tocheva, Gergely Erdelyi, Alexey Podrezov, Sami
> Rautiainen and Mikko Hypponen; F-Secure Corp.; September 18th, 2001]

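A defender-side check for the host changes the quoted analysis describes (the extra program on the SYSTEM.INI shell= line, the script appended to HTML pages that opens README.EML, and the Explorer view settings that hide the worm's files). This is an added example, not F-Secure's or the poster's code; the sample inputs are constructed, and the meaning of the Explorer values is taken from Explorer's documented behaviour, since the analysis does not say which values the worm writes.

```python
import re

# Constructed samples, not captured from a real infection: a SYSTEM.INI [boot]
# section edited as the analysis describes, a page with a script appended that
# references README.EML, and Explorer\Advanced values like those the worm adjusts.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n"
SAMPLE_HTML = '<html><body>report</body></html><script>window.open("readme.eml")</script>'
SAMPLE_EXPLORER_VALUES = {"Hidden": 2, "ShowSuperHidden": 0}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

def check_system_ini(text):
    """Return the [boot] shell= value if it starts more than explorer.exe, else None."""
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "boot" and "=" in s:
            key, _, value = s.partition("=")
            # Any extra program on the shell line (e.g. "load.exe -dontrunold") is suspect
            if key.strip().lower() == "shell" and value.strip().lower() != "explorer.exe":
                return value.strip()
    return None

def html_opens_eml(html):
    """True if any <script> block in the page references a .eml or .nws file."""
    return any(re.search(r"\w+\.(eml|nws)\b", body, re.I)
               for body in SCRIPT_RE.findall(html))

def explorer_findings(values):
    """List Explorer\\Advanced settings that keep hidden/system files out of view
    (assumption: value meanings per Explorer's documented behaviour)."""
    out = []
    if values.get("Hidden") != 1:
        out.append("Hidden=%r (hidden files not shown)" % values.get("Hidden"))
    if values.get("ShowSuperHidden") == 0:
        out.append("ShowSuperHidden=0 (system files not shown)")
    return out

def scan(system_ini, html, explorer_values):
    """Collect every host indicator found in the supplied inputs."""
    findings = []
    shell = check_system_ini(system_ini)
    if shell:
        findings.append("system.ini shell=" + shell)
    if html_opens_eml(html):
        findings.append("html page script references .eml/.nws file")
    return findings + explorer_findings(explorer_values)
```

On a real host the same three checks would be run over the actual SYSTEM.INI, every HTML/HTM/ASP file next to a README.EML, and the Explorer\Advanced values read from the registry.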