Visit the Ironworks Gaming Website Email the Webmaster Graphics Library Rules and Regulations Help Support Ironworks Forum with a Donation to Keep us Online - We rely totally on Donations from members Donation goal Meter

Ironworks Gaming Radio

Ironworks Gaming Forum

Go Back   Ironworks Gaming Forum > Ironworks Gaming Forums > General Discussion > General Conversation Archives (11/2000 - 01/2005)

 
 
Thread Tools Search this Thread
Old 09-19-2001, 07:55 PM   #1
nick1979
Zhentarim Guard
 

Join Date: April 11, 2001
Location: Murfreesboro, TN, USA
Age: 43
Posts: 333
This worm was found on September 18th, 2001. It quickly spread around
> the world. Nimda is a complex virus with a mass mailing worm component
> which spreads itself in attachments named README.EXE. If affects
> Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000
> users. Nimda is the first worm to modify existing web sites to start
> offering infected files for download. Also it is the first worm to use
> normal end user machines to scan for vulnerable web sites. This
> technique enables Nimda to easily reach intranet web sites located
> behind firewalls - something worms such as Code Red couldn't directly
> do. Nimda uses the Unicode exploit to infect IIS web servers. This
> hole can be closed with a Microsoft patch, downloadable from:
>
> TECHNICAL DETAILS
> Nimda is a complex mass-mailer, network worm and virus. It is a 57kb PE
> DLL file with an EXE extension.
> When run the worm first checks the name of the file it was run from. If
> the name of worm's file is ADMIN.DLL, the worm creates a mutex with
> 'fsdhqherwqi2001' name, copies itself as MMC.EXE into \Windows\ directory
> and starts this file with '-qusery9bnow' command line. If the worm is
> started from README.EXE file (or a file that has more than 5 symbols in
> its name and EXE extension) the worm copies itself to temporary folder
> with a random name and runs itself there with '-dontrunold' command line
> option.
> If the worm is run for the first time (as README.EXE) it loads itself as a
> library, looks for some resource there and checks its size. If the
> resource size is less than 100, the worm unloads itself, otherwise the
> worm checks if it was launched from a hard drive and deletes its file in
> case it was launched from other type of media. If the worm's file that is
> delete is locked, the worm creates WININIT.INI file that will delete the
> worm's file on next Windows startup. If the worm was launched from a hard
> drive, it checks one of its resources, extracts it to a file and launches
> it. Checking the resource size is done to be able to detect if a worm runs
> from and infected EXE file. In this case the original executable part is
> extracted and run by the worm to disguise its presence.
> Then the worm gets current time and generates a random number. After
> performing multiplication and division with this number the worm checks
> the result. If a result is bigger than worm's counter, the worm starts to
> search and delete README*.EXE files in temporary folder.
> The worm tries to create the
> [SYSTEM\CurrentControlSet\Services\Tcpip\Parameters \Interfaces] key in the
> Registry. It also queries 'NameServer' value from
> [System\CurrentControlSet\Services\VxD\MSTCP] key. After that the worm
> updates its resources and deletes and re-creates its file. If the file is
> locked, the worm creates WININIT.INI file that will delete the previously
> locked file on next Windows startup.
> After that the worm prepares its MIME-encoded copy by extrating a
> pre-defined multi-partite message from its body and appending its
> MIME-encoded copy to it. The file with a random name is created in
> temporary folder.
> The worm looks for EXPLORER process, opens it and assigns its process as
> remote thread of Explorer. Then the worm gets API creates a mutex with
> 'fsdhqherwqi2001' name, startups Winsock services, gets an infected
> computer (host) info and sleeps for some time. When resumed, the worm
> checks what platform it is running. If it is running on NT-based system,
> it compacts its memory blocks to occupy less space in memory and copies
> itself as LOAD32.EXE to Windows system directory. Then it modifies
> SYSTEM.INI file by adding the following string after SHELL= variable in
> [Boot] section:
>
> explorer.exe load.exe -dontrunold
> This will start the worm's copy every time Windows starts. The worm
> also copies itself as RICHED32.DLL file to system folder and sets
> hidden and system attributes to this file as well as to LOAD.EXE file.
> Then the worm enumerates shared network resources and scarts to
> recursively scan files on remote systems. If the worm finds an EXE
> file on a remote system, it reads the file, deletes it and then writes
> a new file where the worm body is placed first and the original EXE
> file is present as a resource. Later when this affected file will be
> run, the worm will extract the EXE file resource and run it. The worm
> checks the file name for 'WinZip32.exe' and doesn't affect this file
> if it is found. When searching for files in remote systems the worm
> collects names of DOC files and then copies its file to folders where
> DOC files are located with RICHED32.DLL name. The copied file has
> system and hidden attributes. This is done to increase the chances of
> worm activation on remote systems as Windows' original RICHED32.DLL
> component is used to open OLE files. But instead the worm's
> RICHED32.DLL file will be launched as Windows first checks current
> directory for needed DLLs. Also when the worm browsing the remote
> computers' directories it creates .EML and .NWS (rarely) files that
> have the names of document files that the worm could find on a remote
> system. These .EML and .NWS files are worm's multi-partite messages
> with a worm MIME-encoded in them. When scanning the worm can also
> delete the .EML and .NWS files it previously created. The worm adjusts
> the properties of Windows Explorer, it accesses
> [Software\Microsoft\Windows\CurrentVersion\Explorer \Advanced] key and
> adjusts 'Hidden', 'ShowSuperHidden' and 'HideFileExt' keys. This
> affects Windows' (especially ME and 2000) ability to show hidden files
> - worm's files will not be seen in Explorer any more. After that the
> worm adds a 'guest' account to infected system account list, activates
> this account, adds it to 'Administrator' and 'Guests' groups and
> shares C:\ drive with full access priviledges. The worm also deletes
> all subkeys from
> [SYSTEM\CurrentControlSet\Services\lanmanserver\Sha res\Security] key
> to disable sharing security. The worm accesses
> [SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths] key reads
> subkeys from there and affects all files listed in the subkeys the
> same way it does affect remote EXE files (see above). The worm doesn't
> only infect WinZip32.exe file. Also the worm reads user's personal
> folders from [Software\Microsoft\Windows\CurrentVersion\Explorer \Shell
> Folders] key and infects files in these folders as well. Finally the
> worm starts to search local hard drives for HTML, .ASP, and .HTM files
> and also for files with 'DEFAULT', 'INDEX', 'MAIN' and 'README' words
> in their filenames and if such files are found, the worm creates
> README.EML file (which is the multi-partite message with MIME-encoded
> worm) in the same directory and adds a small JavaScript code to the
> end of found files. That JavaScript code would open README.EML file
> when the infected HTML file is loaded by a web browser. As a result
> the MIME-encoded wor m will get activated because of a security hole
> and a system will get infected. It should be noted that the worm will
> not always do the above described operation, it depends on a random
> number the worm generates prior to this action. The worm's file runs
> from a minimized window when downloaded from an infected webserver.
> This technique affects users who are browsing the web with Internet
> Explorer 5.0 or 5.01. E-Mail spreading:
> The worm searches trough all the '.htm' and '.html' file in the Temporary
> Internet Files folder for e-mail addresses. It reads trough user's inbox
> and collects the sender addresses. When the address list is ready it uses
> it's own SMTP engine to send the infected messages.
> IIS spreading:
> The worm uses backdoors on IIS servers such as the one CodeRed II
> installs. It scans random IP addresses for these backdoors. When a host is
> found to have one the worm instructs the machine to download the worm code
> (Admin.dll) from the host used for scanning. After this it executes the
> worm on the target machine this way infecting it.
> The worm has a copyright text string that is never displayed:
>
> Concept Virus(CV) V.5, Copyright(C)2001 R.P.China <<...OLE_Obj...>>
> It should be said that the worm has bugs that cause crashes or inability
> to spread itself in certain conditions.
> F-Secure Anti-Virus detects the worm with updates released at September
> 18th, 2001 19:20 EET.
> [Analysis: Katrin Tocheva, Gergely Erdelyi, Alexey Podrezov, Sami
> Rautiainen and Mikko Hypponen; F-Secure Corp.; September 18th, 2001]

------------------

TD..TD...
nick1979 is offline  
Old 09-19-2001, 07:59 PM   #2
Redblueflare
Galvatron
 

Join Date: May 9, 2001
Location: The backwoods in Georgia *sigh*
Age: 38
Posts: 2,151
Thanks Nick! I'll be cautious....

------------------
Everyone is entitled to their own opinion, I just don't have to listen.
Redblueflare is offline  
Old 09-19-2001, 08:00 PM   #3
nick1979
Zhentarim Guard
 

Join Date: April 11, 2001
Location: Murfreesboro, TN, USA
Age: 43
Posts: 333
No problem...This wiped us out at work today!

------------------

TD..TD...
nick1979 is offline  
Old 09-19-2001, 08:02 PM   #4
250
Horus - Egyptian Sky God
 

Join Date: March 4, 2001
Location: either CA or MO
Age: 40
Posts: 2,674
damn... I just wrote this virus yesterday, now the warning is already out... sux
250 is offline  
Old 09-19-2001, 08:03 PM   #5
Ladyzekke
Ironworks Atomic Moderator
 

Join Date: January 7, 2001
Location: Virginia, U.S.A.
Age: 55
Posts: 9,005
Can't believe some low life is making viruses at a time like this, is sick. Thanks for the info Nick, I'll be cautious and keep an eye out...

------------------
Ladyzekke is offline  
Old 09-19-2001, 08:06 PM   #6
nick1979
Zhentarim Guard
 

Join Date: April 11, 2001
Location: Murfreesboro, TN, USA
Age: 43
Posts: 333
Quote:
Originally posted by 250:
damn... I just wrote this virus yesterday, now the warning is already out... sux
LOL!!!


------------------

TD..TD...
nick1979 is offline  
Old 09-19-2001, 08:15 PM   #7
250
Horus - Egyptian Sky God
 

Join Date: March 4, 2001
Location: either CA or MO
Age: 40
Posts: 2,674
shit, i just saw something like this yesterday, it asks meif i want to download "Readme.exe" file, luckily i cliked cancel... is that what you talking about?
250 is offline  
Old 09-19-2001, 08:20 PM   #8
nick1979
Zhentarim Guard
 

Join Date: April 11, 2001
Location: Murfreesboro, TN, USA
Age: 43
Posts: 333
Quote:
Originally posted by 250:
shit, i just saw something like this yesterday, it asks meif i want to download "Readme.exe" file, luckily i cliked cancel... is that what you talking about?

Yea that the one man..It F*cks shit up!


------------------

TD..TD...
nick1979 is offline  
Old 09-19-2001, 08:26 PM   #9
Staralfur
Baaz Draconian
 

Join Date: April 8, 2001
Location: Nottingham, UK
Age: 42
Posts: 786
Larry_OHF posted a warning about his earlier, he thought he might have sent it out to people he knew here. There's a thread around with the details somewhere.
Staralfur is offline  
Old 09-19-2001, 10:46 PM   #10
Larry_OHF
Ironworks Moderator
 

Join Date: March 1, 2001
Location: Midlands, South Carolina
Age: 46
Posts: 14,759
This is what I had said about it, earlier...
Quote:
Someone malisciously planted a virus into our company and Wake Forest this morning.
Some of you saw me on here this morning at work, posting.
About 9:30am, I get a screen that asks me to open a file from current location or save to disk. I thought it was something that Ziroc had new for the forum, so I said run from location (saftey precaution I choose to play)...An error came on, saying that explorer could not read file #0000, etc...and terminated without downloading. About 10 minutes after that, we had help desk techs running around asking us all to shut down our PCs.
The virus did not come in an e-mail, it came straight from our home page, attached to the web browser. Anyone that logged on to the net this morning was a possible infection. I did not know whether or not any of you escaped this browser virus, since I was online with some of you...Anyway, my PC is still down because the Virus experts are still working on identifying it...
Just remember...If the screen comes up and asks you to download something from some unknown source, don't open it.

I suspect (as do our executives), that this was done to attack our company, and Wake Forest in particular..

------------------

Most recent information. Please read...
The virus was sent to companies with Internet Servers.
Yet, anyone that logged onto one of these servers can infect their home PC, and thus spread it to other PCs.

The file name is W32/Nimda.eml(ED)

This virus spread world-wide in 30 minutes.



------------------

Father of the wicked but cute child known as MaryBeth

Padre de una niña bien traviosa pero guapa
---------------------
Aisukuríimu ga tabetái desu.
Larry_OHF is offline  
 


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
New AIM virus? Or is it an old one ... Firestormalpha General Discussion 3 09-27-2005 03:39 PM
I think I might have a virus... Luvian General Conversation Archives (11/2000 - 01/2005) 9 09-23-2004 01:20 AM
Virus? Zero Alpha General Conversation Archives (11/2000 - 01/2005) 3 07-29-2004 09:07 AM
NIMDA strikes again! Sazerac General Conversation Archives (11/2000 - 01/2005) 14 09-27-2001 10:35 AM
VIRUS-ALERT get anti virus patch here TheCrimsomBlade General Conversation Archives (11/2000 - 01/2005) 2 09-20-2001 12:17 AM


All times are GMT -4. The time now is 07:52 PM.


Powered by vBulletin® Version 3.8.3
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.
©2022 Ironworks Gaming & ©2022 The Great Escape Studios TM - All Rights Reserved