09-19-2001, 07:55 PM | #1 |
Zhentarim Guard
Join Date: April 11, 2001
Location: Murfreesboro, TN, USA
Age: 45
Posts: 333
|
This worm was found on September 18th, 2001. It quickly spread around the world. Nimda is a complex virus with a mass mailing worm component which spreads itself in attachments named README.EXE. It affects Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000 users. Nimda is the first worm to modify existing web sites to start offering infected files for download. Also it is the first worm to use normal end user machines to scan for vulnerable web sites. This technique enables Nimda to easily reach intranet web sites located behind firewalls - something worms such as Code Red couldn't directly do. Nimda uses the Unicode exploit to infect IIS web servers. This hole can be closed with a Microsoft patch, downloadable from:

TECHNICAL DETAILS

Nimda is a complex mass-mailer, network worm and virus. It is a 57kb PE DLL file with an EXE extension.

When run the worm first checks the name of the file it was run from. If the name of the worm's file is ADMIN.DLL, the worm creates a mutex with 'fsdhqherwqi2001' name, copies itself as MMC.EXE into the \Windows\ directory and starts this file with the '-qusery9bnow' command line. If the worm is started from the README.EXE file (or a file that has more than 5 symbols in its name and an EXE extension) the worm copies itself to the temporary folder with a random name and runs itself there with the '-dontrunold' command line option.

If the worm is run for the first time (as README.EXE) it loads itself as a library, looks for some resource there and checks its size. If the resource size is less than 100, the worm unloads itself, otherwise the worm checks if it was launched from a hard drive and deletes its file in case it was launched from another type of media. If the worm's file that is deleted is locked, the worm creates a WININIT.INI file that will delete the worm's file on next Windows startup. If the worm was launched from a hard drive, it checks one of its resources, extracts it to a file and launches it.

Checking the resource size is done to be able to detect if the worm runs from an infected EXE file. In this case the original executable part is extracted and run by the worm to disguise its presence.

Then the worm gets the current time and generates a random number. After performing multiplication and division with this number the worm checks the result. If the result is bigger than the worm's counter, the worm starts to search for and delete README*.EXE files in the temporary folder.

The worm tries to create the [SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces] key in the Registry. It also queries the 'NameServer' value from the [System\CurrentControlSet\Services\VxD\MSTCP] key. After that the worm updates its resources and deletes and re-creates its file. If the file is locked, the worm creates a WININIT.INI file that will delete the previously locked file on next Windows startup.

After that the worm prepares its MIME-encoded copy by extracting a pre-defined multi-partite message from its body and appending its MIME-encoded copy to it. The file with a random name is created in the temporary folder.

The worm looks for the EXPLORER process, opens it and assigns its process as a remote thread of Explorer. Then the worm gets APIs, creates a mutex with 'fsdhqherwqi2001' name, starts up Winsock services, gets infected computer (host) info and sleeps for some time. When resumed, the worm checks what platform it is running on. If it is running on an NT-based system, it compacts its memory blocks to occupy less space in memory and copies itself as LOAD32.EXE to the Windows system directory. Then it modifies the SYSTEM.INI file by adding the following string after the SHELL= variable in the [Boot] section:

explorer.exe load.exe -dontrunold

This will start the worm's copy every time Windows starts. The worm also copies itself as a RICHED32.DLL file to the system folder and sets hidden and system attributes on this file as well as on the LOAD.EXE file.

Then the worm enumerates shared network resources and starts to recursively scan files on remote systems. If the worm finds an EXE file on a remote system, it reads the file, deletes it and then writes a new file where the worm body is placed first and the original EXE file is present as a resource. Later when this affected file is run, the worm will extract the EXE file resource and run it. The worm checks the file name for 'WinZip32.exe' and doesn't affect this file if it is found. When searching for files on remote systems the worm collects names of DOC files and then copies its file to folders where DOC files are located with the RICHED32.DLL name. The copied file has system and hidden attributes. This is done to increase the chances of worm activation on remote systems, as Windows' original RICHED32.DLL component is used to open OLE files. But instead the worm's RICHED32.DLL file will be launched, as Windows first checks the current directory for needed DLLs. Also when the worm browses the remote computers' directories it creates .EML and .NWS (rarely) files that have the names of document files that the worm could find on a remote system. These .EML and .NWS files are the worm's multi-partite messages with the worm MIME-encoded in them. When scanning the worm can also delete the .EML and .NWS files it previously created. The worm adjusts the properties of Windows Explorer: it accesses the [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] key and adjusts the 'Hidden', 'ShowSuperHidden' and 'HideFileExt' keys. This affects Windows' (especially ME and 2000) ability to show hidden files - the worm's files will not be seen in Explorer any more. After that the worm adds a 'guest' account to the infected system's account list, activates this account, adds it to the 'Administrator' and 'Guests' groups and shares the C:\ drive with full access privileges.

The worm also deletes all subkeys from the [SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security] key to disable sharing security. The worm accesses the [SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths] key, reads subkeys from there and affects all files listed in the subkeys the same way it affects remote EXE files (see above). The worm doesn't only infect the WinZip32.exe file. Also the worm reads the user's personal folders from the [Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] key and infects files in these folders as well. Finally the worm starts to search local hard drives for HTML, .ASP, and .HTM files and also for files with 'DEFAULT', 'INDEX', 'MAIN' and 'README' words in their filenames, and if such files are found, the worm creates a README.EML file (which is the multi-partite message with the MIME-encoded worm) in the same directory and adds a small JavaScript code to the end of the found files. That JavaScript code would open the README.EML file when the infected HTML file is loaded by a web browser. As a result the MIME-encoded worm will get activated because of a security hole and the system will get infected. It should be noted that the worm will not always do the above described operation; it depends on a random number the worm generates prior to this action. The worm's file runs from a minimized window when downloaded from an infected webserver. This technique affects users who are browsing the web with Internet Explorer 5.0 or 5.01.

E-Mail spreading:

The worm searches through all the '.htm' and '.html' files in the Temporary Internet Files folder for e-mail addresses. It reads through the user's inbox and collects the sender addresses. When the address list is ready it uses its own SMTP engine to send the infected messages.

IIS spreading:

The worm uses backdoors on IIS servers such as the one CodeRed II installs. It scans random IP addresses for these backdoors. When a host is found to have one, the worm instructs the machine to download the worm code (Admin.dll) from the host used for scanning. After this it executes the worm on the target machine, this way infecting it.

The worm has a copyright text string that is never displayed:

Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

It should be said that the worm has bugs that cause crashes or inability to spread itself in certain conditions.

F-Secure Anti-Virus detects the worm with updates released at September 18th, 2001 19:20 EET.

[Analysis: Katrin Tocheva, Gergely Erdelyi, Alexey Podrezov, Sami Rautiainen and Mikko Hypponen; F-Secure Corp.; September 18th, 2001]

------------------ TD..TD... |
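Added example, not F-Secure's or the poster's code: a small Python triage script that looks for the host-side traces the quoted write-up describes, namely the SYSTEM.INI [Boot] shell line chaining load.exe -dontrunold, README.EML drops next to web pages, .EML/.NWS copies named after DOC files, a RICHED32.DLL planted in a document folder, and HTML/ASP pages with an appended script that refers to readme.eml. The INI text and every file it builds are constructed for the demo; the `window.open("readme.eml")` loader is an assumed stand-in, since the write-up does not reproduce the actual appended script.

```python
"""Host-side checks for the Nimda artefacts described in the quoted F-Secure
write-up. Added example; all sample data below is constructed."""
import re
import tempfile
from pathlib import Path

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def boot_shell_hijacked(system_ini_text):
    """Return the [boot] shell= value if it chains load.exe -dontrunold, else None."""
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            tokens = value.lower().split()
            if key.lower() == "shell" and "load.exe" in tokens and "-dontrunold" in tokens:
                return value
    return None


def html_references_readme_eml(html_text):
    """True if any <script> block in the page refers to readme.eml."""
    return any("readme.eml" in body.lower() for body in SCRIPT_RE.findall(html_text))


def classify(path):
    """Map one file to a finding kind, or None if nothing in the write-up matches it."""
    name = path.name.lower()
    if name == "riched32.dll":
        return "dll-planted"      # worm copy dropped beside DOC files (DLL search-order abuse)
    if name.endswith((".eml", ".nws")):
        # README.EML beside web pages, or a .EML/.NWS twin of a document in the same folder
        if name == "readme.eml" or path.with_suffix(".doc").exists():
            return "drop-file"
        return None
    if name.endswith((".htm", ".html", ".asp")):
        if html_references_readme_eml(path.read_text(errors="replace")):
            return "script-appended"
    return None


def scan_tree(root):
    """Walk a document/web tree and return sorted (kind, path) findings."""
    findings = [(classify(p), str(p)) for p in Path(root).rglob("*") if p.is_file()]
    return sorted((kind, p) for kind, p in findings if kind)


def build_sample_tree(root):
    """Constructed sample tree: one clean page, one page with the appended script,
    a README.EML drop, a report.doc with its .eml twin, and a planted riched32.dll."""
    root = Path(root)
    (root / "web").mkdir()
    (root / "docs").mkdir()
    (root / "web" / "about.html").write_text("<html><script>var x = 1;</script></html>")
    (root / "web" / "index.html").write_text(
        '<html><body>hi</body></html><script>window.open("readme.eml")</script>'  # assumed loader
    )
    (root / "web" / "readme.eml").write_text("MIME-Version: 1.0\n(constructed)\n")
    (root / "docs" / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0 constructed")
    (root / "docs" / "report.eml").write_text("MIME-Version: 1.0\n(constructed)\n")
    (root / "docs" / "riched32.dll").write_bytes(b"MZ constructed")
    return root


def demo():
    """Build the sample tree in a temp dir, scan it, and return the finding kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        return [kind for kind, _ in scan_tree(build_sample_tree(tmp))]


if __name__ == "__main__":
    print(boot_shell_hijacked("[boot]\nshell=explorer.exe load.exe -dontrunold\n"))
    for finding in demo():
        print(finding)
```

The file checks only cover the traces the write-up names; a real clean-up would still pull the Explorer\Advanced values, the Shares\Security key and the guest account membership from the affected host, since a scan of a document tree cannot see those.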
09-19-2001, 07:59 PM | #2 |
Galvatron
Join Date: May 9, 2001
Location: The backwoods in Georgia *sigh*
Age: 40
Posts: 2,151
|
Thanks Nick! I'll be cautious....
------------------ Everyone is entitled to their own opinion, I just don't have to listen. |
09-19-2001, 08:00 PM | #3 |
Zhentarim Guard
Join Date: April 11, 2001
Location: Murfreesboro, TN, USA
Age: 45
Posts: 333
|
No problem...This wiped us out at work today!
------------------ TD..TD... |
09-19-2001, 08:02 PM | #4 |
Horus - Egyptian Sky God
Join Date: March 4, 2001
Location: either CA or MO
Age: 42
Posts: 2,674
|
damn... I just wrote this virus yesterday, now the warning is already out... sux
|
09-19-2001, 08:03 PM | #5 |
Ironworks Atomic Moderator
Join Date: January 7, 2001
Location: Virginia, U.S.A.
Age: 57
Posts: 9,005
|
Can't believe some low life is making viruses at a time like this, is sick. Thanks for the info Nick, I'll be cautious and keep an eye out...
------------------ |
09-19-2001, 08:06 PM | #6 | |
Zhentarim Guard
Join Date: April 11, 2001
Location: Murfreesboro, TN, USA
Age: 45
Posts: 333
|
Quote:
------------------ TD..TD... |
|
09-19-2001, 08:15 PM | #7 |
Horus - Egyptian Sky God
Join Date: March 4, 2001
Location: either CA or MO
Age: 42
Posts: 2,674
|
shit, i just saw something like this yesterday, it asks me if i want to download "Readme.exe" file, luckily i clicked cancel... is that what you're talking about?
|
09-19-2001, 08:20 PM | #8 | |
Zhentarim Guard
Join Date: April 11, 2001
Location: Murfreesboro, TN, USA
Age: 45
Posts: 333
|
Quote:
Yeah, that's the one man..It F*cks shit up! ------------------ TD..TD... |
|
09-19-2001, 08:26 PM | #9 |
Baaz Draconian
Join Date: April 8, 2001
Location: Nottingham, UK
Age: 44
Posts: 786
|
Larry_OHF posted a warning about this earlier, he thought he might have sent it out to people he knew here. There's a thread around with the details somewhere.
|
09-19-2001, 10:46 PM | #10 | |
Ironworks Moderator
Join Date: March 1, 2001
Location: Midlands, South Carolina
Age: 48
Posts: 14,759
|
This is what I had said about it, earlier...
Quote:
------------------ Father of the wicked but cute child known as MaryBeth Father of a very naughty but pretty girl --------------------- I want to eat ice cream. |
|