[FUGSPBR] Virus Nimda

[Nelson Novaes Neto]

Executive Summary
-----------------

A new worm named W32/Nimda-A (known aliases are Nimda, Minda, Concept
Virus, Code Rainbow) began to proliferate the morning of September 18,
2001 on an extremely large scale.  It utilizes multiple IIS
vulnerabilities to propagate via the web, and Outlook and Outlook
Express
vulnerabilities to distribute itself through email.  It spreads through
three different means; as an email attachment, a web defacement
download,
and by directly targeting machines by exploiting known IIS
vulnerabilities
such as the ones exploited by Code Red and Code Blue.  There has been
one
report thus far of an Apache Server crashing due to Nimda terminating
httpd processes.  No further corroboration has been made that this worm
may have in the inadvertent affect of creating a denial of service
condition on Apache Servers.  Multiple sources have confirmed that this
worm consumes a large amount of bandwidth and impaired performance on
web
servers is a result.  It should be noted that this worm began to
proliferate almost exactly a week since the terrorist activities began
to
take place in the United States.

Currently, anti-virus software does not detect this worm due to the
recent
nature of its proliferation.

The Nimda Worm exploits the following vulnerabilities:

Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
http://www.securityfocus.com/bid/1565

Microsoft IIS/PWS Escaped Characters Decoding Command Execution
Vulnerability
http://www.securityfocus.com/bid/1806

Microsoft IE MIME Header Attachment Execution Vulnerability
http://www.securityfocus.com/bid/2524

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
http://www.securityfocus.com/bid/2708

Microsoft Index Server and Indexing Service ISAPI Extension Buffer
Overflow Vulnerability
http://www.securityfocus.com/bid/2880

Action Items
------------
Apply the appropriate patches listed in the 'Patches' section below.  In
addition, any IIS servers still vulnerable to the Unicode hole, or that
have the root.exe backdoor present should be taken off-line until they
can
be rebuilt.

Associated Vulnerability:
Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
Microsoft IIS/PWS Escaped Characters Decoding Command Execution
Vulnerability
Microsoft IE MIME Header Attachment Execution Vulnerability
Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
Microsoft Index Server and Indexing Service ISAPI Extension Buffer
Overflow Vulnerability

Associated Bugtraq ID:  1565, 1806, 2524, 2708, 2880

Urgency:        High

Ease of Exploit:        Automatic

Associated Operating Systems:   Microsoft Windows NT 4.0, Windows 2000

Technical Overview
------------------
This worm takes advantage of two vulnerabilities, and one backdoor.  The
worm spreads via e-mail and the web.  For the e-mail vector, it arrives
in
the user's inbox as a message with a variable subject line.  In the
e-mail, there is an attachment named readme.exe.  This worm formats the
e-mail in such a way as to take advantage of a hole in older versions of
Internet Explorer.  Outlook mail clients use the Internet Explorer
libraries to display HTML e-mail, so by extension Outlook and Outlook
Express are vulnerable as well, if Internet Explorer is vulnerable.  The
hole allows the readme.exe program to execute automatically as soon as
the
e-mail is previewed or read.

Once it has infected a new victim, it mails copies of itself to other
potential victims, and begins scanning for vulnerable IIS Web servers.
When scanning for vulnerable IIS servers, it uses both the Unicode hole
as
well as trying the root.exe backdoor left by Code Red II.  Once it finds
a
vulnerable IIS server, it installs itself in such a way that visitors to
the now-infected web site will be sent a copy of a .eml file, which is a
copy of the e-mail that gets sent.  If the victim is using Internet
Explorer as their browser, and they are vulnerable to the hole, they
will
execute the readme.exe attachment in the same way as if they had viewed
an
infected e-mail message.

Corroboration
-------------
Multiple Anti-Virus vendors have released an alert on this worm:

McAfee
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209

Sophos
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html


Symantec
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

Patches
-------
IIS Lockdown Tool
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp

Microsoft Security Bulletin MS01-020
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

Microsoft Security Bulletin MS01-026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp

Microsoft Security Bulletin MS01-033
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

Microsoft Security Bulletin MS00-057
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-057.asp

Microsoft Security Bulletin MS00-078
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp

Attack Data
-----------
Examination of the source of the worm reveals the following attack
strings
used to exploit IIS Web servers.

'/scripts/..%255c..'
'/_vti_bin/..%255c../..%255c../..%255c..'
'/_mem_bin/..%255c../..%255c../..%255c..'
'/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
'/scripts/..%c1%1c..'
'/scripts/..%c0%2f..'
'/scripts/..%c0%af..'
'/scripts/..%c1%9c..'
'/scripts/..%%35%63..'
'/scripts/..%%35c..'
'/scripts/..%25%35%63..'
'/scripts/..%252f..'

To those strings are added /winnt/system32/cmd.exe?/c+dir

Other attacks include:

'/scripts/root.exe?/c+dir'
'/MSADC/root.exe?/c+dir'

-- 
Nelson Novaes Neto
Analista de Rede
Zip.net
----
Para sair da lista envie um e-mail para majordomo em fugspbr.org
com as palavras "unsubscribe fugspbr" no corpo da mensagem.