The W32.nimda Worm

CIAC ADVISORY NOTICE

L-144b: The W32.nimda Worm

September 18, 2001 23:00 GMT
Revised: September 21, 2001 23:00 GMT
Revised: September 25, 2001 23:00 GMT


PROBLEM: An extremely virulent worm is currently spreading throughout the Internet. It uses multiple methods of infection to spread among both Windows server and user machines. Infection methods include: file infections, mass e-mail of infected attachments, web server attacks, and LAN propagation via shares.
PLATFORM: All Windows platforms including Windows 95, Windows 98, Windows Me, Windows NT 4, and Windows 2000. Server attacks affect unpatched IIS servers on Windows NT 4 and Windows 2000. Client attacks affect Internet Explorer web browsers and e-mail readers that use the vulnerable web browsers to view html encoded e-mail. Client attacks for other mail readers work if the user executes the attachment.
Vulnerable Web Browsers
  • Internet Explorer 5.01 Service Pack 1 and earlier
  • Internet Explorer 5.5 Service Pack 1 and earlier
Mail readers that use IE
  • Outlook
  • Outlook Express
  • Eudora
  • Others?
DAMAGE: Compromised machines attack other machines on the Internet. System and document files are damaged. Network resources will be used which will slow the network.
SOLUTION: Apply patches to uninfected systems. Vulnerable IIS servers should install the cumulative patch, MS01-044, to protect against the server attacks. Vulnerable client systems should install or upgrade to one of the following.

Update antivirus software to detect the worm. Compromised machines must be pulled off of the network and rebuilt or cleaned with antivirus software. Cleaning instructions are available from your antivirus vendor. Note: Rebooting will not clean your system of this worm.


VULNERABILITY ASSESSMENT: The risk is HIGH. The worm is rapidly spreading throughout the Internet.

LINKS  
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/l-144.shtml
PATCHES: MS01-044 http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
MS01-020 http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
MS01-027 http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
Internet Explorer 5.01 Service Pack 2 http://www.microsoft.com/windows/ie/downloads/recommended/ie501sp2/default.asp
Internet Explorer 5.5 Service Pack 2 http://www.microsoft.com/windows/ie/downloads/recommended/ie55sp2/default.asp
Internet Explorer 6 http://www.microsoft.com/windows/ie/downloads/ie6/default.asp
REFERENCES: F-Secure http://www.datafellows.com/v-descs/nimda.shtml
Microsoft http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/nimda.asp

[Revised 9/21/01 Added technical details]
[Revised 9/25/01 Added warning about explorer preview]

The W32.nimda worm started spreading on September 18, 2001 and quickly spread throughout the Internet. Unlike the CodeRed worm, which targets only IIS servers, the Nimda worm attacks both servers and client systems using four different propagation methods: file infections, mass e-mail of infected attachments, web server attacks, and LAN propagation via shares. The mixture of capabilities has produced a worm that is very complicated, difficult to analyze, and whose damage is difficult to repair. The type of attacks performed and the damage done depend on the name of the worm executable that is run and on any command line arguments. As a result, when examining an infected system you may see only some of the effects listed in this Advisory.

WARNING! When examining an infected system or when examining files taken from an infected system you can be infected by the worm by simply clicking on an infected file. You are vulnerable to this type of infection if your system has one of the vulnerable versions of Internet Explorer and you are using "Web Style" folders. Web style folders automatically preview the selected file in the lower-left corner of the folder window. Previewing the file readme.eml or any infected web page causes the worm to run. If "Web Style" folders are turned off (that is, you are using "Classic Style" folders) or you have a patched version of Internet Explorer you are not vulnerable.

Worm Operation

There is an excellent detailed description of the operation of this worm available on the F-Secure website that is summarized here. The worm uses four different methods to propagate itself to other systems: file infections, mass e-mail, web server attacks, and LAN shares.

File Infections

The Nimda worm infects executable (.EXE) files it finds on systems. This method is similar to more traditional virus infections but with a twist. Instead of attaching the worm code to the beginning or end of the executable, the worm embeds the original executable inside itself and then renames itself to the name of the infected executable. When the executable is run, the worm runs first, extracts the original executable, and runs it.

Mass E-mail

Using its own built-in mailer, the worm extracts e-mail addresses from your existing address books, mail in your inbox, and from web pages in your web cache. The e-mails are constructed with no apparent body, faked return addresses, and an attachment called README.EXE. The attachment is a copy of the worm. If you read the e-mail and run the attachment, you will be infected with this worm. On some e-mail readers, the attachment is executed automatically when you simply view the e-mail message. This automatic execution occurs because some e-mail readers use Internet Explorer windows to display html encoded mail messages and the worm exploits the vulnerability in Internet Explorer described in Microsoft security bulletin MS01-020.

Mail readers that use an Internet Explorer window to view html encoded e-mail include: Outlook, Outlook Express, and Eudora. There are likely others. The vulnerable versions of Internet Explorer are:

  • Internet Explorer 5.01 Service Pack 1 and earlier
  • Internet Explorer 5.5 Service Pack 1 and earlier

Internet Explorer 5.01 and 5.02 with Service Pack 2 and Internet Explorer 6 are not vulnerable. Netscape web browsers and mail readers are also not vulnerable. Text only mail readers are not vulnerable.

Web Server Attacks

After the worm is established in a system, it searches for web servers and tries a series of directory traversal, unicode, and other attacks. All of these attacks are prevented by applying the cumulative patch kit described in Microsoft bulletin MS01-044. It also attempts to exploit changes made to a system by prior CodeRed II attacks. If the attack is successful, the worm attaches code to the ends of a random list of web pages on the server that attempts to exploit the same Internet Explorer vulnerability as was used in the mass e-mail attack. Anyone viewing these web pages with a vulnerable web browser will be infected with the worm.

LAN Share Attacks

The worm adds the "guest" account to compromised systems with no password and puts it in the Guest and Administrators groups. This lets anyone log in and take complete control of the system. The worm also shares the full C drive to anyone. After opening up the compromised system, the worm looks for other networked systems with shares that it can open. When it finds open shares, it attempts to spread itself by planting copies of the infected e-mail message and an infected copy of RICHED20.DLL in the shares. The library RICHED20.DLL is used by Word, Wordpad, and Outlook. If the owner of the share opens the infected e-mail or opens a Word, Wordpad, or Outlook document in that directory, the shared machine will be compromised.

Detecting An Infected System

Detecting an infected system is difficult with this worm as the infections are different depending on the name of the file that ran to start the infection process and the command line used to start it. The worm also actively tries to hide itself. The best way to test a system is to run an antivirus scanner on the system to test for infected files. Note that detecting readme.exe in your e-mail attachments directory may only indicate that the worm was sent to you but has not yet been executed. Finding many infected files in a system is strong evidence that it is infected.

One problem with both servers and client systems is that nimda changes the registry entries that control viewing hidden files and file extensions. When looking in a directory for files, choose View, Folder Options, then the View tab in Windows Explorer. In the Advanced settings window, choose "Show all files", uncheck "Hide file extensions for known file types", and click OK. Check these settings whenever you search a different directory as the worm will continue to change them back to the hidden settings. In fact, if you change these settings and a few minutes later find that for the same directory they have been changed back, that is a good indication that the worm is active in your system.

Servers

If the system in question is an IIS web server, look for admin.dll in the web server's \scripts directory. Finding admin.dll in the _vti_bin\_vti_adm directory is normal as this is the FrontPage extension for administering a website. It should not be found in the \scripts directory. If you open the suspect admin.dll file in notepad, you will find the strings listed in the "Detecting Infected Packet Traffic" section of this document.

Look in directories containing .DOC or .EML files and see if you can find RICHED20.DLL or README.DLL in those directories. Note that these files may be hidden and you may have to turn on viewing of hidden files to see them.

Look in the web folders that contain .HTM, .HTML, or .ASP files for README.EML.

Clients

Look for README.EXE in the mail attachments folder. Look for files in the temporary directory (\temp, \windows\temp, \winnt\temp) with the name MEP*.TMP and MEP*.TMP.EXE (the * is any random characters). These files may be hidden so you must turn on viewing of hidden files to see them. Look for LOAD.EXE in the \windows or \winnt directories. Open the \windows\system.ini file with a text editor like notepad and look for the line: "shell=explorer.exe load.exe -dontrunold". If you find any of these files, your system is infected.

Detecting Infected Packet Traffic

Detecting infected packet traffic involves finding unique strings to look for. The following strings are detectable in the unpacked executables (admin.dll, readme.exe) and in the infected e-mail message. Some easy to spot markers are the MIME boundary tags (--====_ABC1234567890DEF_====), the string after src= in the <iframe> tag (3Dcid:EA4DMGBP9p), and the name of the attachment (name="readme.exe").


boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
	boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
	name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
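The markers above can be checked mechanically at a mail gateway or over a mailbox export. The following Python is an added example, not part of the CIAC advisory: it parses a constructed message assembled from the header fragment above (the top-level multipart/mixed type is an assumption and the base64 body is a harmless placeholder, not the worm) and reports which of the Nimda markers it carries.

```python
import re
from email import message_from_bytes, policy

# Markers quoted in the advisory: outer MIME boundary and the cid the hidden iframe loads.
NIMDA_BOUNDARY = "====_ABC1234567890DEF_===="
NIMDA_CID = "EA4DMGBP9p"
IFRAME_CID_RE = re.compile(r'<iframe[^>]*\ssrc=["\']?cid:([^\s"\'>]+)', re.I)

# Constructed sample built from the advisory's header fragment (multipart/mixed assumed).
SAMPLE_MESSAGE = b"""\
Content-Type: multipart/mixed;
\tboundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
\tboundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
\tcharset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3D#ffffff><iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
\tname="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

bm90IHRoZSB3b3Jt
--====_ABC1234567890DEF_====--
"""


def nimda_indicators(raw: bytes) -> list:
    """Return the Nimda markers found in one RFC 822 message (empty if clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    if msg.get_boundary() == NIMDA_BOUNDARY:
        found.append("nimda-boundary")
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            m = IFRAME_CID_RE.search(part.get_content())
            if m and m.group(1) == NIMDA_CID:
                found.append("hidden-iframe-cid")
        elif part.get_filename():
            # An .exe labelled audio/x-wav whose cid the iframe loads is the
            # worm's disguised attachment.
            if part.get_filename().lower() == "readme.exe" and ctype == "audio/x-wav":
                found.append("readme.exe-as-wav")
            if part.get("Content-ID", "").strip("<>") == NIMDA_CID:
                found.append("attachment-cid-matches-iframe")
    return found
```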

The web server attack packets contain some well-known IIS exploits. The following requests are used to scan a web server for a vulnerability. If a server gives a positive response to any of these probes, the worm sends attack code that attempts to download admin.dll from the attacking site using tftp.

GET /scripts/root.exe?/c+dir 
GET /MSADC/root.exe?/c+dir 
GET /c/winnt/system32/cmd.exe?/c+dir 
GET /d/winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir 
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir 
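As an added example (not from the advisory), the Python below normalises request paths the way the vulnerable IIS effectively did, so that the double-encoded and overlong-UTF-8 variants in the probe list above all collapse to the same directory traversal, and labels each probe for a log review; it goes beyond the list by accepting any mix of those encodings, not only the exact strings shown. The sample lines are constructed from the GET lines above plus ordinary requests; the root.exe and /c, /d probes are recognised as the CodeRed II artifacts the worm reuses.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong or malformed UTF-8 byte pairs that unpatched IIS accepted as path
# separators (the %c0%af, %c0%2f, %c1%9c and %c1%1c forms in the probe list).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}


def normalise(path: str) -> str:
    """Decode a request path as vulnerable IIS effectively did: percent-decode,
    accept overlong separators, then decode again so double-encoded forms such
    as %255c, %%35%63 and %25%35%63 also collapse to a separator."""
    raw = unquote_to_bytes(path)
    for bad, good in OVERLONG.items():
        raw = raw.replace(bad, good)
    raw = unquote_to_bytes(raw)
    return raw.decode("latin-1").replace("\\", "/").lower()


SAMPLE_LINES = [  # constructed: advisory probes mixed with ordinary requests
    "GET /index.html HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
]


def classify(request_line: str):
    """Return a label for a Nimda-style probe, or None for ordinary traffic."""
    m = re.match(r"^(?:GET|HEAD|POST)\s+(\S+)", request_line)
    if not m:
        return None
    path = normalise(m.group(1).split("?", 1)[0])
    # root.exe in /scripts or /msadc and the /c, /d virtual roots are
    # artifacts left by CodeRed II that the worm reuses.
    if re.match(r"^/(scripts|msadc)/root\.exe$", path):
        return "codered2-root.exe"
    if re.match(r"^/[cd]/winnt/system32/cmd\.exe$", path):
        return "codered2-drive-mapping"
    if "/../" in path and path.endswith("cmd.exe"):
        return "traversal-to-cmd.exe"
    return None


def scan(lines):
    """Return (line, label) for every line that matches a probe."""
    hits = []
    for line in lines:
        label = classify(line)
        if label:
            hits.append((line.strip(), label))
    return hits
```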

Cleaning An Infected System

Cleaning an infected system can be complex and depends on what antivirus product you have and whether this is a web server or client system. In some cases, especially those involving servers, it is probably simpler to format and reinstall a system than to try to disinfect and restore it. Check your antivirus vendor for the latest disinfection instructions. A good set of detailed instructions is available from F-Secure. The following is a brief list of the steps you must go through.

  1. Disconnect the system from the network.
  2. Run an antivirus program to locate all infected files. Let the antivirus program clean any files it can and delete those that it cannot. Replace any system files you have to delete.
  3. Locate the following files and delete or replace them as necessary.
     File                       Operation                                        Location
     *.EXE                      Delete or replace infected files.                Anywhere
     admin.dll                  Delete                                           Root directories of disks and the \scripts directory of a web server
     mmc.exe                    Delete                                           \windows or \winnt
     wininit.ini                Delete                                           \windows or \winnt
     riched20.dll               Delete and replace                               Windows NT: \winnt\system32; Windows 9x: \windows
     *.eml, *.ews               Delete infected files.                           Anywhere
     *.htm, *.html, *.asp       Remove virus code from the end, or delete.       Anywhere
     MEP*.tmp, MEP*.tmp.exe     Delete                                           \temp, \windows\temp, \winnt\temp
     readme.exe                 Delete                                           Anywhere
     readme.eml                 Delete                                           Web directories
     load.exe                   Delete                                           \windows or \winnt
     system.ini                 Change the line                                  \windows or \winnt
                                shell=explorer.exe load.exe -dontloadold
                                to: shell=explorer.exe
  4. Check all the shares on your local drives to ensure that the share is needed and that the permissions set on that share are appropriate. Everyone - Full Control is generally not appropriate.
  5. Remove the Guest account. If you need a Guest account, reinstall it with the appropriate restrictions. The guest account should not be in the Administrators group.
  6. Reboot and scan everything again to ensure that you have gotten all copies of the infected files, as nimda will try to replace deleted files.

Again, it is better (and often easier) to reinstall the system and software than to try to clean up this worm.

Determining If Your System Is Vulnerable

Server

A web server is vulnerable if you have not installed the security patches contained in Microsoft's security bulletin and patch MS01-044. This is actually a cumulative patch. You should keep a log of what patches you have installed and when. If you don't have a log, you may be able to tell which patches are installed by looking in the \winnt directory with hidden files turned on and finding the patch uninstall directories. These directories are named $NtUninstall followed by the Microsoft Technet article number (Q####). You can look up that article number on the Microsoft website to see what patch the number represents. If you still don't know whether the patch has been installed, install it again. Check all shared drives to ensure that they are needed and that the permissions are appropriate. Note that on an NT server, access permissions can be set on the share or by the NTFS file permissions. It is common practice to have an open share and then control access with restrictive NTFS file permissions.

Client

To see if your copy of Internet Explorer is vulnerable, open Internet Explorer and choose the Help, About Internet Explorer command. The About window that appears lists the version of Internet Explorer, the service packs installed (SR1, SR2) and any other patches by their Microsoft Technet number (Qnnnn). If your version is 6.0 or later, or your version is 5.01 or 5.5 with service pack 2 (SR2), your system is safe from the automatic running of infected e-mail and infected web pages. However, if you receive an infected e-mail and you run the attachment by hand you will be infected. Also, if you have open file shares and there is an infected server in your domain, you may be infected through the shares. Check all shared drives and directories to ensure that they are needed and that the permissions are appropriate. This is especially necessary for Windows 9x systems, which cannot protect shares with file permissions. These systems depend on the share permissions to protect the files.


CIAC would like to thank F-Secure and Microsoft and all the researchers world wide who contributed to our understanding of this worm.


CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788