ALERT: NEW WORM
#1
Seems to be a new worm on the loose: known as W32.Nimda.
Details sketchy at present but it uses IIS AND Email to infect.
Any IIS server that isn't patched is vulnerable.
However, servers that ARE patched may be vulnerable if the IWAM account has sufficient privileges.
If in doubt and you don't use them, delete everything in the \inetpub\scripts directory.
It may also arrive as README.EXE, and README.EML files may be placed on the hard disk - DO NOT open these!!
See
#5
Not sure, as I don't have McAfee to run it but it ALSO adds javascript to your webpages that force a download of the virus to any client that connects to it.......
Currently a Level 4 alert on SARC: best solution at the moment is to pull the plug!!
#7
Best solution is never to pull the plug. Make sure your users are educated, your servers are patched and your AV software is up to date. We now have information and drivers on our web site.
#8
Update: This threat can infect machines that have browsed an infected web page; this apparently only occurs with Internet Explorer and only with certain security settings.
#9
Is there a signature HTTP request you can look for in cache logs etc.?
Currently the network I work on (large public) is being hammered by what appears to be Code Red II, spreading disappointingly fast.
Before anyone asks, we do not have the ability or authority to insist or control what patches end users apply. It's just our fault when things go **** up.
Regards
Dean
#11
Yep Jack, this is a biggie!
Disinfection is going to be a real headache and will be hard to do without tools from the AV vendors:
The javascript to do the download that infects people who connect to the server is added at the end of the webpages (all htm files on the machine, but only appears to affect ASPs as they are opened).
Any EXE file that has been opened has the virus appended as a stub: this virus code runs first and then loads the actual program so users don't notice.
Creates Admin.dll on c:, d: and e:
Creates an MMC.EXE in \winnt so that gets loaded before the real MMC(!)
Also makes changes to the registry, tries to add the Guest user to the Administrators group, creates shares, puts Readme.eml files all over the place.
Seems to use TFTP to download files to the machine too.
NASTY and getting worse the more I look at it....
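A host sweep for the artifacts listed in the post above, as an added example that is not code from this thread: it walks one drive looking for Admin.dll at the drive root, an MMC.EXE sitting in \winnt rather than \winnt\system32, README.EML/README.EXE copies anywhere, and web pages (.htm/.html/.asp) whose tail mentions readme.eml. That last check assumes the appended JavaScript references the dropped readme.eml; the thread only says a script is appended that forces the download. The registry, Guest-account and share changes need Windows APIs and are not covered here. The drive layout is constructed in a temp directory so the script runs offline on any platform.

```python
import os
import tempfile

# Names taken from the thread: Admin.dll at drive roots, MMC.EXE dropped in \winnt
# (the real one lives in \winnt\system32), README.EML / README.EXE copies anywhere.
ROOT_ONLY = {"admin.dll"}
WINNT_ONLY = {"mmc.exe"}
ANYWHERE = {"readme.eml", "readme.exe"}
WEB_EXT = {".htm", ".html", ".asp"}
# Assumption: the JavaScript the thread mentions is appended at the end of the page
# and names the dropped readme.eml, so only the page tail is searched.
TAIL_BYTES = 4096
TAIL_MARKER = b"readme.eml"


def _tail_has_marker(path):
    """Read the last TAIL_BYTES of a file and look for the marker, case-insensitively."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - TAIL_BYTES))
        return TAIL_MARKER in fh.read().lower()


def sweep(drive_root):
    """Walk one drive and return (reason, path) tuples for every indicator found."""
    findings = []
    drive_root = os.path.abspath(drive_root)
    for dirpath, _dirs, files in os.walk(drive_root):
        rel = os.path.relpath(dirpath, drive_root).lower()
        for name in files:
            lname = name.lower()
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(lname)[1]
            if lname in ROOT_ONLY and rel == ".":
                findings.append(("dll dropped at drive root", full))
            elif lname in WINNT_ONLY and rel == "winnt":
                findings.append(("mmc.exe outside system32", full))
            elif lname in ANYWHERE:
                findings.append(("worm mail copy", full))
            elif ext in WEB_EXT and _tail_has_marker(full):
                findings.append(("web page tail references readme.eml", full))
    return findings


def build_sample_tree():
    """Constructed drive layout for an offline demo (not taken from an infected host)."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    # Constructed page with a script appended after the real closing </html>.
    infected_page = (b"<html><body>Welcome</body></html>\n"
                     b'<html><script language="JavaScript">'
                     b'window.open("readme.eml", null)</script></html>')
    layout = {
        "admin.dll": b"MZ",
        os.path.join("winnt", "mmc.exe"): b"MZ",
        os.path.join("winnt", "system32", "mmc.exe"): b"MZ",  # legitimate, must not be flagged
        os.path.join("inetpub", "wwwroot", "readme.eml"): b"MIME-Version: 1.0\r\n",
        os.path.join("inetpub", "wwwroot", "default.htm"): infected_page,
        os.path.join("inetpub", "wwwroot", "about.htm"): b"<html><body>About</body></html>",
        os.path.join("docs", "readme.txt"): b"nothing to see",
    }
    for relpath, data in layout.items():
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for reason, path in sweep(demo_root):
        print(f"{reason}: {path}")
```

On a real box point sweep() at each drive root in turn (the thread lists c:, d: and e:) and treat any hit as confirmation that the disinfection tools from the AV vendor are needed, not a reason to start deleting files by hand.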
#12
I got some worm in my e-mail, but it's crafty: it came from a friend so you don't suspect it to be a worm,
then it sends emails to your friends too. It's called
PE MAGISTR.DAM
so be aware; it's gone into folders on my c://windowssystem.
My computer's still working ok so it must be a mild one. I found it using the free scan that comes on
#15
As a service provider, am powerless to prevent or cure infection other than to inform customers with infected servers by monitoring traffic going through caches and firewalls etc. Can then track IP addresses and have them blocked until the offending boxes have been patched and cleaned.
Any detail on the signature GET requests appreciated. CERT has some detail but not a lot so far.
Dean
#16
I'm a computer dummy and would like to know if this a type of worm that automatically infects the PC once the mail is received, or is it one of those viruses where I can delete the mail if I receive it and save the PC or whatever the worm infects?
Any comments will be, as usual, appreciated
Cheers,
Wrexy.
#19
Virus attempts to spread from machine to machine via network shares, could be something to do with it. I'm off to the lab now will find out more if you like.
#22
quote: Originally posted by ChrisB:
Jack,
Just a mention but Enterprise SecureCast hasn't flagged up anything so far!
I'm on a leased line so it can check for stuff at anytime.
ChrisB.
4160 DATs have just shown up on it but no Virus Alert yet.
#23
Hmmm....Vigilinx alert is recommending udp/69 be shutdown/restricted...question is, why?
All I can think is as a transport medium to be used once a device is infected.
Thanks
Richard
#25
quote: Originally posted by dowser:
Hmmm....Vigilinx alert is recommending udp/69 be shutdown/restricted...question is, why?
All I can think is as a transport medium to be used once a device is infected.
Thanks
Richard
I think UDP/69 is TFTP.
#28
Firstly (and we may have made a mistake as it's midnight), these latest DATs appear to DELETE any infected EXEs rather than CLEAN them, so use with EXTREME care.
The more you have used a machine that's infected, the more files will have been infected with the virus.
As for a sig, check the logs for:
GET /scripts/root.exe /c+dir
WREXY - not sure about this one. It transfers the attachment as if it were a WAV file so it _may_ be able to execute on OPENING the email (not 100% certain, but looks possible).
Also, depending on IE settings, if you browse to an infected site it MAY run the infection program without asking you about it.....
BEWARE!!
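Dean asked in #15 for the signature GET requests to look for in cache and firewall logs, and #28 gives one: GET /scripts/root.exe /c+dir. The Python below is an added example, not something posted in this thread. It parses constructed IIS W3C-format log lines, flags requests for a root.exe or cmd.exe stem with a /c+ query (widened from the single /scripts/root.exe line quoted above; the extra paths in the sample, /MSADC, /c/winnt and the %255c traversal form, are an assumption about other variants and not from the thread), groups hits by source address so the offending boxes can be blocked, and separately lists probes answered with 200, since a 200 on /c+dir means the server writing the log ran the command.

```python
import re
import urllib.parse
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not lines from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 14:02:11 10.0.0.12 GET /default.htm - 200
2001-09-18 14:02:13 192.0.2.44 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:13 192.0.2.44 GET /MSADC/root.exe /c+dir 404
2001-09-18 14:02:14 192.0.2.44 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:15 192.0.2.44 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:03:01 10.0.0.9 GET /images/logo.gif - 200
"""

# The thread's signature is "GET /scripts/root.exe /c+dir"; the match below is
# widened (an assumption) to any root.exe or cmd.exe stem with a "/c+" query.
PROBE_RE = re.compile(r"(root|cmd)\.exe$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record, skip it
        yield dict(zip(fields, parts))


def is_probe(stem, query):
    """True when the request looks like the worm's command-execution attempt."""
    decoded = stem
    for _ in range(2):  # %255c decodes to %5c and then to a backslash
        decoded = urllib.parse.unquote(decoded)
    return bool(PROBE_RE.search(decoded)) and query.lower().startswith("/c+")


def scan(text):
    """Group probes by source address: {c-ip: [(stem, query, status), ...]}."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        if is_probe(rec["cs-uri-stem"], rec["cs-uri-query"]):
            hits[rec["c-ip"]].append(
                (rec["cs-uri-stem"], rec["cs-uri-query"], int(rec["sc-status"]))
            )
    return dict(hits)


def sources_to_block(hits):
    """Addresses that sent any probe: candidates for the cache/firewall block list."""
    return sorted(hits)


def successful_probes(hits):
    """Probes answered 200: the logging server executed the command, treat it as compromised."""
    return [(ip, stem) for ip, recs in hits.items() for stem, _q, st in recs if st == 200]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip in sources_to_block(found):
        print(ip, len(found[ip]), "probe(s)")
    for ip, stem in successful_probes(found):
        print("SUCCESSFUL:", ip, stem)
```

Feed scan() the text of each log file; on a proxy cache the same stem/query test applies to the request URL, only the field names in the header differ. A 404 on these requests means the box was probed, not that it is clean: the same source will come back with the other variants.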
#30
Unfortunately Chris, I reckon they ARE!
Maybe not to the IIS infection attempt.
However, the Email payload or connecting to an infected website will probably infect them.
Certainly McAfee state its Win9x/NT/2k/Me.
They now have new DATs that specifically claim to repair infected EXEs