ALERT: NEW WORM

Old 18 September 2001, 05:38 PM  #1
kryten, Scooby Regular, Thread Starter (Join Date: May 2000; Posts: 869)

Seems to be a new worm on the loose: known as W32.Nimda.

Details sketchy at present but it uses IIS AND Email to infect.

Any IIS server that isn't patched is vulnerable.

However, servers that ARE patched may be vulnerable if the IWAM account has sufficient privileges.

If in doubt and you don't use them delete everything in the \inetpub\scripts directory.

Also may arrive as README.EXE and README.EML files may be placed on the hard disk - DO NOT open these!!

See

Old 18 September 2001, 05:47 PM  #2
JackClark, Scooby Senior (Join Date: Dec 2000; Location: Overdosed on LCD; Posts: 20,852)

This is real, I'm on a call right now sorting out details. Will post updates when I have them.

Jack Clark
Dr Solomon's/McAfee

Old 18 September 2001, 06:22 PM  #3
ChrisB, Moderator (Join Date: Dec 1998; Location: Staffs; Posts: 23,573)

Good stuff - more news ASAP please!

ChrisB.

Old 18 September 2001, 06:24 PM  #4
RichB, Scooby Regular (Join Date: Apr 1999; Location: Bore Knee Muff; Posts: 3,666)


Old 18 September 2001, 06:40 PM  #5
kryten, Scooby Regular, Thread Starter (Join Date: May 2000; Posts: 869)

Not sure, as I don't have McAfee to run it but it ALSO adds javascript to your webpages that force a download of the virus to any client that connects to it.......

Currently a Level 4 alert on SARC: best solution at the moment is to pull the plug!!

Old 18 September 2001, 06:59 PM  #6
kryten, Scooby Regular, Thread Starter (Join Date: May 2000; Posts: 869)

Also infects ANY EXE that's been accessed since the infection (and doesn't update the file's date!)......


Old 18 September 2001, 07:01 PM  #7
JackClark, Scooby Senior (Join Date: Dec 2000; Location: Overdosed on LCD; Posts: 20,852)

Best solution is never to pull the plug. Make sure your users are educated, your servers are patched and your AV software is up to date. We now have information and drivers on our web site

Old 18 September 2001, 07:39 PM  #8
JackClark, Scooby Senior (Join Date: Dec 2000; Location: Overdosed on LCD; Posts: 20,852)

Update: This threat can infect machines that have browsed an infected web page; this apparently only occurs with Internet Explorer and only with certain security settings.

Old 18 September 2001, 07:48 PM  #9
dsmith, Scooby Regular (Join Date: Mar 1999; Posts: 4,518)

Is there a signature HTTP request you can look for in cache logs etc.?

Currently the network I work on (large public) is being hammered by what appears to be Code Red II, spreading disappointingly fast.

Before anyone asks, we do not have the ability or authority to insist on or control what patches end users apply. It's just our fault when things go **** up.

Regards

Dean

Old 18 September 2001, 07:49 PM  #10
babber, Scooby Regular (Join Date: Feb 2001; Posts: 4,370)

This sort of thing pisses me off, why do people do this.....

It's so sad.

Old 18 September 2001, 07:52 PM  #11
kryten, Scooby Regular, Thread Starter (Join Date: May 2000; Posts: 869)

Yep Jack, this is a biggie!

Disinfection is going to be a real headache and will be hard to do without tools from the AV vendors:

The javascript to do the download that infects people who connect to the server is added at the end of the webpages (all htm files on the machine, but only appears to affect ASPs as they are opened).

Any EXE file that has been opened has the virus appended as a stub: this virus code runs first and then loads the actual program so users don't notice.

Creates Admin.dll on c:, d: and e:

Creates an MMC.EXE in \winnt so that gets loaded before the real MMC(!)

Also makes changes to the registry, tries to add the Guest user to the Administrators group, creates shares, puts Readme.eml files all over the place.

Seems to use TFTP to download files to the machine too.

NASTY and getting worse the more I look at it....

Old 18 September 2001, 08:47 PM  #12
chelsie_uk, Scooby Regular (Join Date: Sep 2000; Posts: 247)

I got some worm in my e-mail, but it's crafty: it came from a friend so you don't suspect it to be a worm,

then it sends emails to your friends too. It's called
PE MAGISTR.DAM

so be aware, it's gone on my c://windowssystem into folders.
My computer's still working ok so it must be a mild one, I found it using the free scan that comes on

Old 18 September 2001, 10:58 PM  #13
kryten, Scooby Regular, Thread Starter (Join Date: May 2000; Posts: 869)

McAfee have just posted that they have removal available:


Old 18 September 2001, 11:00 PM  #14
ChrisB, Moderator (Join Date: Dec 1998; Location: Staffs; Posts: 23,573)

Thanks for the info Guys.

4159 DATs coming down now!

Ta,

ChrisB.

Old 18 September 2001, 11:12 PM  #15
dsmith, Scooby Regular (Join Date: Mar 1999; Posts: 4,518)

As a service provider, I am powerless to prevent or cure infection other than to inform customers with infected servers by monitoring traffic going through caches and firewalls etc. I can then track IP addresses and have them blocked until the offending boxes have been patched and cleaned.

Any detail on the signature GET requests appreciated. CERT has some detail but not a lot so far.

Dean

Old 18 September 2001, 11:27 PM  #16
WREXY, Scooby Regular (Join Date: Feb 2001; Location: Greece, previously Syd Australia; Posts: 2,833)

I'm a computer dummy and would like to know if this is a type of worm that automatically infects the PC once the mail is received, or is it one of those viruses where I can delete the mail if I receive it and save the PC or whatever the worm infects?

Any comments will be, as usual, appreciated

Cheers,

Wrexy.

Old 19 September 2001, 08:55 AM  #17
JackClark, Scooby Senior (Join Date: Dec 2000; Location: Overdosed on LCD; Posts: 20,852)

Updated description with links to patches for IIS and Internet Explorer.

Old 19 September 2001, 09:09 AM  #18
dowser, Scooby Senior (Join Date: Oct 2000; Location: Zurich, Switzerland; Posts: 3,105)

Anyone know why they're recommending restricting udp/69 (tftp) within the network?

Cheers
Richard

Old 19 September 2001, 09:15 AM  #19
JackClark, Scooby Senior (Join Date: Dec 2000; Location: Overdosed on LCD; Posts: 20,852)

Virus attempts to spread from machine to machine via network shares, could be something to do with it. I'm off to the lab now, will find out more if you like.

Old 19 September 2001, 09:20 AM  #20
ChrisB, Moderator (Join Date: Dec 1998; Location: Staffs; Posts: 23,573)

Jack,

Just a mention but Enterprise SecureCast hasn't flagged up anything so far!

I'm on a leased line so it can check for stuff at anytime.

ChrisB.

Old 19 September 2001, 09:24 AM  #21
dowser, Scooby Senior (Join Date: Oct 2000; Location: Zurich, Switzerland; Posts: 3,105)

Please - I didn't think NT/IIS used this port, think I must have a duff source... trying to trace it

Cheers
Richard

Old 19 September 2001, 09:32 AM  #22
ChrisB, Moderator (Join Date: Dec 1998; Location: Staffs; Posts: 23,573)

Originally posted by ChrisB:
> Jack,
>
> Just a mention but Enterprise SecureCast hasn't flagged up anything so far!
>
> I'm on a leased line so it can check for stuff at anytime.
>
> ChrisB.

4160 DATs have just shown up on it but no Virus Alert yet.

Old 19 September 2001, 09:33 AM  #23
dowser, Scooby Senior (Join Date: Oct 2000; Location: Zurich, Switzerland; Posts: 3,105)

Hmmm.... Vigilinx alert is recommending udp/69 be shut down/restricted... question is, why?

All I can think is as a transport medium to be used once a device is infected.

Thanks
Richard

Old 19 September 2001, 09:38 AM  #24
WREXY, Scooby Regular (Join Date: Feb 2001; Location: Greece, previously Syd Australia; Posts: 2,833)

Kryten,

Thanks for the reply.

Cheers,

Wrexy.

Old 19 September 2001, 10:56 AM  #25
ChrisB, Moderator (Join Date: Dec 1998; Location: Staffs; Posts: 23,573)

Originally posted by dowser:
> Hmmm.... Vigilinx alert is recommending udp/69 be shut down/restricted... question is, why?
>
> All I can think is as a transport medium to be used once a device is infected.
>
> Thanks
> Richard

I think UDP/69 is TFTP.

Old 19 September 2001, 11:02 AM  #26
dowser, Scooby Senior (Join Date: Oct 2000; Location: Zurich, Switzerland; Posts: 3,105)

Thanks Chris

Old 19 September 2001, 11:06 AM  #27
Puff The Magic Wagon!, Moderator, Support Scoobynet! (Join Date: May 2000; Location: From far, far away...; Posts: 16,978)

F'in great

Just found out that our network has got this (c:\admin.dll etc) and IIS & Exchange out & I'M ON HOLIDAY

Remaining office staff have the collective technical ability of a stoat

Looks like I might be going to work today


Old 19 September 2001, 12:10 PM  #28
kryten, Scooby Regular, Thread Starter (Join Date: May 2000; Posts: 869)

Firstly, (and we may have made a mistake as it's midnight) these latest DATs appear to DELETE any infected EXEs rather than CLEAN them, so use with EXTREME care.

The more you have used a machine that's infected, the more files that will have been infected with the virus.

As for a sig, check the logs for:
GET /scripts/root.exe /c+dir

WREXY - not sure about this one. It transfers the attachment as if it were a WAV file so it _may_ be able to execute on OPENING the email (not 100% certain, but looks possible).

Also, depending on IE settings, if you browse to an infected site it MAY run the infection program without asking you about it.....

BEWARE!!
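Dean's question in posts #9 and #15 (a signature request to look for in cache and proxy logs so infected customer boxes can be identified and blocked) and kryten's answer above, worked through as an added example that is not part of this thread or any vendor's tooling. It scans Common Log Format lines for the "GET /scripts/root.exe" plus "/c+dir" request quoted in the thread and tallies hits per client address. The sample log lines are constructed, not real traffic. Two rules go beyond the thread and are assumptions: any executable requested under /scripts/ is treated as suspicious (the thread advises emptying \inetpub\scripts), and a client fetching readme.eml is flagged on the assumption that is the file the injected JavaScript pulls down.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional

# Common Log Format line: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signature quoted in the thread: GET /scripts/root.exe with a "/c+dir" argument.
# The separator before the argument is matched loosely ("?" or a space) because
# logs and write-ups differ on how it appears.
ROOT_EXE = re.compile(r'/scripts/root\.exe(?=[?\s]|$)', re.IGNORECASE)
CMD_ARG = re.compile(r'[?\s]/c\+', re.IGNORECASE)
# Generalisations (assumptions, not from the thread): any executable requested
# under /scripts/ is suspicious on a box whose /scripts directory should be
# empty, and a client pulling readme.eml has probably just been served an
# infected page.
SCRIPTS_EXE = re.compile(r'/scripts/[^\s?"]+\.exe(?=[?\s]|$)', re.IGNORECASE)
README_EML = re.compile(r'/readme\.eml(?=[?\s]|$)', re.IGNORECASE)


class Hit(NamedTuple):
    ip: str
    time: str
    request: str
    reason: str


def classify(request: str) -> Optional[str]:
    """Return a short reason if the request line matches an indicator, else None."""
    if ROOT_EXE.search(request) and CMD_ARG.search(request):
        return "root.exe /c+dir probe"
    if SCRIPTS_EXE.search(request):
        return "executable requested under /scripts/"
    if CMD_ARG.search(request):
        return "command-shell argument in request"
    if README_EML.search(request):
        return "readme.eml fetched"
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Parse log lines and collect the ones that match an indicator."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        reason = classify(m.group("request"))
        if reason:
            hits.append(Hit(m.group("ip"), m.group("time"), m.group("request"), reason))
    return hits


def offending_ips(hits: Iterable[Hit], threshold: int = 1) -> Dict[str, int]:
    """Count hits per client so a provider can decide which addresses to block."""
    counts = Counter(h.ip for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:19:02:11 +0100] "GET /index.htm HTTP/1.0" 200 1432
192.0.2.77 - - [18/Sep/2001:19:02:13 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 566
192.0.2.77 - - [18/Sep/2001:19:02:14 +0100] "GET /scripts/root.exe /c+dir HTTP/1.0" 200 566
10.0.0.9 - - [18/Sep/2001:19:03:40 +0100] "GET /scripts/other.exe HTTP/1.0" 404 0
10.0.0.5 - - [18/Sep/2001:19:04:02 +0100] "GET /readme.eml HTTP/1.0" 200 57344
this line is not in log format and is skipped
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.time}  {h.ip:<12} {h.reason:<40} {h.request}")
    print("clients to block (2+ hits):", offending_ips(found, threshold=2))
```

Run it against a real access or cache log with `scan(open(path))`; the per-client tally from `offending_ips` is the list a provider would hand to whoever manages the firewall. The threshold exists so that a single readme.eml fetch (a victim, not a scanner) is not treated the same as a box repeatedly probing for root.exe.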

Old 19 September 2001, 12:27 PM  #29
ChrisB, Moderator (Join Date: Dec 1998; Location: Staffs; Posts: 23,573)

The joys of an all nighter!

The BBC News reckons 9x / ME isn't susceptible. Doh!

ChrisB.

Old 19 September 2001, 12:41 PM  #30
kryten, Scooby Regular, Thread Starter (Join Date: May 2000; Posts: 869)

Unfortunately Chris, I reckon they ARE!

Maybe not to the IIS infection attempt.

However, the Email payload or connecting to an infected website will probably infect them.

Certainly McAfee state it's Win9x/NT/2k/Me.

They now have new DATs that specifically claim to repair infected EXEs.
