New (More) Annoying Microsoft Worm Hits Net

A new worm seems to be running rampant Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am) I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J : It now has a name: "Nimda." More info here, here, and here.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../ ..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!

Is this just the old Unicode exploit?

Or is it something new?

Looks like an exploit that's been around for a while (way before CR)

Ask them for /etc/passwd!!

That's it! i'm sick of all these worms trying to get cmd.exe when i'm running linux! I'm gonna collect their IPs and flood them with requests for /etc/passwd!!!! If you want to contribute IPs or bandwidth, join the Passwd Flood Network (PFN)!! :)

Bleah...my firewall logs all of this...

And it suddenly had to back up once a week after Code Red started thwacking my machine. Perhaps I should write a script to exploit the root-hack and shut down the affected machines so that the local cable circuit won't be clogged with that crap. I can't imagine how bad this will get.

It's not like @Home (in my area) is doing *anything* to stop this. I really think that they should be policing for such disruptive activities and informing their customers when unsecured machines on their network are comprimised.

Re:Bleah...my firewall logs all of this...

Jeez - I'm ssh'd into my home linux box. Thought I'd check out a few of the infected machines... by pasting the ip's into IE5.5 on my laptop.

Duh! Flipping back and forth between the sites, Slashdot, ssh, answering the phone and guzzling coffee, I didn't notice that IE was crashing, Norton antivirus was triggering... shit.

I'm an idiot. Okay - have I infected my machine? I'm afraid I've been automatically triggering 'readme.eml'. I'm running NT4.0 sp6.

408 worm too?

I'm seeing massive numbers of timed out requests on my sytems this morning. It started at exactly 9:06 eastern time.

I checked one of the IPs and it said 'Fuck USA Government, Fuck PoisonBOx' and opened a second window with what looked like a MIME buffer overflow attempt. I run Opera on Linux so it didn't effect me. It looks like we may be getting hit in a shotgun approach. My systems are in the 207.227 range and 208.

Brian

'Fuck USA' is sadmind

The 'Fuck PoisonBox' you're getting is due to the Sadmind virus.

More at:
http://www.symantec.com/avcenter/venc/data/backdoo r.sadmind.html [symantec.com]

Wrong name

The 208.x.x.x is similiar to Code Red in that it attempts to scan local subnets (I bet you are have a 208.x.x.x IP); therefore, naming it 208 is only good for those in your Class A. We have received attempts from over 100 hosts infected with the Code Red 2 worm, starting from the local class C, then class B, and now class A and others. It appears to be attempting to find rooter servers, for what purpose I can only imagine.

Re:Wrong name

it originally started in just the 63.174 for me. Now it is hitting me from all over the place. It is really nasty b/c of the number of requests that each machine sends out.

I was surfing some porn sites this morning and they seemed horribly affected (none of the images would load and they were slow as hell).

ugh. Just when you thought it was safe to disable "assholes_log".

Re:Wrong name

<replying to myself>
If you try to access a vulnerable server it attempts to send you a 'readme.eml' file with a .wav content type. This file (using strings) appears to contain numerous registry entries plus all the strings used to find and infect other servers.

Re:How to stop Internet Explorer executing said wa

NO! Here's what wget showed me for one host:

[message/rfc822]

So this thing is really evil:

1. it uses many forms of attack
2. it attacks server _and_ clients
3. it propagates by tftping the load from altering hosts (probably from the host which
did the attack before)
4. it alters the content type for the client infection via http+IE

here's more output

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.

Re:here's more output

...including what looks like an attempt to exploit boxes still rooted by Code Red

Assuming that refers to this:

"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"

then that's an exploit for Code Red II [f-secure.com] infected machines, not the original Code Red.

Re:yup!

We got nailed. Apparently if you apply hotfixes, patches, SPs in the wrong order, it undoes previous fixes...

Wrong way:
Service Pack 6A
IIS cumulative rollup patch
Post SP6A security rollup patch

Right way:
Service Pack 6a
Post-SP6a Security Roll-up
IIS Cumulative Patch

We thought we were covered. Nope. :-(

(reference, focus-ms mailing list)

What's the problem?

Why won't someone port these to linux? Microsoft Operating Systems seem to have a monopoly in this field. For now, if you read this in a *nix, just portscan your netmask and a few others and try a few old wu-ftp exploits.

"You have new mail, you open it. Your server begins port scanning every box on the internet. Do the server's mind? Of course not, they have nothing better to do." - New Microsoft Ad?

It looks like Code Blue from here

Security focus [securityfocus.com] has some information on it, we're seeing shedloads of hits at the moment :(

Outlook Express 6.0 can prevent spread

With the new Outlook Express 6.0, you can now prevent the user from opening any attchments.

Here is how it is done:

Tools>Options>Security>check "Do not allow attchments to be saved or opened that could potentially be a virus"

Re:Outlook Express 6.0 can prevent spread

Yeah. If you turn that on, it will warn you that .txt files or .gif files are potentially viral, while letting through .doc and other formats that are "known" (lmao) to be safe - or rather, MS formats.

Actually, it is such a stupid check, it almost makes things worse instead.

Too Slow

Damn. I just got an e-mail from my ISP (corporate LAN/WAN) telling us of this. Here's their text:

~~~~~~~~~~~~~
Many ISPs, including [ISP], are under attack by a new worm that appears to be related to the recent CodeRed worm. This worm attacks Microsoft web servers via a known vulnerability and seeks to replicate itself by searching for other vulnerable servers.
The traffic caused by this worm has caused severe network problems worlwide this morning (18 Sep 2001) according to many ISP-related mailing lists. More information will be sent to this announcement list as it becomes available.
~~~~~~~~~~~~~

OK, so they say it's a Code-Redish bug. According to Taco's post, it's not even close (sort of).

I'm using *NIX/Apache.
I'm not gonna worry about this one (yet again...). Y'all with them damn Win boxes keeping the Internet flooded with this sort of junk, PLEASE either shut of your machines, or get a real OS...
(or at least, apply the damn patch already)

Yep, we're seeing them here too.

David Korpiewski, our Windoze martyr, is hard at work on this one (I Don't Do Windows:-), and had this to say:

Evidence from compromised boxes elsewhere on campus seems to indicate that this bug will create a ton of *.eml files on the computer and they are all about 78k. Wehaven't received an .eml file in hand yet, to view the contents. A variety of .eml files are created, including "desktop.eml", "readme.eml", etc.

A compromised system will attach a readme.eml file to the bottom of all web pages served. This is because there is currently a bug [guninski.com] out for IE5 that will auto execute any given .eml file.

Damn...just submitted this story...

Anyways here's the sequence of attempts it makes, trying to capitalize on old worms that weren't cleaned up properly, as well as known unicode exploits.

2001-09-18 15:10:19 *.*.*.* GET /scripts/root.exe 404 701 72 0 - -

2001-09-18 15:10:19 *.*.*.* GET /MSADC/root.exe 404 701 70 0 - -

2001-09-18 15:10:19 *.*.*.* GET /c/winnt/system32/cmd.exe 404 701 80 0 - -

2001-09-18 15:10:19 *.*.*.* GET /d/winnt/system32/cmd.exe 404 701 80 0 - -

2001-09-18 15:10:19 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 96 10 - -

2001-09-18 15:10:19 *.*.*.* GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/c md.exe 404 701 117 10 - -

2001-09-18 15:10:20 *.*.*.* GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/c md.exe 404 701 117 0 - -

2001-09-18 15:10:20 *.*.*.* GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../ winnt/system32/cmd.exe 404 701 145 0 - -

2001-09-18 15:10:20 *.*.*.* GET /scripts/..Á../winnt/system32/cmd.exe 404 701 97 0 - -

2001-09-18 15:10:20 *.*.*.* GET /scripts/winnt/system32/cmd.exe 404 701 97 10 - -

2001-09-18 15:10:20 *.*.*.* GET /scripts/../../winnt/system32/cmd.exe 404 701 97 0 - -

2001-09-18 15:10:20 *.*.*.* GET /scripts/..\../winnt/system32/cmd.exe 404 701 97 0 - -

2001-09-18 15:10:21 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 98 0 - -

2001-09-18 15:10:21 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 96 0 - -

2001-09-18 15:10:21 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 100 0 - -

2001-09-18 15:10:21 *.*.*.* GET /scripts/..%2f../winnt/system32/cmd.exe 404 701 96 0 - -

Furthermore every attacking system was in the same 255.0.0.0/8 as the target system so it appears to target in the same "Class A" address (of course in this case it's 216.x.x.x so it's not really Class A, but you get the point).

More Info

When the dir command succeeds (or rather, when the worm believes it has succeeded), the next request has a tftp command embedded in it which attempts to install a file called Admin.dll. Following that, there is a request for the dll itself, which presumably kick starts the worm.

I'll take a look at Admin.dll later today.

Worm Un-named no longer

From NTBugTraq

w32.nimda.amm

Info FromRuss at BugTraq

-----BEGIN PGP SIGNED MESSAGE-----

There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These "infected" machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS.

It appears that the attacks can come both from email and from the network.

A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of "audio/x-wav" together with some html parts. There appears to be no text in this message when it is displayed by Outlook when in Auto-Preview mode (always a good indication there's something not quite right with an email.)

The network attacks against IIS boxes are a wide variety of attacks. Amongst them appear to be several attacks that assume the machine is compromised by Code Red II (looking for ROOT.EXE in the /scripts and /msadc directory, as well as an attempt to use the /c and /d virtual roots to get to CMD.EXE). Further, it attempts to exploit numerous other known IIS vulnerabilities.

One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box.

Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the /scripts directory), please forward me a copy of that .dll ASAP.

Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the following;

edit %systemroot/system32/drivers/etc/services.

change the line;

tftp 69/udp

to;

tftp 0/udp

thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows File Protection so can't be removed.

More information as it arises.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVMM DU ChVqn6yReQXqEH
Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVYJ Uu pDHB1Yy1DY/po6
iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQja mK I2eqd4TdE0yfIO
hSW7yN2lhJc=
=YAwc
-----END PGP SIGNATURE-----