Updated mitigators and cleansing of Nimda

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 09/19/01


Message-ID:  <E9A01F52DC939448BBDE44ED2E1C468F1F14F0@muskie.rc.on.ca>
Date:         Tue, 18 Sep 2001 18:19:13 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
Subject:      Updated mitigators and cleansing of Nimda
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


-----BEGIN PGP SIGNED MESSAGE-----

Infection vectors:
-----------------
a) Email as an attachment of MIME audio/x-wav type.
b) By browsing an infected webserver with Javascript execution
enabled and using a version of IE vulnerable to the exploits
discussed in MS01-020 (e.g. IE 5.0 or IE 5.01 without SP2).
c) Machine to machine in the form of IIS attacks (primarily
attempting to exploit vulnerabilities created by the effects of Code
Red II, but also vulnerabilities previously patched by MS00-078)
d) Highlighting either a .eml or .nws in Explorer with Active Desktop
enabled (W2K/ME/W98 by default) then the THUMBVW.DLL will execute the
file and attempt to download the README.EXE referenced in it
(depending on your IE version and zone settings).
e) Mapped drives. Any infected machine which has mapped network
drives will likely infect all of the files on the mapped drive and
its subdirectories.

To prevent yourself from being infected:

a) Ensure all IE versions have applied MS01-027 (or are IE 5.01SP2 or
above)

b) Disable Active Scripting in IE

c) Ensure all IIS installations have applied MS01-044 (or at the very
least MS01-033)

d) Use the CACLS program to modify the permissions on TFTP.EXE to
remove all use:

CACLS %systemroot%\system32\tftp.exe /D Everyone
CACLS %systemroot%\system32\tftp.exe /D System

Do the same for CMD.EXE
(note, this could be tried with THUMBVW.DLL as well, haven't tried
this myself yet)

e) Ensure that TFTP is not permitted out through your network gateway
(note that newly infected machines may try and TFTP *internally* from
some other infected machine you have on your network)

f) Modify or remove:

HKEY_CLASSES_ROOT\.eml
HKEY_CLASSES_ROOT\.nws

Cleansing information:
---------------------

Nimda is viral, so while you can remove various files that it drops,
it probably will not be cleaned completely by manual means. This
means you will have to use your AntiVirus vendor's product to
completely cleanse.

a) Load.exe dropped as hidden/system file (probably in %systemroot%)
b) Riched20.dll dropped with today's date as hidden/system file.
c) Readme.exe dropped in every directory
d) Admin.dll dropped in /scripts and/or root directories (not the
_vti_bin directories of FrontPage)
e) .eml and .nws files dropped in every directory
f) Possibly modified your default home page in web dirs.
g) Infected numerous files (if not all files) with the 56kb
executable.
h) Reports of people having files lumped together into .eml files

Check with your AV Vendor regularly for updates to the cleansing
programs. I would appreciate any reports from AV Vendors as to how
complete they feel their cleaners currently are. I will do an update
later tonight based on responses.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO6fIYRBh2Kw/l7p5AQE/ugQAx8+paBZ9jdt5ikstAU9QNHRYfhdDzQ55
1n03W3lH9vEgl2uFZ1NooASAAC1zsO/yeKJcftvjHWosBdXVNNYV3RcRgZ63hvdY
7DlgfuYpBXOPQHCBuQuh0yPOBUbtMJjnEX+d/8opifv18VPbCEWUg8NV5OiFIlEi
6NOlaobfFR4=
=U1y0
-----END PGP SIGNATURE-----
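A mail-gateway check for infection vector (a) in the post above (an executable delivered as a MIME audio/x-wav attachment). This is an added example and not code from Russ's message or from NTBugtraq; the sample message, the function names and the choice of heuristics are all my own constructions. It uses only the Python standard library's email package and flags an attachment when its declared type, its filename and its actual bytes disagree.

```python
"""Added example (not from the original post): flag mail attachments that
use the Nimda vector described in (a) above, an executable declared as
MIME type audio/x-wav. The sample message and all function names here are
constructed for illustration."""
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE_SUFFIXES = (".exe", ".dll")   # the file types the post lists as dropped


def build_sample_message() -> bytes:
    """Construct a message resembling the vector: a fake PE file (MZ header)
    sent as audio/x-wav, plus a benign text attachment for contrast."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "(no subject)"
    msg.set_content("see attached")
    # Constructed stand-in for an executable: only the MZ header matters here.
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
    msg.add_attachment(fake_pe, maintype="audio", subtype="x-wav",
                       filename="readme.exe")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


def suspicious_attachments(raw: bytes) -> list:
    """Return one dict per attachment whose declared type, name and content
    disagree in the way the worm's mailer produces."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if payload.startswith(b"MZ"):
            reasons.append("payload starts with an MZ (Windows executable) header")
        if name.endswith(EXECUTABLE_SUFFIXES):
            reasons.append("executable filename")
        if ctype == "audio/x-wav" and not payload.startswith(b"RIFF"):
            reasons.append("declared audio/x-wav but payload is not a RIFF/WAV file")
        if reasons:
            findings.append({"filename": name, "content_type": ctype,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in suspicious_attachments(build_sample_message()):
        print(hit)
```

The three checks are deliberately independent: a gateway that only trusts the declared MIME type is exactly what this vector bypasses, so the content sniff (MZ header, missing RIFF header) is the one that matters even when the filename has been changed.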

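A host-side indicator scan for the cleansing list (a) to (h) above: it walks a directory tree and reports the dropped files the post describes (load.exe, a riched20.dll carrying today's date, readme.exe, admin.dll in the web root or /scripts but not in FrontPage's _vti_bin, and .eml/.nws files). This is an added example, not code from the original post or from any AV vendor; the sample tree it builds is constructed for the demonstration, and the hidden/system attribute check only has effect on Windows, where os.stat exposes st_file_attributes. It does not attempt to clean anything, in keeping with the post's point that manual removal is not sufficient.

```python
"""Added example (not from the original post): scan a directory tree for the
files Nimda is described as dropping. Names and reasons are my own; run it
against a copy of a suspect tree to get a list of candidates for review."""
import datetime
import os
import stat
import tempfile

# Windows hidden/system bits; stat defines these on every platform but the
# st_file_attributes field itself exists only on Windows.
HIDDEN_SYSTEM = (getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
                 | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4))


def scan_tree(root, today=None):
    """Return sorted (relative_path, reason) tuples for every indicator found."""
    today = today or datetime.date.today()
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        in_root = rel_dir == "."
        in_scripts = os.path.basename(dirpath).lower() == "scripts"
        for name in files:
            lower = name.lower()
            st = os.stat(os.path.join(dirpath, name))
            attrs = getattr(st, "st_file_attributes", 0)   # 0 off Windows
            hidden_sys = " (hidden/system)" if attrs & HIDDEN_SYSTEM else ""
            mtime = datetime.date.fromtimestamp(st.st_mtime)
            rel = name if in_root else f"{rel_dir}/{name}"
            reason = None
            if lower == "load.exe":
                reason = "load.exe dropper" + hidden_sys
            elif lower == "riched20.dll" and mtime == today:
                reason = "riched20.dll modified today" + hidden_sys
            elif lower == "readme.exe":
                reason = "readme.exe copy of the worm"
            elif lower == "admin.dll" and (in_root or in_scripts):
                reason = "admin.dll in web root or /scripts"
            elif lower.endswith((".eml", ".nws")):
                reason = "dropped .eml/.nws mail file"
            if reason:
                hits.append((rel, reason))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed tree with several indicators and some benign
    files (including FrontPage's own _vti_bin/admin.dll); returns its path."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    for sub in ("scripts", "_vti_bin", "docs"):
        os.makedirs(os.path.join(root, sub))
    layout = {
        "load.exe": b"MZ", "riched20.dll": b"MZ", "readme.exe": b"MZ",
        "default.asp": b"<html>", "scripts/admin.dll": b"MZ",
        "_vti_bin/admin.dll": b"MZ",          # legitimate location, not flagged
        "docs/readme.eml": b"MIME-Version: 1.0", "docs/readme.txt": b"text",
    }
    for rel, data in layout.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    # Age one benign file so the date check is visibly selective.
    old = (datetime.datetime.now() - datetime.timedelta(days=30)).timestamp()
    os.utime(os.path.join(root, "docs", "readme.txt"), (old, old))
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, why in scan_tree(sample):
        print(f"{path}: {why}")
```

The date check on riched20.dll is there because the post singles out "today's date" as the distinguishing feature of the dropped copy; on a real machine pass the date of the suspected infection as `today` rather than relying on the default.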