Re: Removing the W32.Nimda.A@mm from Windows 95/98

From: Nick FitzGerald (nick@VIRUS-L.DEMON.CO.UK)
Date: 09/19/01


Message-ID:  <200109190035.MAA04518@fep3-orange.clear.net.nz>
Date:         Wed, 19 Sep 2001 12:35:06 +1200
From: Nick FitzGerald <nick@VIRUS-L.DEMON.CO.UK>
Subject:      Re: Removing the W32.Nimda.A@mm from Windows 95/98
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Dan Browder <danb@PROXY.HORIZONDISPLAYS.COM> wrote:

> There are more steps to take:
>
> Win98 may backup system.ini in:
> c:\windows\sysbckup\rb000.cab (001.cab etc)
>
> which would contain the infected system.ini

Technically, that file is not "infected" -- just modified. If that
SYSTEM.INI is restored and there is no LOAD.EXE it refers to to run,
then nothing happens (well, maybe an error is displayed??).

<<snip>>
> Along with riched20.dll, you also need to delete or restore MAPI.DLL,
> possibly winzip32.exe
>
> Other possible infected files to check (these may be Win2k only)
>
> winzip32.exe

Actually, it seems that Nimda *avoids* infecting winzip32.exe --
probably because it is the only common Win32 EXE that is well-known
to do a self-integrity check.

> riched20.dll
> MAPI32.DLL
> MPR.DLL
> mmc.exe
> system.ini
> load.exe
>
> I pulled those out of the load.exe executable.
>
> c: readme main index default html .asp .htm \readme.eml .exe
> mep
>
> The above line, in load.exe makes me assume that on an IIS box it will
> replace the default page with readme.eml

It patches a reference into the end of the page, causing vulnerable
browsers (basically all IE before 5.1sp2 I think) to automatically
download and run the viral EXE from the server.

> Search the entire box for *.eml, *.nws, readme*.exe, load.exe and delete all
> instances, search all network shares which are open to this box for *.eml,
> *.nws, readme*.exe, load.exe and any of the above files. Check their dates
> and sizes against a clean box.
>
> The filenames for the EML and NWS files seem to be random files on the
> drive, but may be coming from a Recent Documents List.
>
> We've only had one infected computer, which was Win98, but it spread files
> to shares on Win2k, NT4 and Macintosh using the DAVE file sharing product.
> It also replaced riched20.dll on a separate NT4 box.

Yep -- open shares and any shares writable by staff that are not
utterly trustable to make the right decision 100% of the time will
also have been targeted by Nimda should it have been run inside
your LAN.

Nimda quite clearly shows why scanning-based approaches to virus
"prevention" are a fool's paradise. If anyone is pissed that this
happened to them, then they should be asking "Why are our systems set
up so shoddily?" and then will hopefully realize that a large part of
the answer to that is that neither operating systems *nor* third-party
security product nor systems management software developers
have provided adequate integrity management tools.

If you want *prevention*, known virus scanners will never be adequate.
How many more incidents like Nimda can you afford before you will
have to change the way your systems are administered and change the
way your users use them?

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
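The cleanup steps discussed in this thread (hunt for *.eml, *.nws, readme*.exe and load.exe; compare the listed system files such as riched20.dll and MAPI32.DLL against a clean box; check SYSTEM.INI for its LOAD.EXE reference and web pages for the patched-in readme.eml reference) gathered into one added triage script, which is not code from the thread or from either poster. It assumes a baseline of SHA-256 hashes taken from a known-clean machine in place of the date-and-size comparison, and the tree it scans is constructed placeholder data; a mounted share would be passed as `root` the same way.

```python
import fnmatch, hashlib, os, re, tempfile

# File names the cleanup advice in the thread says to hunt down and delete.
SUSPECT_GLOBS = ("*.eml", "*.nws", "readme*.exe", "load.exe")
# Page types the thread says get a readme.eml reference patched in on an IIS box.
WEB_EXTS = (".htm", ".html", ".asp")

def read_bytes(path):
    with open(path, "rb") as f:
        return f.read()

def scan_tree(root, baseline):
    """Sorted (category, path) findings; baseline maps lower-case name -> clean-box SHA-256."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path, lower = os.path.join(dirpath, name), name.lower()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(lower, g) for g in SUSPECT_GLOBS):
                findings.append(("dropped-file", rel))
            elif lower in baseline:                      # riched20.dll, mapi32.dll, mpr.dll, mmc.exe
                if hashlib.sha256(read_bytes(path)).hexdigest() != baseline[lower]:
                    findings.append(("replaced-system-file", rel))
            elif lower == "system.ini":                  # the thread: SYSTEM.INI refers to LOAD.EXE
                if re.search(rb"load\.exe", read_bytes(path), re.I):
                    findings.append(("patched-system-ini", rel))
            elif lower.endswith(WEB_EXTS):               # the thread: readme.eml reference appended
                if re.search(rb"readme\.eml", read_bytes(path), re.I):
                    findings.append(("patched-web-page", rel))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample tree with harmless placeholder bytes (not real Nimda artefacts)."""
    root = tempfile.mkdtemp(prefix="nimda-triage-demo-")
    clean_dll = b"CLEAN DLL PLACEHOLDER"
    files = {
        "windows/system/riched20.dll": b"PLACEHOLDER FOR A SWAPPED DLL",
        "windows/system/mapi32.dll": clean_dll,
        "windows/system.ini": b"[boot]\nshell=explorer.exe load.exe\n",  # constructed reference
        "windows/load.exe": b"X", "shares/docs/readme.eml": b"X", "shares/docs/budget.nws": b"X",
        "shares/docs/readme.exe": b"X", "shares/docs/notes.txt": b"ordinary document",
        "inetpub/wwwroot/default.asp": b"<html>site</html><!-- constructed: readme.eml -->",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    clean_hash = hashlib.sha256(clean_dll).hexdigest()
    return root, {"riched20.dll": clean_hash, "mapi32.dll": clean_hash}
```

Running `scan_tree(*build_demo_tree())` reports the four dropped files, the swapped riched20.dll, the modified system.ini and the patched default.asp, and stays silent on the untouched mapi32.dll and notes.txt.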
