Da es zur Zeit sehr schwirrig ist, auf die HP von Symantec zu kommen (brauchte 5 Minuten) hier der Warnhinweis von Symantec:
HABE DIESEN TEXT DURCH MEIN ÜBERSETZUNGSPROGRAMM GELASSEN. WER ES IN DEUTSCH LESEN WILL (ACHTUNG, VORHER ALKASELTZR SCHLUCKEN WEGEN KOPFWEH, IST NUR ROHÜBERSETZUNG)
In Deutsch
Symantec Security Response has received a number of submissions on W32.Nimda.A.@mm and is rating it as a Category 4.
W32.Nimda.A@mm is a new mass-mailing worm that utilizes multiple methods to spread itself. The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers, and is a virus infecting both local files and files on remote network shares.
The worm uses the Unicode Web Traversal exploit. A patch and information regarding this exploit can be found at
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
When the worm arrives by email, the worm uses a MIME exploit allowing the virus to be executed just by reading or previewing the file. Information and a patch for this exploit can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Users visiting compromised Web servers will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment. Users can disable ´File Download´ in their internet security zones to prevent compromise.
Also, the worm will create open network shares on the infected computer, allowing access to the system. During this process the worm creates the guest account with Administrator privileges.
Type: Worm
Infection Length: 57344
Virus Definitions: September 18, 2001
Threat Assessment:
Wild:
High Damage:
Medium Distribution:
High
Wild:
Number of infections: 50 - 999
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy
Damage:
Payload:
Large scale e-mailing: Uses MAPI to send itself out as Readme.exe (Readme.exe will NOT be visible as an attachment in the email received)
Modifies files: Replaces multiple legitimate files with itself.
Degrades performance: May cause system slowdown
Compromises security settings: Opens the C drive as a network share
Distribution:
Name of attachment: README.EXE (This file will NOT be visible as an attachment in the email received)
Size of attachment: 57344
Shared drives: Opens network shares
Target of infection: Attempts to infect unpatched IIS servers
Technical description:
Infection via Web Server
W32.Nimda.A@mm attempts to infect unpatched Microsoft IIS web servers. On Microsoft IIS 4.0 and 5.0, it is possible to construct a URL that would cause IIS to navigate to any desired folder on the logical drive that contains the web folder structure, and access files in it. A patch and information regarding this exploit can be found at
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
Successful exploitation of the Directory Traversal Vulnerability gives the attacker the ability to install and run code, as well as add, change or delete files or web pages on the compromised server. The limitations of the original vulnerability include:
1. The server configuration - The vulnerability only allows files to be accessed if they reside on the same logical drive as the web folders. So, for instance, if a web administrator had configured the server so that the operating system files were installed on the C: drive and the web folders were installed on the D: drive, the attacker would be unable to use the vulnerability to access the operating system files.
2. The attacker must be logged onto the server interactively.
3. The privileges gained would be only those of a locally-logged-on user. The vulnerability only would allow the malicious user to take actions in the context of the IUSR_machinename account.
However, by using the W32.Nimda.A@mm worm as a delivery mechanism, the attacker is able to compromise a vulnerable IIS server remotely and once compromised, create a local account on the targeted server with administrator privileges regardless of which drive the IIS server is installed on. The worm uses directory traversal techniques to access cmd.exe on unpatched IIS servers. The worm also attempts to use previously CodeRed II compromised IIS servers to propagate and access root.exe from the Inetpub/scripts directory.
The worm searches for web servers using randomly generated IP addresses. By using this exploit, the worm copies itself to the web server as admin.dll. This file is then executed on the web server and copied to multiple locations. The worm uses this exploit as well as attempts to exploit web servers that may have been exploited already by a hacker or another worm, which used this or other exploits. Specifically, the worm attempts to use root.exe or cmd.exe which has been placed in a remote executable directory to upload itself as admin.dll. The worm then attempts to modify .htm, .html., and .asp files on the local drive with JavaScript that causes readme.eml, which is created by the virus to be loaded by Internet Explorer and Outlook Express. This file contains the worm as an attachment, which may be executed without detaching or running the attachment.
System Modifications
When executed the worm overwrites MMC.EXE with itself. The worm then infects commonly used executables listed in the registry key:SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
The worm hooks the system by modifying the system.ini file as follows:
Shell = explorer.exe load.exe -dontrunold
and also replaces riched20.dll. Riched20.dll is a legitimate Windows .DLL used by applications such as Microsoft Word. By replacing this DLL, the worm is executed each time applications such as Microsoft Word are executed.
The worm copies itself as the file:
%Window\System%\load.exe
NOTE: %Windows\System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System) and copies itself to that location
The worm then attempts to infect files in directories on the local system that are shared with other network computers. .EXE files are infected and .EML and .NWS files are replaced by the virus.
Next, the worm creates open network shares for all drives on the computer by modifying the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$ -> Z$]
A reboot of the computer is required for these settings to take effect.
The worm searches for all open shares on the network by iterating through the Network Neighborhood. All files on any open network shares are examined for possible infection. .EXE files are infected by the worm except WINZIP32.EXE. .EML and .NWS files copied to the open network shares and the worm copies itself as riched20.dll.
Mass-Mailer
The worm begins the mass-mailing routine by first searching for email addresses. The worm searches for email addresses in .HTM and .HTML files on the local system. The worm also uses MAPI to iterate through messages in the Inbox of email clients. Any MAPI supporting email clients may be affected including Outlook (Express). The worm uses these email address for the To: and the From: addresses. Thus, the From: addresses will not be from the infected user. The worm uses its own SMTP server to send out emails using the configured DNS entry to obtain a mail server record (MX record).
Next, the worm changes Explorer settings to not show hidden files and known file extensions.
The worm adds the user guest under the groups Guests and Adminstrators thus, giving the guest account Administrative privileges. In addition, the worm actively shares C$ = C:\ No reboot is required.
When infecting files, the worm may create may temporary files in the Windows Temporary directory as:
mep[nr][nr][letter][nr].TMP.exe
mep[nr][nr][letter][nr].TMP
Both files will be hidden and have the system attribute set.
When the worm is received by email, the worm uses a old known MIME exploit to auto-execute itself. The worm will be unable to execute via Outlook (Express) if the system has been patched against this exploit. Information regarding this exploit can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Symantec Enterprise Firewall
Symantec Enterprise Firewall and Raptor Firewall will, through proper configuration, analyze HTTP requests and responses to ensure they adhere to the Requests for Comments (RFC) defining Web protocol behavior. This mechanism effectively blocks many common attacks that take advantage of protocol violations. In addition, Symantec Enterprise Firewall/Raptor Firewall version 6.5 or later can be configured to use URL pattern matching on rules to block against quantified threats on specific web server platforms.
Symantec Enterprise Security Manager (ESM)
Symantec Enterprise Security Manager is a scalable security policy compliance and host-based vulnerability assessment tool. Using this tool you can detect systems that are running IIS server, detect systems that have the web Directory Traversal Vulnerability and can also detect modified files, new files and deleted files through its ´tripwire-like´ snapshot technology. It can also detect other modifications in the registry, useful in forensic analysis. If you have not already deployed ESM within your enterprise it is of limited use in recovering from a widespread compromise like W32.Nimda.A@mm. However, it has tremendous strength in mitigating the risk of the next W32.Nimda.A@mm type worm since it enforces best practices, e.g., identifying inadequate patch levels, unneeded services, and weak passwords.
Symantec NetRecon
Symantec NetRecon is a network vulnerability assessment scanner with root cause analysis capabilities. It detects systems that are running Web services – specifically Microsoft IIS and also detect systems that have the web Directory Traversal Vulnerability.
Symantec NetProwler
NetProwler is Symantec´s network-based intrusion detection tool that continuously and transparently monitors your network for pattern of misuse or abuse. With Security Update 8 installed, NetProwler will detect the CodeRed worm and variants operating on your network. The NetProwler logs will identify each system compromised by the W32.Nimda.A@mm worm. NetProwler can also assist in forensic analysis by reviewing log entries to provide clues as to which host(s) on the network were first compromised by the worm.
Symantec Intruder Alert
Intruder Alert is a host-based Intrusion detection tool that detects unauthorized and malicious activity, keeping systems, applications, and data secure from misuse and abuse. The FileWatch function in Intruder Alert can monitor and detect mission-critical files for any changes, deletions, or movements that may have resulted from unauthorized access after W32.Nimda.A@mm compromise. In addition, Intruder Alert provides utilities to develop custom rules that can restore the compromised/changed files to their original state. Intruder Alert also monitors a system for suspicious behavior such as rootkit or DDoS agent installation, account creation, or modification. Intruder Alert can centrally manage log file events from across the network to assist in forensic analysis of compromised systems.
Removal instructions:
Symantec Security Response is currently investigating the steps necessary for removal of this worm. We will post updated information as it becomes available.
Gruss aus Luzern
Bruno
Forum bei Chainat.ch
Letzte Änderung: Chainat-Bruno am 19.09.01, 09:50
