W32.Nimda.A@mm
Discovered on: September 18, 2001
Last Updated on: September 19, 2001 at 12:43:17 AM PDT

Symantec Security Response has received a number of submissions on W32.Nimda.A@mm and is rating it as a Category 4.

W32.Nimda.A@mm is a new mass-mailing worm that uses multiple methods to spread itself. The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers, and is a virus that infects both local files and files on remote network shares.

The worm uses the Unicode Web Traversal exploit. A patch and information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.

When the worm arrives by email, it uses a MIME exploit that allows the virus to be executed just by reading or previewing the message. Information and a patch for this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

Users visiting compromised Web servers will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment. This .eml file also uses the aforementioned MIME exploit. Users can disable 'File Download' in their Internet security zones to prevent compromise.

Also, the worm will create open network shares on the infected computer, allowing access to the system. During this process the worm gives the guest account Administrator privileges.

Type: Virus, Worm
Infection Length: 57344
Virus Definitions: September 18, 2001

Threat Assessment:

Wild: High
Damage: Medium
Distribution: High

Wild:

 * Number of infections: More than 1000
 * Number of sites: More than 10
 * Geographical distribution: Medium
 * Threat containment: Moderate
 * Removal: Moderate

Damage:

 * Payload:
   * Large scale e-mailing: Uses MAPI to send itself out as Readme.exe (Readme.exe will NOT be visible as an attachment in the email received)
   * Modifies files: Replaces multiple legitimate files with itself.
   * Degrades performance: May cause system slowdown
   * Compromises security settings: Opens the C drive as a network share

Distribution:

 * Name of attachment: README.EXE (This file will NOT be visible as an attachment in the email received)
 * Size of attachment: 57344
 * Shared drives: Opens network shares
 * Target of infection: Attempts to infect unpatched IIS servers

Technical description:

Infection via Web Server

W32.Nimda.A@mm attempts to infect unpatched Microsoft IIS web servers. On Microsoft IIS 4.0 and 5.0, it is possible to construct a URL that causes IIS to navigate to any desired folder on the logical drive that contains the web folder structure, and to access files in it. A patch and information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.

Successful exploitation of the Directory Traversal Vulnerability gives the attacker the ability to install and run code, as well as to add, change or delete files or web pages on the compromised server. The limitations of the original vulnerability include:

 1. The server configuration. The vulnerability only allows files to be accessed if they reside on the same logical drive as the web folders. For example, if a Web administrator had configured the server so that the operating system files were installed on the C drive and the Web folders were installed on the D drive, the attacker would be unable to use the vulnerability to access the operating system files.
 2. The attacker must be logged onto the server interactively.
 3. The privileges gained would be only those of a locally logged-on user. The vulnerability would only allow the malicious user to take actions in the context of the IUSR_machinename account.

However, by using the W32.Nimda.A@mm worm as a delivery mechanism, the attacker is able to compromise a vulnerable IIS server remotely and, once it is compromised, create a local account on the targeted server with administrator privileges regardless of which drive the IIS server is installed on. The worm uses directory traversal techniques to access cmd.exe on unpatched IIS servers. The worm also attempts to use IIS servers previously compromised by CodeRed II to propagate, accessing root.exe in the Inetpub/scripts directory.

The worm searches for web servers using randomly generated IP addresses. Using this exploit, the worm copies itself to the web server as admin.dll. This file is then executed on the web server and copied to multiple locations. Besides using this exploit directly, the worm also attempts to exploit web servers that may already have been compromised by a hacker or another worm using this or other exploits.

Specifically, the worm attempts to use root.exe or cmd.exe that has been placed in a remotely executable directory to upload itself as admin.dll. The worm then attempts to modify .htm, .html, and .asp files on the local drive with JavaScript that causes readme.eml, a file created by the virus, to be loaded by Internet Explorer and Outlook Express. This file contains the worm as an attachment, which may be executed without the user detaching or running the attachment.

System Modifications

When executed, the worm determines from where it is being executed. The worm then overwrites MMC.EXE in the Windows directory or creates a copy of itself in the Windows Temporary directory.

The worm then infects commonly used executables listed in the registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

The worm hooks the system by modifying the system.ini file as follows:

Shell = explorer.exe load.exe -dontrunold

It also replaces the file Riched20.dll. Riched20.dll is a legitimate Windows .DLL used by applications such as Microsoft Word. By replacing this DLL, the worm is executed each time an application such as Microsoft Word is started.

The worm copies itself as the file:

%Windows\System%\load.exe

NOTE: %Windows\System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System) and copies itself to that location.

The worm then attempts to modify files with the extension .htm, .html, and .asp, or with filenames matching default, index, main and readme, on the local system that are shared with other network computers. .EXE files are infected, and .EML and .NWS files are replaced by the virus.

Next, the worm creates open network shares for all drives on the computer by modifying the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$ -> Z$]

A reboot of the computer is required for these settings to take effect.

The worm searches for all open shares on the network by iterating through the Network Neighborhood. All files on any open network shares are examined for possible infection. .EXE files are infected by the worm, except WINZIP32.EXE. .EML and .NWS files are copied to the open network shares, and the worm copies itself over as riched20.dll to any directory containing .DOC files.

During execution, the worm may attempt to delete copies of itself. If the file is in use or locked, the worm will create WININIT.INI with an entry to delete itself upon reboot.

The worm contains bugs and can be resource intensive. Thus, not all actions may occur, and system instability may be noticeable.

Mass-Mailer

The worm begins the mass-mailing routine by first searching for email addresses. The worm searches for email addresses in .htm and .html files on the local system. The worm also uses MAPI to iterate through messages in the Inbox of email clients. Any MAPI-supporting email client may be affected, including Microsoft Outlook and Outlook Express. The worm uses these email addresses for both the To: and the From: addresses. Thus, the From: address will not be that of the infected user.

The worm uses its own SMTP engine to send out email, using the configured DNS server to obtain the mail server record (MX record) for each recipient.

Next, the worm changes Explorer settings to not show hidden files and known file extensions.

The worm adds the user guest to the groups Guests and Administrators, thus giving the guest account Administrative privileges. In addition, the worm actively shares C$ = C:\. No reboot is required.

When infecting files, the worm may create many temporary files in the Windows Temporary directory as:

 * mep[nr][nr][letter][nr].TMP.exe
 * mep[nr][nr][letter][nr].TMP

Both files will be hidden and have the system attribute set.

When the worm is received by email, the worm uses an old, known MIME exploit to auto-execute itself. The worm will be unable to execute via Outlook (Express) if the system has been patched against this exploit. Information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

Symantec Enterprise Firewall
Symantec Enterprise Firewall and Raptor Firewall will, through proper configuration, analyze HTTP requests and responses to ensure they adhere to the Requests for Comments (RFC) defining Web protocol behavior. This mechanism effectively blocks many common attacks that take advantage of protocol violations. In addition, Symantec Enterprise Firewall/Raptor Firewall version 6.5 or later can be configured to use URL pattern matching on rules to block known threats against specific web server platforms.

Symantec Enterprise Security Manager (ESM)
Symantec Enterprise Security Manager is a scalable security policy compliance and host-based vulnerability assessment tool. Using this tool you can detect systems that are running IIS server, detect systems that have the web Directory Traversal Vulnerability, and also detect modified files, new files and deleted files through its 'tripwire-like' snapshot technology. It can also detect other modifications in the registry, which is useful in forensic analysis. If you have not already deployed ESM within your enterprise, it is of limited use in recovering from a widespread compromise like W32.Nimda.A@mm. However, it has tremendous strength in mitigating the risk of the next W32.Nimda.A@mm type worm, since it enforces best practices, e.g., identifying inadequate patch levels, unneeded services, and weak passwords.

Symantec NetRecon
Symantec NetRecon is a network vulnerability assessment scanner with root cause analysis capabilities. It detects systems that are running Web services, specifically Microsoft IIS, and also detects systems that have the web Directory Traversal Vulnerability.

Symantec NetProwler
NetProwler is Symantec's network-based intrusion detection tool that continuously and transparently monitors your network for patterns of misuse or abuse. With Security Update 8 installed, NetProwler will detect the CodeRed worm and variants operating on your network. The NetProwler logs will identify each system compromised by the W32.Nimda.A@mm worm. NetProwler can also assist in forensic analysis by reviewing log entries to provide clues as to which host(s) on the network were first compromised by the worm.

Symantec Intruder Alert
Intruder Alert is a host-based intrusion detection tool that detects unauthorized and malicious activity, keeping systems, applications, and data secure from misuse and abuse. The FileWatch function in Intruder Alert can monitor mission-critical files and detect any changes, deletions, or movements that may have resulted from unauthorized access after a W32.Nimda.A@mm compromise. In addition, Intruder Alert provides utilities to develop custom rules that can restore the compromised/changed files to their original state. Intruder Alert also monitors a system for suspicious behavior such as rootkit or DDoS agent installation, account creation, or account modification. Intruder Alert can centrally manage log file events from across the network to assist in forensic analysis of compromised systems.

Removal instructions:

 1. Run LiveUpdate to make sure that you have the most recent virus definitions.
 2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
 3. Run a full system scan.
 4. If any files are detected as infected by W32.Nimda.A@mm or W32.Nimda.A@mm (html), click Repair.
 5. If any files are detected as infected by W32.Nimda.A@mm (dr) or W32.Nimda.A@mm (dll), click Delete.
 6. Reboot the computer.
 7. Repeat steps 1-6 above until no more files are detected as W32.Nimda.A@mm.
 8. Delete the following text from the Shell= entry in system.ini: load.exe -dontrunold
 9. Remove unnecessary shares.
10. Delete the guest account from the Administrators group (if applicable).
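The requests described under Infection via Web Server leave a recognizable trail in IIS logs. The following is an added example, not part of the original Symantec writeup: it normalizes the percent-encoded and overlong UTF-8 path forms that the Unicode traversal (MS00-078) relies on, then flags requests that step out of the web root or ask for cmd.exe, root.exe or admin.dll. The log layout (W3C fields: date, time, client IP, method, URI stem, query, status) and every log line are constructed for the example.

```python
from urllib.parse import unquote

# Constructed IIS W3C-style log lines for this example
# (fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
2001-09-18 10:12:01 10.0.0.7 GET /scripts/root.exe - 200
2001-09-18 10:12:02 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200
2001-09-18 10:12:03 10.0.0.7 GET /scripts/..%255c../winnt/system32/cmd.exe - 404
2001-09-18 10:12:04 10.0.0.9 GET /index.html - 200
2001-09-18 10:12:05 10.0.0.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe - 200
"""
# root.exe: left by CodeRed II; cmd.exe: reached by traversal; admin.dll: upload name.
WORM_TARGETS = {"cmd.exe", "root.exe", "admin.dll"}

def normalize_path(raw, passes=2):
    # Decode twice (catches double encoding such as %255c); latin-1 keeps one char per byte.
    s = raw
    for _ in range(passes):
        s = unquote(s, encoding="latin-1")
    # Overlong 2-byte UTF-8 (0xC0/0xC1 lead) -> the ASCII it encodes, e.g. %c0%af -> '/'.
    out, i = [], 0
    while i < len(s):
        c = ord(s[i])
        if c in (0xC0, 0xC1) and i + 1 < len(s):
            out.append(chr(((c & 0x1F) << 6) | (ord(s[i + 1]) & 0x3F)))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out).replace("\\", "/").lower()

def classify(stem):
    # Reasons a URI stem looks like a Nimda probe; an empty list means clean.
    path = normalize_path(stem)
    reasons = ["directory traversal"] if "/../" in path else []
    name = path.rsplit("/", 1)[-1]
    if name in WORM_TARGETS:
        reasons.append("request for " + name)
    return reasons

def scan_log(text):
    # (client ip, raw stem, reasons) per suspicious request; a 404 still identifies the source.
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0].startswith("#"):
            continue
        reasons = classify(parts[4])
        if reasons:
            hits.append((parts[2], parts[4], reasons))
    return hits
```

Grouping the hits by client address gives the list of already-infected hosts scanning you, which is the first thing to hand to the network team.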
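The host-side indicators from System Modifications and the Removal instructions (the system.ini Shell hook, the mep*.TMP temporary files, Guest in Administrators, the C$..Z$ shares) can be checked mechanically. This is an added example, not Symantec's tooling: all inputs are constructed, and the share check only lists candidates, because the built-in administrative shares carry the same names as the ones the worm creates.

```python
import re
# Constructed inputs for this example: a hooked [boot] section, a Windows
# Temp listing, the Administrators group and the active share names.
SYSTEM_INI = "[boot]\nShell=explorer.exe load.exe -dontrunold\ndrivers=mmsystem.dll\n"
TEMP_FILES = ["mep12a3.TMP", "mep12a3.TMP.exe", "~DF1234.tmp", "readme.eml"]
ADMINISTRATORS = ["Administrator", "Guest"]
SHARES = ["ADMIN$", "C$", "D$", "IPC$", "public"]

HOOK = ("load.exe", "-dontrunold")              # what the worm appends to Shell=
TEMP_RE = re.compile(r"^mep\d\d[a-z]\d\.tmp(\.exe)?$", re.IGNORECASE)
DRIVE_SHARE_RE = re.compile(r"^[c-z]\$$", re.IGNORECASE)

def clean_shell_entry(ini_text):
    # Removal step 8: strip the worm's hook from Shell= in [boot].
    # Returns (was_hooked, cleaned_text); every other line passes through untouched.
    hooked, section, lines = False, None, []
    for line in ini_text.splitlines():
        if line.startswith("["):
            section = line.strip("[]").lower()
        key, sep, value = line.partition("=")
        if section == "boot" and sep and key.strip().lower() == "shell":
            tokens = value.split()
            if any(t.lower() in HOOK for t in tokens):
                hooked = True
                line = key.strip() + "=" + " ".join(t for t in tokens if t.lower() not in HOOK)
        lines.append(line)
    return hooked, "\n".join(lines) + "\n"

def worm_temp_files(names):
    # mep[nr][nr][letter][nr].TMP and .TMP.exe, hidden+system, in the Temp directory.
    return [n for n in names if TEMP_RE.match(n)]

def guest_is_admin(members):
    # The worm adds Guest to Administrators (removal step 10).
    return any(m.lower() == "guest" for m in members)

def drive_shares(share_names):
    # Worm-created C$..Z$ shares are indistinguishable by name from the built-in
    # administrative shares, so list every drive-letter share for review (step 9).
    return sorted(s for s in share_names if DRIVE_SHARE_RE.match(s))

def triage(ini_text, temp_names, admins, shares):
    hooked, cleaned = clean_shell_entry(ini_text)
    return {
        "system_ini_hooked": hooked,
        "cleaned_system_ini": cleaned,
        "worm_temp_files": worm_temp_files(temp_names),
        "guest_in_administrators": guest_is_admin(admins),
        "drive_shares": drive_shares(shares),
    }
```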