Thread: Nimda

  1. #1
    Unregistered
    Guest

    Nimda

    I have this virus called Nimda. I went to microsoft.com but their fix does not work. They say that if you have service pack 2 then you shouldn't have the virus. Well I have SP2 and Win2k and I do have the virus!

    Can I just delete the files? I can see the .dll file on my C drive for example but there are something like 41 other files.

  2. #2
    barjor
    Guest
    I don't know that much about this virus but it sounds like a job for an anti-virus program

    ~Barjor

  3. #3
    Unregistered
    Guest
    It's going to be announced on the National news. I heard about it from the US government this afternoon.

    I still have the virus on my computer. At the Norton website they say that they are working on it. As of this moment there is no cure. Microsoft thinks that you can't get the virus if you have service pack 2, but they are dead wrong.

    During these rare times I wish I was running Linux although I'd need a lot more pain in order to get me to do that.

  4. #4
    Registered User rick barclay's Avatar
    Join Date
    Aug 2001
    Posts
    835
    My server IS running Linux/UNIX. It's down. I don't understand.
    They said Linux was immune to Code Red, et al.

    rick barclay
    No. Wait. Don't hang up!

    This is America calling!

  5. #5
    Has a Masters in B.S.
    Join Date
    Aug 2001
    Posts
    2,263
    i don't think it's code red, rick. is the little green light on the front of the case on?
    ADVISORY: This user's posts are rated CP-MA, for Mature Audiences only.

  6. #6
    Registered User Esss's Avatar
    Join Date
    Aug 2001
    Posts
    133
    I hate to cut and paste, because you should all be subscribing anyway.

    From NTBugTraq:

    Infection vectors:
    -----------------
    a) Email as an attachment of MIME audio/x-wav type.
    b) By browsing an infected webserver with Javascript execution
    enabled and using a version of IE vulnerable to the exploits
    discussed in MS01-020 (e.g. IE 5.0 or IE 5.01 without SP2).
    c) Machine to machine in the form of IIS attacks (primarily
    attempting to exploit vulnerabilities created by the effects of Code
    Red II, but also vulnerabilities previously patched by MS00-078)
    d) Highlighting either a .eml or .nws in Explorer with Active Desktop
    enabled (W2K/ME/W98 by default) then the THUMBVW.DLL will execute the
    file and attempt to download the README.EXE referenced in it
    (depending on your IE version and zone settings).
    e) Mapped drives. Any infected machine which has mapped network
    drives will likely infect all of the files on the mapped drive and
    its subdirectories

    To prevent yourself from being infected:

    a) Ensure all IE versions have applied MS01-027 (or are IE 5.01SP2 or
    above)

    b) Disable Active Scripting in IE

    c) Ensure all IIS installations have applied MS01-044 (or at the very
    least MS01-033)

    d) Use the CACLS program to modify the permissions on TFTP.EXE to
    remove all use;

    CACLS %systemroot%\system32\tftp.exe /D Everyone
    CACLS %systemroot%\system32\tftp.exe /D System

    Do the same for CMD.EXE
    (note, this could be tried with THUMBVW.DLL as well, haven't tried
    this myself yet)

    e) Ensure that TFTP is not permitted out through your network gateway
    (note that newly infected machines may try and TFTP *internally* from
    some other infected machine you have on your network)

    f) Modify or remove:

    HKEY_CLASSES_ROOT\.eml
    HKEY_CLASSES_ROOT\.nws

    Cleansing information:
    ---------------------

    Nimda is viral, so while you can remove various files that it drops
    it probably will not be cleaned completely by manual means. This
    means you will have to use your AntiVirus vendor's product to
    completely cleanse.

    a) Load.exe dropped as hidden/system file (probably in %systemroot%)
    b) Riched20.dll dropped with today's date as hidden/system file.
    c) Readme.exe dropped in every directory
    d) Admin.dll dropped in /scripts and/or root directories (not the
    _vti_bin directories of FrontPage)
    e) .eml and .nws files dropped in every directory
    f) Possibly modified your default home page in web dirs.
    g) Infected numerous files (if not all files) with the 56kb
    executable.
    h) Reports of people having files lumped together into .eml files

    Check with your AV Vendor regularly for updates to the cleansing
    programs. I would appreciate any reports from AV Vendors as to how
    complete they feel their cleaners currently are. I will do an update
    later tonight based on responses.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
    Ess
    Like a rat in a maze who says,
    "Watch me choose my own direction"
    Are you under the illusion
    The path is winding your way?
    - Rush
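    A small triage scanner for the dropped-file indicators in the cleansing list quoted above (an added example, not from this thread, NTBugTraq or any AV vendor). It walks a tree and reports files matching the names and extensions the note lists; the sample tree built in demo() is constructed, the hidden+system attribute check only works on Windows, and the script only reports, since the note says cleaning needs an AV product.

```python
import os
import stat
import tempfile

# File names the NTBugTraq note says Nimda drops (matched case-insensitively).
DROPPED_NAMES = {"load.exe", "riched20.dll", "readme.exe", "admin.dll"}
# Extensions of the .eml/.nws copies it drops in every directory.
DROPPED_EXTS = {".eml", ".nws"}
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM


def is_hidden_system(path):
    """True if a file has both Hidden and System attributes (Windows only;
    elsewhere st_file_attributes is missing and this returns False)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM


def scan_tree(root):
    """Walk root and return sorted (path, reason) pairs; reporting only."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_scripts = os.path.basename(dirpath).lower() == "scripts"
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower in DROPPED_NAMES:
                reason = "dropped file " + lower
                if lower in ("load.exe", "riched20.dll") and is_hidden_system(path):
                    reason += " (hidden+system)"
                if lower == "admin.dll" and in_scripts:
                    reason += " in scripts dir"
                findings.append((path, reason))
            elif os.path.splitext(lower)[1] in DROPPED_EXTS:
                findings.append((path, "mail-format drop " + lower[-4:]))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree (not a real infection); return reasons."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    os.makedirs(os.path.join(root, "scripts"))
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("LOAD.EXE", "readme.exe", "scripts/Admin.dll",
                "docs/notes.txt", "docs/desktop.eml"):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"constructed sample content, not a real binary")
    return [reason for _path, reason in scan_tree(root)]
```

Run demo() to see the four hits from the constructed tree; notes.txt is not reported.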

  7. #7
    Anti-Terrorist
    Join Date
    Aug 2001
    Posts
    742
    Oh well, I was thinking of getting WinXP anyway. Hope the terrorists are all killed by then. I'm tired of all these virus attacks.
    I compile code with:
    Visual Studio.NET beta2

  8. #8
    Registered User mfc2themax's Avatar
    Join Date
    Aug 2001
    Posts
    347
    If you wanna be immune to problems like this, then it's simple. Throw your computer out the window.
    mfc2themax-Creator of all that is.

  9. #9
    Anti-Terrorist
    Join Date
    Aug 2001
    Posts
    742
    You know what, you're right. Unfortunately it seems that the operating system manufacturers can not protect the public from viruses. That's just the way it is. I didn't even open an attachment. I must have gotten infected by going to some website. I'm not going to search the web anymore.
    I compile code with:
    Visual Studio.NET beta2

  10. #10
    Linguistic Engineer... doubleanti's Avatar
    Join Date
    Aug 2001
    Location
    CA
    Posts
    2,459
    >I don't know that much about this virus but it sounds like a job for an anti-virus program

    what is nimda? and, wow sunlight, resourceful on the run... good job!

    >Throw your computer out the window.

    remember: we have a function for that...

    oh, and i don't want to sound like i'm some genius that is failsafe from all virii cuz i'm a genius... but i don't ever get virii simply because my own computer use is relatively fail-safe... what practices did you, er, practice to obtain this virus?
    hasafraggin shizigishin oppashigger...

  11. #11
    Just one more wrong move. -KEN-'s Avatar
    Join Date
    Aug 2001
    Posts
    3,227
    I was lookin at my school's county website and found a link to a patch. go here: http://www.palmbeach.k12.fl.us/

  12. #12
    Registered User rick barclay's Avatar
    Join Date
    Aug 2001
    Posts
    835
    >i don't think it's code red, rick. is the little green light on the front of the case on?<

    No, I guess it was Nimda. Code Red isn't supposed to attack Linux,
    from what I understand, admittedly not much. But, it's Wednesday
    morning now, and my site is back up, so no harm done. I'm
    back in business. Till next time.

    rick barclay
    No. Wait. Don't hang up!

    This is America calling!

  13. #13
    Registered User Esss's Avatar
    Join Date
    Aug 2001
    Posts
    133
    > Unfortunately it seems that the operating system manufacturers can not protect the public from viruses.

    Carefully avoiding the word 'Microsoft', hm?

    As you'll have noticed, every infection vector can be patched. There's no excuse for not having MS00-078, since it's 12 months old! There's also no excuse for having IE pre v5.01 SP2, and none for having your system security levels at 'low'.

    If you want to be secure, check http://www.microsoft.com/technet/mpsa/start.asp regularly, and follow the recommendations. By being up-to-date, I bypassed Code Red I and II, and this latest one. Oh, and don't open attachments unless you know what they are...

    Rick, even if your machine runs Linux, it's still vulnerable to thousands of computers bombarding it with compromise requests. Did you have unusual amounts of traffic?
    Ess
    Like a rat in a maze who says,
    "Watch me choose my own direction"
    Are you under the illusion
    The path is winding your way?
    - Rush

  14. #14
    Hamster without a wheel iain's Avatar
    Join Date
    Aug 2001
    Posts
    1,385
    has anyone else noticed that it spells 'Admin' backwards ?
    Monday - what a way to spend a seventh of your life

  15. #15
    Has a Masters in B.S.
    Join Date
    Aug 2001
    Posts
    2,263
    >Unfortunately it seems that the operating system manufacturers
    can not protect the public from viruses<

    OpenBSD... 4 security holes in 6 years... 3 fixed, one brand new, so... virtually impossible to hax0r...

    and Esss, even if you do all that you're still vulnerable

    >By being up-to-date, I bypassed Code Red I and II, and this latest one.<

    yes ma'am, be up to date and skip the nasties, he's right about that.

    >Oh, and don't open attachments unless you know what they are... <

    nailed that too.
    ADVISORY: This user's posts are rated CP-MA, for Mature Audiences only.
