View Full Version : Nimda

Unregistered
09-18-2001, 01:58 PM
I have this virus called Nimda. I went to microsoft.com but their fix does not work. They say that if you have Service Pack 2 then you shouldn't have the virus. Well, I have SP2 and Win2k and I do have the virus!

Can I just delete the files? I can see the .dll file on my C drive for example but there are something like 41 other files.

barjor
09-18-2001, 03:50 PM
I don't know that much about this virus, but it sounds like a job for an anti-virus program.

~Barjor

Unregistered
09-18-2001, 04:09 PM
It's going to be announced on the National news. I heard about it from the US government this afternoon.

I still have the virus on my computer. At the Norton website they say that they are working on it. As of this moment there is no cure. Microsoft thinks that you can't get the virus if you have service pack 2, but they are dead wrong.

During these rare times I wish I was running Linux although I'd need a lot more pain in order to get me to do that.

rick barclay
09-18-2001, 04:23 PM
My server IS running Linux/UNIX. It's down. I don't understand.
They said Linux was immune to Code Red, et al. :confused:

rick barclay

no-one
09-18-2001, 04:25 PM
I don't think it's Code Red, Rick. Is the little green light on the front of the case on?

Esss
09-18-2001, 04:44 PM
I hate to cut and paste, because you should all be subscribing anyway.

From NTBugTraq:


Infection vectors:
-----------------
a) Email as an attachment of MIME audio/x-wav type.
b) By browsing an infected webserver with Javascript execution
enabled and using a version of IE vulnerable to the exploits
discussed in MS01-020 (e.g. IE 5.0 or IE 5.01 without SP2).
c) Machine to machine in the form of IIS attacks (primarily
attempting to exploit vulnerabilities created by the effects of Code
Red II, but also vulnerabilities previously patched by MS00-078)
d) Highlighting either a .eml or .nws in Explorer with Active Desktop
enabled (W2K/ME/W98 by default) then the THUMBVW.DLL will execute the
file and attempt to download the README.EXE referenced in it
(depending on your IE version and zone settings).
e) Mapped drives. Any infected machine which has mapped network
drives will likely infect all of the files on the mapped drive and
its subdirectories

To prevent yourself from being infected:

a) Ensure all IE versions have applied MS01-027 (or are IE 5.01SP2 or
above)

b) Disable Active Scripting in IE

c) Ensure all IIS installations have applied MS01-044 (or at the very
least MS01-033)

d) Use the CACLS program to modify the permissions on TFTP.EXE to
remove all use:

CACLS %systemroot%\system32\tftp.exe /D Everyone
CACLS %systemroot%\system32\tftp.exe /D System

Do the same for CMD.EXE
(note, this could be tried with THUMBVW.DLL as well, haven't tried
this myself yet)

e) Ensure that TFTP is not permitted out through your network gateway
(note that newly infected machines may try and TFTP *internally* from
some other infected machine you have on your network)

f) Modify or remove:

HKEY_CLASSES_ROOT\.eml
HKEY_CLASSES_ROOT\.nws

Cleansing information:
---------------------

Nimda is viral, so while you can remove various files that it drops,
it probably will not be cleaned completely by manual means. This
means you will have to use your AntiVirus vendor's product to
cleanse completely.

a) Load.exe dropped as hidden/system file (probably in %systemroot%)
b) Riched20.dll dropped with today's date as hidden/system file.
c) Readme.exe dropped in every directory
d) Admin.dll dropped in /scripts and/or root directories (not the
_vti_bin directories of FrontPage)
e) .eml and .nws files dropped in every directory
f) Possibly modified your default home page in web dirs.
g) Infected numerous files (if not all files) with the 56kb
executable.
h) Reports of people having files lumped together into .eml files

Check with your AV Vendor regularly for updates to the cleansing
programs. I would appreciate any reports from AV Vendors as to how
complete they feel their cleaners currently are. I will do an update
later tonight based on responses.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
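
Vector (a) above works because the mail client acts on the declared MIME type (audio/x-wav) instead of on what the attachment actually is. As an added example that is not part of the NTBugTraq post, the Python script below parses a message with the standard library's email package and flags any attachment whose declared Content-Type disagrees with its filename extension or with the bytes it carries (a Windows PE image starts with the bytes "MZ"). The sample message, the README.EXE attachment and the byte stubs are constructed for the demonstration, and the rule set is this example's own heuristic, not something the advisory specifies.

```python
"""Flag mail attachments whose declared MIME type does not match their content.

Added example, not part of the NTBugTraq post. The sample message below is
constructed; the detection rules are assumptions of this example.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows will run regardless of the declared MIME type (assumption).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".dll"}


def sniff(payload: bytes) -> str:
    """Cheap content sniff: what the bytes really are, ignoring all headers."""
    if payload[:2] == b"MZ":
        return "pe-executable"
    if payload[:4] == b"RIFF" and payload[8:12] == b"WAVE":
        return "wav"
    return "unknown"


def suspicious_parts(raw_message: bytes) -> list:
    """Return one finding per attachment that lies about what it is."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        actual = sniff(payload)
        reasons = []
        ext = os.path.splitext(filename.lower())[1]
        # An executable name under a non-application type is the MS01-020 pattern.
        if ext in EXECUTABLE_EXTENSIONS and not declared.startswith("application/"):
            reasons.append(f"executable name {filename!r} declared as {declared}")
        # The bytes themselves are a PE image, whatever the headers claim.
        if actual == "pe-executable" and not declared.startswith("application/"):
            reasons.append(f"payload is a PE image but declared as {declared}")
        if reasons:
            findings.append({"filename": filename, "declared": declared,
                             "actual": actual, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed message: one honest WAV clip plus a Nimda-style README.EXE
    attached with Content-Type audio/x-wav (the vector the advisory describes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "(no subject)"
    msg.set_content("Body text.")
    # Minimal RIFF/WAVE header: a real audio file, declared honestly.
    wav = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 24
    msg.add_attachment(wav, maintype="audio", subtype="x-wav", filename="clip.wav")
    # Constructed PE stub (DOS header magic only), declared as audio.
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(pe_stub, maintype="audio", subtype="x-wav", filename="README.EXE")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in suspicious_parts(build_sample_message()):
        print(f"{f['filename']}: declared {f['declared']}, looks like {f['actual']}")
        for reason in f["reasons"]:
            print("  -", reason)
```

Running the script reports only README.EXE, with both reasons; clip.wav passes because its name, declared type and RIFF header agree. On a mail gateway the same check belongs at the boundary, before a client that trusts the Content-Type header ever sees the part.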

Witch_King
09-18-2001, 05:06 PM
Oh well, I was thinking of getting WinXP anyway. Hope the terrorists are all killed by then. I'm tired of all these virus attacks.

mfc2themax
09-18-2001, 10:11 PM
If you wanna be immune to problems like this, then its simple. Throw your computer out the window. :p

Witch_King
09-18-2001, 10:45 PM
You know what, you're right. Unfortunately it seems that the operating system manufacturers can not protect the public from viruses. That's just the way it is. I didn't even open an attachment. I must have gotten infected by going to some website. I'm not going to search the web anymore.

doubleanti
09-18-2001, 11:15 PM
>I don't know that much about this virus, but it sounds like a job for an anti-virus program.

what is nimda? and, wow sunlight, resourceful on the run... good job!

>Throw your computer out the window.

remember: we have a function for that...

Oh, and I don't want to sound like I'm some genius that is failsafe from all virii cuz I'm a genius... but I don't ever get virii simply because my own computer use is relatively fail-safe... what practices did you, er, practice to obtain this virus?

-KEN-
09-19-2001, 06:35 AM
I was lookin' at my school's county website and found a link to a patch. Go here: http://www.palmbeach.k12.fl.us/

rick barclay
09-19-2001, 06:47 AM
>I don't think it's Code Red, Rick. Is the little green light on the front of the case on?<

No, I guess it was Nimda. Code Red isn't supposed to attack Linux,
from what I understand, admittedly not much. But, it's Wednesday
morning now, and my site is back up, so no harm done. I'm
back in business:) . Till next time.

rick barclay

Esss
09-19-2001, 07:09 AM
> Unfortunately it seems that the operating system manufacturers can not protect the public from viruses.

Carefully avoiding the word 'Microsoft', hm?

As you'll have noticed, every infection vector can be patched. There's no excuse for not having MS00-078, since it's 12 months old! There's also no excuse for having IE pre v5.01 SP2, and none for having your system security levels at 'low'.

If you want to be secure, check http://www.microsoft.com/technet/mpsa/start.asp regularly, and follow the recommendations. By being up-to-date, I bypassed Code Red I and II, and this latest one. Oh, and don't open attachments unless you know what they are...

Rick, even if your machine runs Linux, it's still vulnerable to thousands of computers bombarding it with compromise requests. Did you have unusual amounts of traffic?

iain
09-19-2001, 08:59 AM
has anyone else noticed that it spells 'Admin' backwards ?

no-one
09-19-2001, 11:43 AM
>Unfortunately it seems that the operating system manufacturers
can not protect the public from viruses<

OpenBSD... 4 security holes in 6 years... 3 fixed, one brand new, so... virtually impossible to hax0r...

And Esss, even if you do all that you're still vulnerable.

>By being up-to-date, I bypassed Code Red I and II, and this latest one.<

Yes ma'am, be up to date and skip the nasties; he's right about that.

>Oh, and don't open attachments unless you know what they are... <

Nailed that too.

Witch_King
09-19-2001, 12:19 PM
> As you'll have noticed, every infection vector can be patched. There's no excuse for not having MS00-078, since it's 12 months old! There's also no excuse for having IE pre v5.01 SP2, and none for having your system security levels at 'low'.


I don't know how many times I have to say it, but I had IE6.0 and SP2. I still got the virus.

no-one
09-19-2001, 02:26 PM
I believe you (I know how MS claims a thing is one way when it is the other), I'm just saying being updated can stop a lot of them.

doubleanti
09-19-2001, 05:12 PM
>has anyone else noticed that it spells 'Admin' backwards ?

hmmmm.... that's a good notice...

hey, any specifics about this? [or generalizations...]

Witch_King
09-19-2001, 05:14 PM
Everyone already knows about this. I'm surprised that someone didn't know.

Theologian
09-19-2001, 05:16 PM
Has microsoft itself gotten hit w/this thing?

I can't get to msn or msnbc. Any other sites I go to are o.k. but those time out on me.

Anyone else notice this or have any trouble?

Esss
09-19-2001, 06:30 PM
> I don't know how many times I have to say it, but I had IE6.0 and SP2. I still got the virus.

Dear me. You had a service pack that is four months old, and a Web browser update, and you think that constitutes adequate security?

Tell me, how many holes did that Web site I pointed you to pick in your system?

> Anyone else notice this or have any trouble?

No trouble here. It's more likely to be a DoS by virtue of having thousands of compromise requests than a security problem.

no-one
09-19-2001, 06:39 PM
>Dear me. You had a service pack that is four months old, and a Web browser update, and you think that constitutes adequate security? <

All the damn service packs and browser updates in the world don't constitute adequate security...

Witch_King
09-19-2001, 06:44 PM
I installed that service pack about 3 weeks ago. How can anyone keep track of all those damn things? That is ridiculous. Why doesn't the company just write a secure operating system?

I ran a Win32/Nimda virus cure or whatever you call it. It wasn't completely successful. I'm going to have to buy a new OS next week or something. I don't like any of the current operating systems that are available and I severely question the quality of WinXP.

no-one
09-19-2001, 06:47 PM
XP is good because of the ClearType fonts but DAMN THE INCOMPATIBLE VIDEO DRIVERS!!!!! NOTHING WORKS RIGHT!!!!

Witch_King
09-19-2001, 06:48 PM
I want Bill Gates' head on a platter.

no-one
09-19-2001, 06:51 PM
YESS YEEEESSSSS!!!! NOW YOU'RE TALKING!!! IF OPEN SOURCE CAN MAKE SECURE SYSTEMS THEN WHY CAN'T YOU, BILL, WHHYYYY!!!!

BTW: have you used the link in my sig?

Witch_King
09-19-2001, 06:54 PM
> BTW: have you used the link in my sig?


Don't be silly. It isn't safe to search the web. I'm running Microsoft, remember. I have not downloaded my daily service pack.

no-one
09-19-2001, 06:56 PM
BWAHHAAHHAAHAHAHAHAHAHAHAAHAHAH!!!! I almost forgot, I'm in a fit of Bill hate...

Esss
09-19-2001, 07:03 PM
> IF OPEN SOURCE CAN MAKE SECURE SYSTEMS THEN WHY CANT YOU BILLL WHHYYYY!!!!

I note that redhat.org lists 23 'Security Advisories' for the last five months, in their latest version. Is this your definition of 'secure'?

In an operating system as complex as Windows 2000 or Linux, security is ongoing - there's no chance you'll find all the security holes by release; there are just too many lines of code. Both operating systems have teams of people inside and outside of their respective organisations, finding and fixing vulnerabilities. When vulnerabilities are found, you need to install the fixes. That's the price you pay for using complex software.

Windows 2000 with all the security patches, secured with the checklists and tools from Microsoft, operated in a sensible manner, is as secure as Linux. Virii and worms (like Nimda) take advantage of the fact that you don't do that, and to good effect.

Witch_King
09-19-2001, 07:07 PM
I had all the latest updates and all the latest service packs and I still got Nimda.

If it wasn't for the internet there would be far fewer security updates, maybe even none. Now Microsoft is really pushing the internet. I wonder if they will succeed, because the virus writers are really having their way. They are far more sophisticated than they used to be.

no-one
09-19-2001, 07:07 PM
Esss, to your entire post i say

www.freeBSD.org

Witch_King
09-19-2001, 07:12 PM
Linux is not looking too bad after all. At least people can afford to use it. I have a few books on RedHat 7.0. Should I install this OS? Is RH 7.0 any good? Anyone use it?

Esss
09-19-2001, 07:15 PM
> www.freeBSD.org

An operating system used by sufficiently few people that it isn't worth someone's effort to attempt to find a security hole.

> I had all the latest updates and all the latest service packs and I still got Nimda.

Have you worked out by which vector, then?

It's one of:
* MS00-078, a patch for which is included in Win2k SP2.
* MS01-020, which only affects IE 5.0 and 5.01 pre-SP2.
* IIS attacks, caused by you having previously contracted Code Red II.
* Opening an attachment sent to you masquerading as an audio file.
* Opening an already-infected .eml or .nws file.
* Someone else's infected machine having mapped a drive to a share on yours.

You still haven't told me how many problems MPSA told you about.

Witch_King
09-19-2001, 07:27 PM
I downloaded and ran the cure from www.centralcommand.com

I don't know how to use this operating system. All I know about computers is C and some C++. Operating systems unfortunately is about 6 months away.

Also, I have a pirated version of Win2k and I don't have the admin privileges because I think I only have a user account. I log in as dean, not as administrator. So this truly limits me. It also makes it impossible for me to eradicate the virus, since as the virus cure executes it is not allowed to delete certain files because I'm not logged in as the administrator. Therefore I conclude that my operating system is toast.

I think I'm going to have to install a new operating system, although I hesitate to get WinXP. That would seem the logical operating system to buy because I'm going to have to pay full price. My fear is that WinXP will not accept all my hardware. Sure, my 1.4 GHz processor and 327 MB RAM are fine, so is my 20 GB 7200 RPM HD, but I don't think my 5X DVD will work with WinXP. I'm deathly afraid to purchase WinXP on Oct 25 because I think the safest bet would be to get it on an OEM setup. That way you know everything works. Maybe I'll have to turn this powerful computer into a Linux experiment. I only paid $550 USD for it, but that is still a waste. Too bad MS operating systems are so expensive. I would have purchased Win2k if it wasn't $250 USD.

Esss
09-19-2001, 07:55 PM
> Operating systems unfortunately is about 6 months away.

A little initiative works wonders, I've found.

You need a course to use Win2k, and you're considering Linux?

> Also, I have a pirated version of Win2k and I don't have the admin privilages because I think I only have a user account

Presumably you installed it, though, in which case you should know the Administrator password. You have installed SP2, which needs to be done under an administrative account, in any event, so what's the problem?

> because I'm going to have to pay full price.

You are a student. You do not need to pay full price. You can pay significantly less by getting the academic version, which is exactly the same product for a lower price. What is the problem with that?

> My fear is that WinXP will not accept all my hardware.

I think you'll find that any hardware that operates in your machine will work in XP. From Microsoft's perspective, it has to - they want this to replace the 9x codebase, so they need a similar level of hardware support.

Witch_King
09-19-2001, 08:22 PM
Actually, no, I didn't install Win2k pro. Some con man did that for me.

I can't get this academic version that you are talking about. I have to pay the same price as the world. It's around $250 USD, I looked this up. This is for the full version of Win2k Pro.

How can I tell if I have admin privileges? I messed with Nimda.dll on my C drive. I accidentally changed some of the permissions and now it says that I don't have the permission to change them back. This leads me to believe that I'm not the administrator. When I got the OS I logged in as dean, not as administrator or anything like that. As I run the virus scanner it says that there are files that it can not open.

I don't think it's effort so much as needing the time to learn a professional operating system. I've been spending this term studying everything but my OS. I have some books on Linux 7.0. Yes I know that would be hell, but I dont' want to pay $250 USD. I can get Linux 7.1 for like $10 USD.

I don't trust WinXP because it sounds as though if you try to install it more than once you are shut down. I will never buy anything that does that to people. That is sick.

At this moment I'm not sure if my OS is attacking the internet. Maybe it's okay but some of those files are still on my HD. There are about 33 right now. It used to be as high as 98 but after I ran the cure it got rid of many of them. I wonder if it is okay to try to delete some of these files.

no-one
09-19-2001, 08:31 PM
Wanna know if you're an admin, huh?

Well, do the following.

Go to the Control Panel -> Administrative Tools (assuming it's there, you should be the admin) -> Computer Management -> Local Users and Groups -> Users -> right-click on 'Dean', select Properties from the context menu -> click the 'Member Of' tab and see what's there.

If it's not Administrators then you're something else with limited permissions...

And try logging in as the Administrator, just don't enter a password... that's the default.... assuming the con artist didn't change it...

Unregistered
09-19-2001, 09:51 PM
Okay now that I'm logged in as the administrator, why don't I have permission to view current permission setting of the Admin.dll file? How do I override the permission? How do I set it so that I can delete it?

Unregistered
09-19-2001, 10:09 PM
I might have accidentally made it so that no one has access. Can this be fixed!

Unregistered
09-19-2001, 10:11 PM
Yes, I think that's what I did. Can't the administrator somehow override this??

Nick
09-19-2001, 10:42 PM
> An operating system used by sufficiently few people that it isn't worth someone's effort to attempt to find a security hole.

That's funny considering Microsoft has used this operating system. OK, you can try to deny it, but a few major companies such as Yahoo run it.

http://www.zdnet.com/zdnn/stories/news/0,4586,2775033,00.html

FreeBSD looks like it had a telnetd security hole, but no one secure would install that anyway.

Hmm, Dean's got one of those worms sort of like KaK, where just previewing them sends them. This is an Outlook Express feature which can be turned off. No one should read email as root/admin; you should be able to set up your machine so that email goes to a user account, I think. Someone could still try to send a trojan horse, so I guess you should back up important user account data. I use the text-based pine as an email client, not even on my machine, so no getting viruses/worms. Best thing to do is find an email client which isn't targeted by haxors like Outlook is.

Unregistered
09-19-2001, 10:53 PM
>Okay now that I'm logged in as the administrator, why don't I have permission to view current permission setting of the Admin.dll file? How do I override the permission? How do I set it so that I can delete it?<

First make sure this is something that you want to delete, that won't fry your system if it's gone.

Well, here we go:

Right-click on the file, go to Properties -> click the Security tab -> click on the Add button ->
under 'Enter the object names to select' type administrator/dean, whoever you're logged in as ->
click OK -> in the Security tab in Properties, under 'Permissions for *', click on the Full Control check box under Allow,
and click Apply.

That should allow you to do whatever you want.

no-one
09-19-2001, 10:53 PM
Woops, forgot to log in...

Oh, and BTW: don't ever use Outlook; more viruses spread through that than anything I've heard of yet...

Witch_King
09-19-2001, 11:03 PM
It almost worked, but after I chose Full Control and pressed Apply, it said:

> Unable to save permission changes to Admin.dll
> Access is denied

Why would it do that?

Witch_King
09-19-2001, 11:13 PM
When I right-click the file and press the Security tab it says:

> You do not have permission to view the current permission settings for Admin.dll, but you can make permission changes.

There must be a way to make permission changes! But something must have been missed. Some step.

no-one
09-19-2001, 11:17 PM
Well, if you're logged in as admin... it's not permission violations. It may be in use, but that shouldn't stop it... possibly because it's a system file.

Try hitting Ctrl+Shift+Escape and see what's running under your user name. Look for said .dll or whatnot. Anything that says 'you' under User Name other than explorer.exe, devldr32.exe, and taskmgr.exe can be killed; just don't kill any SYSTEM or Local/Network Service processes. You may not want to kill IEXPLORE.EXE because it's Internet Explorer.

And I doubt this will work unless you have permissions to the file, but this will make it non-system/hidden/read-only/etc.:

#include <windows.h>
#include <stdio.h>

int main()
{
    // FILE_ATTRIBUTE_NORMAL (0x80) clears the read-only, hidden, system and
    // archive bits. This only rewrites attribute bits; it does not touch the
    // file's ACL, so it fails with access denied if you cannot write to the file.
    const char *path = "C:\\whateverdir\\admin.dll";
    if (!::SetFileAttributes(path, FILE_ATTRIBUTE_NORMAL))
        printf("SetFileAttributes failed, error %lu\n", ::GetLastError());
    // check to see if it worked
    DWORD fa = ::GetFileAttributes(path);
    printf("%lx\n", fa); // prints 80 when only FILE_ATTRIBUTE_NORMAL is set
    return 0;
}

Witch_King
09-19-2001, 11:33 PM
When I run the program it prints the number 21 but nothing changed. I still can't set permissions. What does 21 mean?

no-one
09-20-2001, 12:48 AM
21 means it's Read Only and Archived.

So... let me get this straight:

You're logged in as Admin.
You can't change permissions.
You didn't see it used in the Task Manager.
It's not system.
You have no access to the file...

Right-click on the file, go to Properties -> click the Security tab.

1. Are there any names/groups under 'Groups or user names:'?
2. Could you list what's running under Processes in the Task Manager?

And I must ask, are you sure this file is bad? I have it on my system and I don't have 'Nimda'.
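
The advisory's cleansing list names the files Nimda drops (readme.exe and .eml/.nws files in every directory, load.exe, a freshly dated riched20.dll, admin.dll under /scripts or a web root) and also says where not to look: admin.dll under a FrontPage _vti_bin directory is the server extensions' own file, which is the confusion in this thread. As an added example, not from the advisory or from any AV vendor, the Python sweep below walks a directory tree and reports only the locations that match those rules. It builds a small constructed tree in a temporary directory to run against. The choice of the Windows system directory as the one place riched20.dll legitimately lives, and the use of last-modified time as a stand-in for the advisory's "today's date", are this example's assumptions. It reports and deletes nothing, since the advisory's own advice is that manual removal is incomplete.

```python
"""Sweep a directory tree for the files the NTBugTraq Nimda advisory says are dropped.

Added example, not part of the advisory. Reports only; it deletes nothing.
"""
import os
import tempfile
import time
from pathlib import Path

# Names from the advisory's cleansing list (compared lower-cased).
DROPPED_ANYWHERE = {"readme.exe", "load.exe"}
MAIL_LIKE_EXTENSIONS = {".eml", ".nws"}
RECENT_SECONDS = 7 * 24 * 3600   # assumption: "today's date" means within the last week


def is_under(path: Path, marker: str) -> bool:
    """True if any directory component of path equals marker (case-insensitive)."""
    return any(p.lower() == marker.lower() for p in path.parts)


def sweep(root, system_dir="winnt/system32", now=None) -> list:
    """Return (relative path, reason) pairs for files matching the advisory's indicators.

    system_dir is the directory (relative to root) where riched20.dll legitimately
    lives; a recently written riched20.dll anywhere else is suspicious. Assumed default.
    """
    root = Path(root)
    now = time.time() if now is None else now
    legit_riched = (root / system_dir / "riched20.dll").resolve()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lname = name.lower()
            rel = path.relative_to(root)
            if lname in DROPPED_ANYWHERE:
                hits.append((rel, f"{lname} is a Nimda dropper name"))
            elif lname == "admin.dll" and not is_under(rel, "_vti_bin"):
                # The advisory excludes FrontPage's _vti_bin copy explicitly.
                hits.append((rel, "admin.dll outside FrontPage _vti_bin"))
            elif lname == "riched20.dll" and path.resolve() != legit_riched:
                if now - path.stat().st_mtime < RECENT_SECONDS:
                    hits.append((rel, "recently written riched20.dll outside the system dir"))
            elif os.path.splitext(lname)[1] in MAIL_LIKE_EXTENSIONS:
                # Heuristic: Nimda drops these in every directory it touches.
                hits.append((rel, ".eml/.nws file of the kind Nimda drops everywhere"))
    return sorted(hits)


def build_sample_tree(base) -> Path:
    """Constructed tree: a legitimate admin.dll under _vti_bin and riched20.dll in
    system32, plus the dropper layout the advisory describes."""
    base = Path(base)
    files = {
        "inetpub/wwwroot/_vti_bin/admin.dll": b"legit",   # FrontPage's own, not flagged
        "winnt/system32/riched20.dll": b"legit",         # the real RichEdit DLL, not flagged
        "docs/report.doc": b"doc",
        "inetpub/scripts/admin.dll": b"MZ",              # dropped into /scripts
        "winnt/load.exe": b"MZ",                         # dropped into %systemroot%
        "docs/readme.exe": b"MZ",                        # dropped into a user directory
        "docs/readme.eml": b"mime",                      # .eml beside it
        "docs/riched20.dll": b"MZ",                      # fresh riched20.dll outside system32
    }
    for relpath, data in files.items():
        p = base / relpath
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def demo() -> list:
    """Build the constructed tree, sweep it, and return findings with '/' separators."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(str(p).replace(os.sep, "/"), why) for p, why in sweep(tmp)]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```

Against the constructed tree the sweep lists the five dropped files and stays silent on _vti_bin/admin.dll, system32/riched20.dll and report.doc. Pointed at a real drive root it is a triage list for the AV cleaner, not a substitute for it, because the advisory's item (g), the infected executables, is not something a filename sweep can find.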

Wan Valdez
09-20-2001, 01:54 AM
Maybe it's not bad. I might be confused because Nimda is Admin spelled backwards. I guess it's a good file.

Okay, then tell me what happens when you press the Security tab. Does it give you a message:

> You do not have permission to view the current permission settings for Admin.dll, but you can make permission changes.

>>1. Are there any names/groups under 'Groups or user names:'?<<

No, it is blank.

I can set and change permissions with other files but not this one. I guess I should leave this one alone. It must have some other purpose. The W32/Nimda virus drove me insane. I think I was able to get rid of most of it, but it's not an easy virus to defeat. Okay, I'll leave the Admin.dll file alone. Anyway, thanks for the help. I didn't know how to log in as administrator, but your solution worked. I need to read up on a professional operating system, but I have not had a great chance to do it yet. In fact it involves a lot of reading, it seems. There are many books on Win2k, for example. A person has to learn 1000 things before he can become proficient running a computer. I'm still peeved about virus writers. I don't think anyone will be able to stop them and it is likely going to be a huge problem in the near future. Your Linux solution might be the best after all, hard to tell.

rick barclay
09-20-2001, 08:39 AM
>Rick, even if your machine runs Linux, it's still vulnerable to thousands of computers bombarding it with compromise requests. Did you have unusual amounts of traffic?<

No. I haven't even listed my site with the search engines.
Last one to visit my site before it was struck was govt
cheese, so he's my main suspect :p .

rick barclay