Vulnerability Development mailing list archives

RE: New Worm


From: "JKruser" <jkruser () adelphia net>
Date: Tue, 18 Sep 2001 17:18:56 -0400

Wrong worm...That is sadmind/IIS and has been around a while...The new bug
looks like this:

09/18/01
Virus Alert

Be on the alert for an email borne virus with the following characteristics:

Name of attachment: README.EXE
Description:
W32/Nimda-A is a Windows 32 virus which spreads via email,
network shares and websites.

Affected emails have an attached file called README.EXE. The
virus attempts to exploit a MIME Vulnerability in some versions
of Microsoft Outlook, Microsoft Outlook Express, and Internet
Explorer to allow the executable file to run automatically
without the user double-clicking on the attachment.

The virus copies itself into the Windows directory with the
filenames load.exe and riched20.dll (both have their file
attributes set to "hidden"), and attempts to spread itself to
other users via network shares.

The virus alters the System.ini file to include the line

  shell=explorer.exe load.exe -dontrunold

so that it executes on Windows startup.

The virus forwards itself to other email addresses found on the
computer. Furthermore, the virus looks for IIS web servers
suffering from the Unicode Directory Traversal vulnerability. It
attempts to alter the contents of pages on such servers, hunting
for the following filenames:

  index.html
  index.htm
  index.asp
  readme.html
  readme.htm
  readme.asp
  main.html
  main.htm
  main.asp
  default.html
  default.htm
  default.asp

If it finds one of the above files on the web server the virus
attempts to alter the contents of the file, adding a section of
malicious Javascript code to the end of the file.

If the website is then browsed by a user with an insecure
version of Internet Explorer, the malicious code automatically
downloads a file called readme.eml onto the user's computer -
which is then executed, forwarding the virus once more.

The virus contains the following text: "Copyright 2001
R.P.China".

For more information refer to:
(Aliases: W32.Nimda.A@mm, W32/Nimda-A, Code Rainbow, Minda)

Sophos:
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

Symantec:
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html

Trend Micro:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A


Claymore
the unprofound

-----Original Message-----
From: Enrique A. Compañ Gzz. [mailto:enrique () virtekweb net]
Sent: Tuesday, September 18, 2001 12:17 PM
To: vuln-dev () securityfocus com
Subject: New Worm


Yes, yes.... a new "$%"·$ worm.

Again, by Chinese terrorists (I cannot refer to them any other way).


An example of this (BE CAREFUL) can be seen at http://64.218.116.235

Don't go there if you aren't protected. It downloads readme.eml
automatically and executes it.

It seg faults on my machine... fortunately.

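The advisory quoted above names two host-side indicators that an administrator can check for: the System.ini shell= line the worm adds, and the JavaScript block referencing readme.eml that it appends to index/readme/main/default pages on an IIS server. The following is an added example (not code from the thread or from any vendor) that checks both on sample input; the System.ini and HTML samples are constructed here, and the `window.open("readme.eml")` snippet is a stand-in for the appended script, not the worm's actual code.

```python
import os
import re

# Indicators taken from the advisory text: the startup hook written to
# System.ini, and a <script> block mentioning readme.eml on a web page.
SHELL_LINE_RE = re.compile(
    r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\s+-dontrunold\s*$",
    re.IGNORECASE | re.MULTILINE,
)
INJECTED_SCRIPT_RE = re.compile(
    r"<script[^>]*>.*?readme\.eml.*?</script>", re.IGNORECASE | re.DOTALL
)
# The twelve filenames the advisory says the worm hunts for on IIS servers.
TARGET_NAMES = {"index", "readme", "main", "default"}
TARGET_EXTS = {".html", ".htm", ".asp"}


def system_ini_is_hooked(ini_text: str) -> bool:
    """True if System.ini carries the shell= line described in the advisory."""
    return SHELL_LINE_RE.search(ini_text) is not None


def is_target_page(filename: str) -> bool:
    """True for names on the advisory's list, e.g. index.asp or DEFAULT.HTM."""
    base, ext = os.path.splitext(os.path.basename(filename).lower())
    return base in TARGET_NAMES and ext in TARGET_EXTS


def page_has_injected_script(html: str) -> bool:
    """True if the page contains a <script> block that references readme.eml."""
    return INJECTED_SCRIPT_RE.search(html) is not None


def scan_site(files: dict) -> list:
    """Return (filename, on_advisory_list) for every page carrying the script.

    Pages not on the list are reported too: the script is the stronger
    indicator, the filename only says whether it matches the worm's pattern.
    """
    return sorted(
        (name, is_target_page(name))
        for name, body in files.items()
        if page_has_injected_script(body)
    )


# Constructed sample input (not captured from a real host).
CLEAN_INI = "[boot]\nshell=explorer.exe\n"
HOOKED_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n"
SAMPLE_SITE = {
    "index.html": '<html><body>Welcome</body></html>\n<script>window.open("readme.eml")</script>',
    "default.asp": "<html><body>OK</body></html>",
    "about.html": '<script>window.open("readme.eml")</script>',
}

if __name__ == "__main__":
    print("System.ini hooked:", system_ini_is_hooked(HOOKED_INI))
    print("Pages with injected script:", scan_site(SAMPLE_SITE))
```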
