__________________________________________________________

             The U.S. Department of Energy
          Computer Incident Advisory Center
                ___  __ __    _     ___
               /       | /_\   /      \___
               \___  __|__ / \  \___
__________________________________________________________

                           ADVISORY NOTICE

                          The W32.nimda Worm

September 18, 2001 23:00 GMT                                      Number L-144
Revised: September 18, 2001 23:00 GMT
______________________________________________________________________________

PROBLEM:       An extremely virulent worm is currently spreading throughout
               the Internet. It uses multiple methods of infection to spread
               among both Windows server and user machines. Infection methods
               include: file infections, mass e-mail of infected attachments,
               web server attacks, and LAN propagation via shares.

PLATFORM:      All Windows platforms including Windows 95, Windows 98,
               Windows Me, Windows NT 4, and Windows 2000. Server attacks
               affect unpatched IIS servers on Windows NT 4 and Windows 2000.
               Client attacks affect Internet Explorer web browsers and
               e-mail readers that use the vulnerable web browsers to view
               html encoded e-mail. Client attacks for other mail readers
               work if the user executes the attachment.

               Vulnerable Web Browsers
                   Internet Explorer 5.01 Service Pack 1 and earlier
                   Internet Explorer 5.5 Service Pack 1 and earlier

               Mail readers that use IE
                   Outlook
                   Outlook Express
                   Eudora
                   Others?

DAMAGE:        Compromised machines attack other machines on the Internet.
               System and document files are damaged. Network resources will
               be used, which will slow the network.

SOLUTION:      Apply patches to uninfected systems. Vulnerable IIS servers
               should install the cumulative patch, MS01-044, to protect
               against the server attacks. Vulnerable client systems should
               install or upgrade to one of the following:
                   Apply patch MS01-020
                   Apply patch MS01-027
                   Upgrade to Internet Explorer 5.01 Service Pack 2
                   Upgrade to Internet Explorer 5.5 Service Pack 2
                   Upgrade to Internet Explorer 6.
               Update antivirus software to detect the worm.

               Compromised machines must be pulled off of the network and
               rebuilt or cleaned with antivirus software. Cleaning
               instructions are available from your antivirus vendor.
               Note: Rebooting will not clean your system of this worm.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. The worm is rapidly spreading throughout the
ASSESSMENT:    Internet.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:   http://www.ciac.org/ciac/bulletins/l-144.shtml

 PATCHES:
   MS01-044   http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
   MS01-020   http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
   MS01-027   http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
   Internet Explorer 5.01 Service Pack 2
      http://www.microsoft.com/windows/ie/downloads/recommended/ie501sp2/default.asp
   Internet Explorer 5.5 Service Pack 2
      http://www.microsoft.com/windows/ie/downloads/recommended/ie55sp2/default.asp
   Internet Explorer 6
      http://www.microsoft.com/windows/ie/downloads/ie6/default.asp

 REFERENCES:
   F-Secure    http://www.datafellows.com/v-descs/nimda.shtml
   Microsoft   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/nimda.asp
______________________________________________________________________________

[Revised 9/21/01 Added technical details]

The W32.nimda worm started spreading on September 18, 2001 and quickly spread
throughout the Internet. Unlike the CodeRed worm, which targets only IIS
servers, the Nimda worm attacks both servers and client systems using four
different propagation methods. Those methods are: file infections, mass e-mail
of infected attachments, web server attacks, and LAN propagation via shares.
The mixture of capabilities has resulted in a worm that is very complicated,
difficult to analyze, and whose damage is difficult to repair.
The type of attacks performed and damage done depend on the name of the worm
executable that is run and on any command line arguments. The result is that
when examining an infected system you may see only some of the effects listed
in this Advisory.

Worm Operation
==============

There is an excellent detailed description of the operation of this worm
available on the F-Secure website; it is summarized here. The worm uses four
different methods to propagate itself to other systems: file infections, mass
e-mail, web server attacks, and LAN shares.

File Infections
---------------

The Nimda worm infects executable (.EXE) files it finds on systems. This method
is similar to more traditional virus infections but with a twist. Instead of
attaching the worm code to the beginning or end of the executable, the worm
takes the executable code into itself and then renames itself to the name of
the infected executable. When the executable is run, the worm runs first,
extracts the original executable, and runs it.

Mass E-mail
-----------

Using its own built-in mailer, the worm extracts e-mail addresses from your
existing address books, mail in your inbox, and web pages in your web cache.
The e-mails are constructed with no apparent body, faked return addresses, and
an attachment called README.EXE. The attachment is a copy of the worm. If you
read the e-mail and run the attachment, you will be infected with this worm.

On some e-mail readers, the attachment is executed automatically when you
simply view the e-mail message. This automatic execution occurs because some
e-mail readers use Internet Explorer windows to display html encoded mail
messages, and the worm exploits the vulnerability in Internet Explorer
described in Microsoft security bulletin MS01-020. Mail readers that use an
Internet Explorer window to view html encoded e-mail include: Outlook, Outlook
Express, and Eudora. There are likely others.

The vulnerable versions of Internet Explorer are:

    Internet Explorer 5.01 Service Pack 1 and earlier
    Internet Explorer 5.5 Service Pack 1 and earlier

Internet Explorer 5.01 and 5.02 with Service Pack 2 and Internet Explorer 6 are
not vulnerable. Netscape web browsers and mail readers are also not vulnerable.
Text only mail readers are not vulnerable.

Web Server Attacks
------------------

After the worm is established on a system, it searches for web servers and
tries a series of directory traversal, unicode, and other attacks. All of these
attacks are prevented by applying the cumulative patch kit described in
Microsoft bulletin MS01-044. It also attempts to exploit changes made to a
system by prior CodeRed II attacks. If the attack is successful, the worm
attaches code to the end of a random list of web pages on the server; that code
attempts to exploit the same Internet Explorer vulnerability used in the mass
e-mail attack. Anyone viewing these web pages with a vulnerable web browser
will be infected with the worm.

LAN Share Attacks
-----------------

The worm adds the "guest" account to compromised systems with no password and
puts it in the Guest and Administrators groups. This opens a system up for
anyone to log in and take complete control of it. The worm also opens the full
C drive for sharing to anyone.

After opening up the compromised system, the worm looks for other networked
systems with shares that it can open. When it finds open shares, it attempts
to spread itself by planting copies of the infected e-mail message and an
infected copy of RICHED20.DLL in the shares. The library RICHED20.DLL is used
by Word, Wordpad, and Outlook. If the owner of the share opens the infected
e-mail or opens a Word, Wordpad, or Outlook document in that directory, the
shared machine will be compromised.
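As an added example (not part of this advisory or of any vendor tool), the following Python script flags web server log lines that carry the probe requests the worm sends before its server attack. It canonicalizes the double-encoded and overlong UTF-8 path separators from the request list given under "Detecting Infected Packet Traffic" below, so every variant is recognised by what it actually asks for. The combined-log line format and the addresses in the sample are constructed assumptions.

```python
"""Flag web-server log lines carrying the Nimda probe requests from this advisory."""
import re
from urllib.parse import unquote

# Malformed / overlong UTF-8 sequences the probes use as path separators (from the
# advisory's request list). Swapped out before percent-decoding: they are not valid UTF-8.
OVERLONG_SEPARATORS = {"%c0%af": "/", "%c0%2f": "/", "%c1%9c": "\\", "%c1%1c": "\\"}
# What every probe asks for once the encoding tricks are undone.
PROBE_TARGETS = ("/winnt/system32/cmd.exe", "/root.exe")
# Request field of a combined-log style line (the log format is an assumption).
REQUEST_RE = re.compile(r'"(GET [^"]*)"')

def canonicalize(path: str) -> str:
    """Undo overlong UTF-8, double/triple percent-encoding and backslashes."""
    p = path.lower()
    for seq, sep in OVERLONG_SEPARATORS.items():
        p = p.replace(seq, sep)
    for _ in range(3):  # %255c -> %5c -> "\" ; %%35%63 -> %5c -> "\"
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    return p.replace("\\", "/")

def classify_request(request: str) -> list:
    """Return the probe traits seen in one 'GET path' request, [] if none."""
    parts = request.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return []
    raw, canon = parts[1].lower(), canonicalize(parts[1]).split("?")[0]
    if not canon.endswith(PROBE_TARGETS):
        return []
    reasons = ["probe-target"]
    if "../" in canon:
        reasons.append("traversal")
    if any(seq in raw for seq in OVERLONG_SEPARATORS):
        reasons.append("overlong-utf8")
    if "%25" in raw or "%%" in raw:
        reasons.append("double-encoding")
    return reasons

def scan_log(lines) -> list:
    """Return (line_number, reasons) for every line whose request is a probe."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        reasons = classify_request(m.group(1) if m else line)
        if reasons:
            hits.append((n, reasons))
    return hits

# Constructed sample log; the probe paths are the ones quoted in this advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2001:13:02:11 +0000] "GET /index.html HTTP/1.0" 200 1534',
    '10.0.0.9 - - [18/Sep/2001:13:02:12 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0',
    '10.0.0.9 - - [18/Sep/2001:13:02:12 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0',
    '10.0.0.9 - - [18/Sep/2001:13:02:13 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0',
]
```

A 200 response to one of these requests is the positive answer the advisory says triggers the follow-on tftp transfer of admin.dll, so those lines deserve the first look.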
Detecting An Infected System
============================

Detecting an infected system is difficult with this worm because the infections
differ depending on the name of the file that was run to start the infection
process and the command line used to start it. The worm also actively tries to
hide itself. The best way to test a system is to run an antivirus scanner on it
to look for infected files. Note that finding readme.exe in your e-mail
attachments directory may only indicate that the worm was sent to you, not that
it has been executed. Finding many infected files on a system is strong evidence
that it is infected.

One problem on both servers and client systems is that nimda changes the
registry entries that control the viewing of hidden files and file extensions.
When looking in a directory for files, choose View, Folder Options, View Tab in
the Windows Explorer. In the Advanced settings window, choose "Show all files",
uncheck "Hide file extensions for known file types", and click OK. Check these
settings whenever you search a different directory, as the worm will keep
changing them back to the hidden settings. In fact, if you change these settings
and a few minutes later find that they have been changed back for the same
directory, that is a good indication that the worm is active on your system.

Servers
-------

If the system in question is an IIS web server, look for admin.dll in the web
server's \scripts directory. Finding admin.dll in the _vti_bin\_vti_adm
directory is normal, as this is the FrontPage extension for administering a
website. It should not be found in the \scripts directory. If you open the
suspect admin.dll file in notepad, you will find the strings listed in the
"Detecting Infected Packet Traffic" section of this document.

Look in directories containing .DOC or .EML files and see if you can find
RICHED20.DLL or README.DLL in those directories. Note that these files may be
hidden and you may have to turn on viewing of hidden files to see them.

Look in the web folders that contain .HTM, .HTML, or .ASP files for README.EML.

Clients
-------

Look for README.EXE in the mail attachments folder.

Look for files in the temporary directory (\temp, \windows\temp, \winnt\temp)
with the names MEP*.TMP and MEP*.TMP.EXE (the * is any random characters).
These files may be hidden, so you must turn on viewing of hidden files to see
them.

Look for LOAD.EXE in the \windows or \winnt directories.

Open the \windows\system.ini file with a text editor like notepad and look for
the line: "shell=explorer.exe load.exe -dontrunold".

If you find any of these files, your system is infected.

Detecting Infected Packet Traffic
=================================

Detecting infected packet traffic involves finding unique strings to look for.
The following strings are detectable in the unpacked executables (admin.dll,
readme.exe) and in the infected e-mail message. Some easy to spot markers are
the mime tags (--====_ABC1234567890DEF_====), the string after src= in the

    --====_ABC0987654321DEF_====--
    --====_ABC1234567890DEF_====
    Content-Type: audio/x-wav; name="readme.exe"
    Content-Transfer-Encoding: base64
    Content-ID:

The web server attack packets contain some well known IIS exploits. The
following traffic is used to scan a web server for a vulnerability. If a server
gives a positive response to any of these requests, the worm sends over attack
code that attempts to download admin.dll using tftp from the attacking site.

    GET /scripts/root.exe?/c+dir
    GET /MSADC/root.exe?/c+dir
    GET /c/winnt/system32/cmd.exe?/c+dir
    GET /d/winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
    GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
    GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
    GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
    GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir

Cleaning An Infected System
===========================

Cleaning an infected system can be complex and depends on what antivirus
product you have and whether this is a web server or a client system. In some
cases, especially those involving servers, it is probably simpler to format and
reinstall a system than to try to disinfect and restore it. Check your
antivirus vendor for the latest disinfection instructions. A good set of
detailed instructions is available from F-Secure. The following is a brief list
of the steps you must go through.

1. Disconnect the system from the network.

2. Run an antivirus program to locate all infected files. Let the antivirus
   program clean any files it can and delete those that it cannot. Replace any
   system files you have to delete.

3. Locate the following files and delete or replace them as necessary.

   File                Operation                             Location
   ------------        ---------------------------------     -------------------
   *.EXE               Delete or replace infected files.     Anywhere
   admin.dll           Delete                                Root directories of
                                                             disks and \scripts
                                                             directory in a web
                                                             server.
   mmc.exe             Delete                                \windows or \winnt
   wininit.ini         Delete                                \windows or \winnt
   riched20.dll        Delete and replace with the one in    Windows NT:
                       \winnt\system32 (NT) or \windows      \winnt\system32
                       (9x)                                  Windows 9x: \windows
   *.eml, *.ews        Delete infected files.                Anywhere
   *.htm, *.asp,       Remove virus from end or delete.      Anywhere
   *.html
   MEP*.tmp and        Delete                                \temp, \windows\temp,
   MEP*.tmp.exe                                              \winnt\temp
   readme.exe          Delete                                Anywhere
   readme.eml          Delete                                web directories
   load.exe            Delete                                \windows or \winnt
   system.ini          Change line:                          \windows or \winnt
                       shell=explorer.exe load.exe -dontrunold
                       to: shell=explorer.exe

4. Check all the shares on your local drives to ensure that the share is needed
   and that the permissions set on that share are appropriate. Everyone - Full
   Control is generally not appropriate.

5. Remove the Guest account. If you need a Guest account, reinstall it with the
   appropriate restrictions. The guest account should not be in the
   Administrators group.

6. Reboot and scan everything again to ensure that you have gotten all copies
   of the infected files, as nimda will try to replace deleted files.

Again, it is better (and often easier) to reinstall the system and software
than to try to clean up this worm.

Determining If Your System Is Vulnerable
========================================

Server
------

A web server is vulnerable if you have not installed the security patches
contained in Microsoft's security bulletin and patch MS01-044. This is actually
a cumulative patch. You should keep a log of what patches you have installed
and when. If you don't have a log, you may be able to tell which patches are
installed by looking in the \winnt directory with hidden files turned on and
finding the patch uninstall directories. These directories are named
$NtUninstall followed by the Microsoft Technet article number (Q####). You can
look up that article number on the Microsoft website to see what patch the
number represents. If you still don't know whether the patch has been
installed, install it again.

Check all shared drives to ensure that they are needed and that the
permissions are appropriate. Note that on an NT server, the access permissions
can be set by the share or by the NTFS file permissions. It is common practice
to have an open share and then control access with restrictive NTFS file
permissions.

Client
------

To see if your copy of Internet Explorer is vulnerable, open Internet Explorer
and choose the Help, About Internet Explorer command. The About window that
appears lists the version of Internet Explorer, the service packs installed
(SR1, SR2), and any other patches by their Microsoft Technet number (Qnnnn). If
your version is 6.0 or later, or your version is 5.01 or 5.5 with service pack
2 (SR2), your system is safe from the automatic running of infected e-mail and
infected web pages. However, if you receive an infected e-mail and you run the
attachment by hand, you will be infected. Also, if you have open file shares
and there is an infected server in your domain, you may be infected through
the shares.

Check all shared drives and directories to ensure that they are needed and
that the permissions are appropriate. This is especially necessary for Windows
9x systems, which cannot protect shares with file permissions. These systems
depend on the share permissions to protect the files.
______________________________________________________________________________

CIAC would like to thank F-Secure and Microsoft and all the researchers world
wide who contributed to our understanding of this worm.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security incident
response team for the U.S. Department of Energy (DOE) and the emergency backup
response team for the National Institutes of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore, California. CIAC is
also a founding member of FIRST, the Forum of Incident Response and Security
Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-134: HP Security Vulnerability in rlpdaemon
L-135: SGI File Globbing Vulnerability in ftpd
L-136: HP-UX Security Vulnerability in PRM
L-137: FreeBSD lpd Remote Root Vulnerability
L-138: Gauntlet Firewall CSMAP and smap/smapd Buffer Overflow Vulnerability
L-139: Microsoft IIS "%u encoding IDS bypass vulnerability"
L-140: Gauntlet Firewall CSMAP and smap/smapd Buffer Overflow Vulnerability
L-141: RSA BSAFE SSL-J 3.x Vulnerability
L-142: RPC Endpoint Mapper Vulnerability
L-143: HP libsecurity Vulnerability