Eaten by the ‘Nimda’ Worm

RedSiren Technologies today warned its clients against the effects of the so-called ‘Nimda’ worm, that is now affecting many computers worldwide.

RedSiren Technologies, a provider of outsourced computer network security services, today warned its clients against the effects of the so-called ‘Nimda’ worm, that is affecting computers worldwide.

The US National Infrastructure Protection Center (NIPC) and the Computer Emergency Response Team (CERT/CC) report that the worm attacks Microsoft Internet Information Services on Windows 2000 and NT Web servers, as well as individual users running Microsoft Outlook or Outlook Express for their mail service on any Windows platform.

In a message distributed to its monitoring customers this afternoon, RedSiren reports that it has seen a sharp increase in network traffic, apparently from infected computers attempting to distribute the virus payload.

‘Companies should have already taken steps to protect themselves from being infected by this powerful worm, as well as others of its type,’ said L. Dain Gary, RedSiren’s VP/Chief Security Officer. ‘Despite multiple warnings, we’re seeing a number of companies where the worm has taken hold.’

RedSiren’s security experts have developed the following checklist to help companies minimise their risk from the latest round of computer worms, at both the server and user level:

First, immediately verify the installation of the Microsoft IIS patch for Windows-based servers, available at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061 (for Windows NT 4.0) or http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011 (for Windows 2000).

Also, check with your anti-virus vendor, and download the patch dealing with this virus as soon as possible.

Consider stripping all attachments of MIME type ‘audio/x-wave’ at the mail server. If filtering at that level of specificity is not possible, consider blocking all incoming emails that carry an attachment named readme.exe.
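As an added illustration of that mail-server check (example code written for this page, not RedSiren’s or any vendor’s), the following Python script parses a message with the standard library and flags any attachment whose declared MIME type is audio/x-wave or whose filename is readme.exe. The two messages are constructed for the example; the audio/x-wav spelling is added on the assumption that gateways may see either form.

```python
import email
from email import policy

# Indicators from the advisory: an executable attachment declared as an audio
# type and named readme.exe. "audio/x-wav" is an assumed alternate spelling.
BLOCKED_MIME_TYPES = {"audio/x-wave", "audio/x-wav"}
BLOCKED_FILENAMES = {"readme.exe"}


def find_suspicious_parts(raw_message: str):
    """Return (content_type, filename) for every attachment matching an indicator."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no payload of their own
            continue
        ctype = part.get_content_type().lower()
        fname = (part.get_filename() or "").lower()
        if ctype in BLOCKED_MIME_TYPES or fname in BLOCKED_FILENAMES:
            hits.append((ctype, fname))
    return hits


def should_quarantine(raw_message: str) -> bool:
    """Gateway decision: hold the message if any part matches an indicator."""
    return bool(find_suspicious_parts(raw_message))


# Constructed sample in the shape the advisory describes (80-character subject,
# executable attachment labelled as audio). Not a real capture.
SUBJECT_80 = "x" * 80
SAMPLE_MESSAGE = f"""\
From: sender@example.com
To: user@example.org
Subject: {SUBJECT_80}
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"

<html><body>test</body></html>
--BOUNDARY
Content-Type: audio/x-wave; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

UExBQ0VIT0xERVI=
--BOUNDARY--
"""

# Constructed benign message with an ordinary attachment, for contrast.
CLEAN_MESSAGE = """\
From: colleague@example.com
To: user@example.org
Subject: Minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain

Attached.
--B2
Content-Type: application/pdf; name="minutes.pdf"
Content-Disposition: attachment; filename="minutes.pdf"

placeholder
--B2--
"""

if __name__ == "__main__":
    print("sample:", find_suspicious_parts(SAMPLE_MESSAGE))
    print("clean:", find_suspicious_parts(CLEAN_MESSAGE))
```

Matching on both the declared type and the filename is deliberate: the advisory’s first option (strip by MIME type) and its fallback (block by attachment name) are each one of the two conditions, so a gateway that can only inspect one of them still gets a usable rule.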

Administrators should search their network for the following list of specific files, developed by the US National Infrastructure Protection Center, which may indicate that a machine or network has been infected:

On your Web server’s file system, look for:

root.exe

admin.dll

Getadmin.dll

Getadmin.exe

.eml

In your Web server’s log, look for:

GET /scripts/root.exe?/c+dir

GET /MSADC/root.exe?/c+dir

GET /c/winnt/system32/cmd.exe?/c+dir

GET /d/winnt/system32/cmd.exe?/c+dir

GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir

GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir

GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir

GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir

GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir

GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
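The request strings above are the indicators; what an administrator actually needs is something that runs them over a log. The following Python scanner is an added example (not RedSiren’s or NIPC’s code) that reads IIS W3C extended log lines, reassembles the request from the cs-uri-stem and cs-uri-query fields, and reports any line matching a generalised form of the patterns listed: a root.exe probe, cmd.exe reached through the web server, a drive-letter virtual directory, or a ‘..’ followed by a percent-encoded or high byte (which covers %5c, %2f, %35c and the overlong UTF-8 sequences). The log lines are constructed; the example assumes the overlong sequences the advisory prints as raw bytes (\xc1\x1c) were received percent-encoded (%c1%1c), and it also matches the raw-byte form if the log is decoded as Latin-1.

```python
import re

# Patterns generalised from the advisory's request list (assumptions noted in
# the lead-in). re.I covers %5C vs %5c; [\x80-\xff] catches raw high bytes in
# a Latin-1-decoded line.
INDICATORS = {
    "root.exe probe": re.compile(r"/root\.exe", re.I),
    "cmd.exe via web server": re.compile(r"/winnt/system32/cmd\.exe", re.I),
    "encoded traversal": re.compile(r"\.\.(?:%[0-9a-f]{2}|[\x80-\xff])", re.I),
    "drive-letter virtual dir": re.compile(r"^/[cd]/winnt/", re.I),
}


def scan_iis_log(lines):
    """Return (line_no, client_ip, status, [indicator names], request) per hit.

    Field order is taken from the log's own #Fields: directive, as IIS writes it.
    """
    fields = None
    hits = []
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # e.g. ['date', 'time', 'c-ip', ...]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                            # malformed line; skip rather than guess
        rec = dict(zip(fields, parts))
        request = rec["cs-uri-stem"]
        if rec.get("cs-uri-query", "-") != "-":
            request += "?" + rec["cs-uri-query"]
        names = [name for name, pat in INDICATORS.items() if pat.search(request)]
        if names:
            hits.append((n, rec["c-ip"], rec["sc-status"], names, request))
    return hits


def suspect_clients(lines):
    """Client addresses that issued at least one matching request."""
    return {ip for _, ip, _, _, _ in scan_iis_log(lines)}


# Constructed W3C extended log excerpt (not a real capture). A 200 on a cmd.exe
# request means the server actually executed the command.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 14:02:11 192.0.2.10 GET /default.htm - 200
2001-09-18 14:02:15 192.0.2.44 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:16 192.0.2.44 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:17 192.0.2.44 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:18 192.0.2.44 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:19 192.0.2.44 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:20 192.0.2.10 GET /images/logo.gif - 200
""".splitlines()

if __name__ == "__main__":
    for line_no, ip, status, names, request in scan_iis_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} {status} {', '.join(names)}: {request}")
```

Reading the field order from the #Fields: directive rather than hard-coding it matters in practice, because the logged columns are configurable per site and a scanner that assumes a layout will silently match the wrong column.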

If you find your system has been infected, you should understand that installing the patches will correct the vulnerabilities but will not delete or disable any code installed by the infecting agent.

The only way to ‘clean’ a server found to have been infected is to reinstall the system software from distribution media or a back-up copy known to be free of the infection.

RedSiren understands this may involve a major commitment of time, but cautions that a system with Trojan ‘back doors’ installed may be hacked or commandeered at a later time for unknown purposes.

Actions to be taken at the User level:

Make sure the ‘Preview’ feature of your email system has been disabled.

This must be done on every desktop, laptop and workstation: previewing a message has the same effect as opening it.

Reinforce to all end users on the network that if they receive any email with an 80-character subject line, that email should be deleted without opening, even if it appears to have been sent by a recognized source. Ensure users have disabled the ‘Web content in Folders’ option of Windows Explorer.

Empty each user’s browser cache.

Look for these files on each user’s file system:

readme.eml

readme.exe
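Both file checklists in this release (root.exe, admin.dll, Getadmin.dll, Getadmin.exe and stray .eml files on the web server; readme.eml and readme.exe on user machines) come down to one task: walk a file system and report files whose name matches an indicator. The following Python script is an added example, not RedSiren’s or NIPC’s tooling, that does this case-insensitively and labels each finding with the checklist it came from. The directory tree it builds is constructed for the demonstration and contains only placeholder bytes.

```python
import os
import tempfile

# Indicator file names from the advisory. The two checklists are kept separate
# so a finding says whether it is a web-server or a user-desktop indicator.
SERVER_INDICATORS = {"root.exe", "admin.dll", "getadmin.dll", "getadmin.exe"}
USER_INDICATORS = {"readme.eml", "readme.exe"}


def classify(filename):
    """Map a bare file name to its indicator category, or None if it is not one."""
    name = filename.lower()               # Windows file names are case-insensitive
    if name in SERVER_INDICATORS:
        return "server indicator"
    if name in USER_INDICATORS:
        return "user indicator"
    if name.endswith(".eml"):
        return "stray .eml file"
    return None


def find_indicator_files(root):
    """Walk `root` and return sorted (path, category) pairs for every match."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            category = classify(fname)
            if category:
                findings.append((os.path.join(dirpath, fname), category))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed directory tree for the demo and return its path."""
    root = tempfile.mkdtemp(prefix="nimda-demo-")
    layout = {
        "inetpub/scripts/root.exe": b"placeholder",
        "inetpub/wwwroot/readme.eml": b"placeholder",
        "inetpub/wwwroot/index.htm": b"<html></html>",
        "Admin.dll": b"placeholder",                 # mixed case on purpose
        "Documents/report.doc": b"placeholder",
        "Documents/readme.exe": b"placeholder",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    for path, category in find_indicator_files(demo):
        print(f"{category}: {path}")
```

A hit from this scan is a reason to follow the release’s own advice above: patching afterwards closes the hole but leaves whatever the worm dropped in place, so a host with a finding is rebuilt, not cleaned.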

‘Computer viruses are becoming more destructive in their capabilities, and the people who develop them are more insidious in the way they attempt to deliver them in the marketplace,’ Gary stated. ‘Companies must consider permanently elevating the extent and methods by which they ensure that their computer networks, and the corporate-critical information stored on them, are protected from unauthorized access.’