| VID |
24088 |
| Severity |
40 |
| Port |
80,139, ... |
| Protocol |
TCP |
| Class |
BackDoor |
| Detailed Description |
The system appears to be infected with the 'Nimda' worm. The Nimda worm has the potential to affect both user workstations (clients) running Windows 95, 98, ME, NT, or 2000 and servers running Windows NT and 2000. This worm, known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5", appears to spread by multiple mechanisms:
o from client to client via email
o from client to client via open network shares
o from web server to client via browsing of compromised web sites
o from client to web server via active scanning for and exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities
  -- http://www.kb.cert.org/vuls/id/111677
  -- http://www.cert.org/advisories/CA-2001-12.html
o from client to web server via scanning for the back doors left behind by the "Code Red II" and "sadmind/IIS" worms
  -- http://www.cert.org/advisories/CA-2001-11.html
  -- http://www.cert.org/incident_notes/IN-2001-09.html
The 'Nimda' worm contains no destructive payload beyond modification of web content to facilitate its own propagation. However, the infected host is at high risk of being party to attacks on other Internet sites, and the worm's high scanning rate may cause bandwidth denial-of-service conditions on networks with infected machines.
* References:
  http://www.cert.org/advisories/CA-2001-26.html
  http://www.f-secure.com/v-descs/nimda.shtml |
| Recommendation |
Full disinfection of the worm requires some additional manual actions. To disinfect the worm and restore the security of affected workstations, please follow these instructions:
1. Temporarily disconnect the system from the network.
2. Scan all files (not just files with selected extensions) on all local hard drives using Windows Explorer and delete all *.EML and *.NWS files (typically 79,225 bytes in size).
3. Delete all worm copies (typically 57,344 bytes in size):
   MMC.EXE (in the Windows directory)
   LOAD.EXE (in the Windows system directory)
   RICHED20.DLL or RICHED32.DLL (in the Windows system directory)
   ADMIN.DLL (in all folders of all local hard drives)
4. Restart the system. Do not connect it to the network yet. It is advised to scan all files on all local drives to ensure that there are no more infected files on the system.
5. Locate SYSTEM.INI file in your Windows directory and open it with Wordpad or Notepad. Replace the string "shell=explorer.exe load.exe -donotloadold" with "shell=explorer.exe" string.
6. Delete all files with .TMP extensions from your local temporary directories - typically \Temp\ or \Windows\Temp\ or \documents and settings\username\local settings\temp.
7. Copy a clean RICHED20.DLL or RICHED32.DLL file to \Windows\System\ or \WinNT\System32\ folders. This DLL file is used by many applications and they won't run if this DLL is missing.
8. Remove all shares from all local hard drives and recreate these shares with correct access rights if needed. This needs to be done because the worm modifies share security settings. Check especially the \\localhost\c$ share rights.
9. Set the password of 'Guest' account and disable the account if not needed, and remove 'Guest' account from 'Administrators' group.
10. Check all *.HTML, *.ASP, and *.HTM files for the small JavaScript code referring to the README.EML file and remove it, or restore the affected files from a backup. This JavaScript code is located at the very end of affected files.
11. The CodeRed II backdoor infections should be removed as well. Please refer to the 'CodeRed' description and cleaning instructions: http://www.europe.f-secure.com/v-descs/bady.shtml
12. Restore network connections only after all systems are disinfected, or the worm will re-infect already clean computers!
13. If an IIS server is installed, apply the appropriate patch from your vendor. A cumulative patch for the IIS-related vulnerabilities is available from: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
14. If you are running a vulnerable version of Internet Explorer, upgrade to at least version 5.0 and apply the patch for the "Automatic Execution of Embedded MIME Types" vulnerability available from: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
    * The above patch has been superseded by the IE 5.01 and 5.5 patches discussed in MS01-027.
Additionally: do not open e-mail attachments named "readme.exe", and run and maintain an anti-virus product. |
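As an added example for step 10 (not part of the original advisory or of any vendor tool), the script below walks a web root, flags *.htm/*.html/*.asp files whose last element is a script block referencing README.EML, and optionally strips that trailing block in place. The page does not reproduce the worm's exact JavaScript, so the sample pages are constructed with a placeholder reference; the file-type set and the "only whitespace may follow the block" rule are assumptions.

```python
import re
from pathlib import Path

# Assumed file types to inspect; the advisory names *.HTML, *.ASP and *.HTM.
WEB_EXTENSIONS = {".htm", ".html", ".asp"}

# A <script> element that references README.EML and is the last thing in the
# file (only whitespace may follow). Matching is case-insensitive and cannot
# cross a </script> boundary, so legitimate earlier script blocks are ignored.
TRAILING_SCRIPT = re.compile(
    rb"<script\b[^>]*>(?:(?!</script>).)*?readme\.eml(?:(?!</script>).)*?</script>\s*$",
    re.IGNORECASE | re.DOTALL,
)


def find_injected_script(data: bytes):
    """Return (start, end) of the trailing README.EML script block, or None."""
    m = TRAILING_SCRIPT.search(data)
    return (m.start(), m.end()) if m else None


def clean_content(data: bytes) -> bytes:
    """Return the content with the trailing block removed; unchanged if absent."""
    span = find_injected_script(data)
    if span is None:
        return data
    return data[:span[0]].rstrip() + b"\n"


def scan_web_root(root, fix=False):
    """Walk root and return affected file paths; with fix=True also clean them in place."""
    affected = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        data = path.read_bytes()
        if find_injected_script(data) is None:
            continue
        affected.append(str(path))
        if fix:
            path.write_bytes(clean_content(data))
    return affected


# Constructed sample pages (not worm output): a clean page and the same page
# with a placeholder script block referencing readme.eml appended at the end.
CLEAN_PAGE = b"<html><body><h1>Welcome</h1></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + b'<script language="JavaScript">/* placeholder */ x = "readme.eml";</script>\n'

if __name__ == "__main__":
    import sys  # usage: python nimda_check.py <web_root> [--fix]
    for f in scan_web_root(sys.argv[1], fix="--fix" in sys.argv):
        print("affected:", f)
```

Run it first without --fix to list affected files, and take a backup of the web root before cleaning in place, since step 10 also allows restoring the files from backup instead.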
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|