-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                       A U S C E R T   A L E R T

                      AL-2001.15 -- AUSCERT ALERT
                         W32/Nimda.A@mm worm
                           19 September 2001
===========================================================================

PROBLEM:

        AusCERT has been made aware of the existence of a new mass mailing
        worm "Nimda" that spreads itself in attachments named "readme.exe".
        The execution of this file causes the infected host computer to
        begin scanning for vulnerable implementations of Internet
        Information Server (IIS).  The worm does this by either scanning
        for a backdoor created by the Sadmind and CodeRed II worms, or for
        the IIS unicode vulnerability.

        We have received significant numbers of reports of infection by
        this virus from Australian and New Zealand sites, indicating that
        it is propagating rapidly.

        The propagation Nimda performs via email appears to involve sending
        copies of itself to all addresses listed in the infected machine's
        Outlook address book.  All messages sent appear to contain the
        following string in the mime-encoding of the attachment:

                Content-ID: <EA4DMGBP9p>

        The worm appears to:

        - contain the string "Concept Virus(CV) V.5, Copyright(C)2001
          R.P.China"
        - contain a base64 encoding of the file name 'readme.exe'
        - rename or edit wininit.ini
        - share the C drive
        - create a guest account and add that account to the Administrators
          and Guests groups
        - perform the root.exe (Sadmind / CodeRed II) and unicode exploits
        - mail a copy of itself as readme.exe

        Due to a vulnerability described in ESB-2001.134 (CERT Advisory
        CA-2001-06 - Automatic Execution of Embedded MIME Types), any mail
        software running on an x86 platform that uses Microsoft Internet
        Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML
        mail automatically runs the enclosed attachment and, as a result,
        infects the machine with the worm.  Thus, in vulnerable
        configurations, the worm payload will automatically be triggered by
        simply opening (or previewing) this mail message.  As an executable
        binary, the payload can also be triggered by simply running the
        attachment.

        Organisations running web servers and IDS systems will see a large
        increase in web-vulnerability scanning.  This virus is scanning for
        backdoors left in IIS web servers, possibly by the Code Red II worm.

        Details of the Sadmind and CodeRed worms and the IIS unicode
        vulnerability can be found at:

        Sadmind -
          ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.08
        CodeRed II -
          ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.14
        IIS unicode vulnerability -
          ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.02
          ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.360

PLATFORM:

        For the Unicode Bug, unpatched IIS 4.0 and 5.0 servers are
        vulnerable to attacks from Nimda infected machines.  IIS 4.0 and
        5.0 servers that have been previously compromised, and are still
        compromised, by Sadmind or CodeRedII are also vulnerable to
        attacks.

        Nimda is also a Win32 executable and poses a threat to Microsoft
        Windows operating systems that run Win32 (32-bit) applications.
        These systems include, but are not limited to, Windows 95, 98, ME,
        Windows NT4 and Windows 2000.

        Nimda specifically propagates via any mail software running on an
        x86 platform that uses Microsoft Internet Explorer 5.5 SP1 or
        earlier (except IE 5.01 SP2) to render the HTML mail automatically.

IMPACT:

        Nimda has the ability to degrade network and system performance
        and possibly cause a denial of service.  Systems infected with
        Nimda are also susceptible to intruders executing arbitrary code
        in a Local System context.

RECOMMENDATIONS:

        A.  Detection

        To check if you have the Nimda virus, either use your virus scanner
        with a recent update (check with your vendor to ensure the scanner
        can detect Nimda), or follow any instructions supplied by virus
        scanner vendors (see the links below).
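        As an added example (not part of the AusCERT alert), the following
        Python check applies the indicators from the PROBLEM section at a
        mail gateway: it flags a message whose attachment part carries the
        Content-ID <EA4DMGBP9p>, is named readme.exe, or is any .exe file
        as recommended below.  The sample message and its addresses are
        constructed for the example.

```python
# Added example, not from the AusCERT alert: a mail-gateway check for the
# indicators the alert lists (attachment Content-ID <EA4DMGBP9p>, an attachment
# named readme.exe) plus the generic .exe rule from recommendation A.
# The sample message below is constructed; addresses are placeholders.
import base64
import email
from email import policy

NIMDA_CONTENT_ID = "<EA4DMGBP9p>"


def scan_message(raw):
    """Return the sorted list of indicator names found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        # The alert says every Nimda mail carries this Content-ID on the attachment.
        if str(part.get("Content-ID", "")).strip() == NIMDA_CONTENT_ID:
            hits.add("nimda-content-id")
        name = (part.get_filename() or "").lower()
        if name == "readme.exe":
            hits.add("readme.exe-attachment")
        # Recommendation A: block or quarantine any .exe at the gateway.
        if name.endswith(".exe"):
            hits.add("exe-attachment")
    return sorted(hits)


# Constructed sample: HTML mail with a base64-encoded executable attachment.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: recipient@example.org\r\n"
    b"Subject: hello\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>\r\n"
    b'--b1\r\nContent-Type: application/octet-stream; name="readme.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-ID: <EA4DMGBP9p>\r\n"
    b'Content-Disposition: attachment; filename="readme.exe"\r\n\r\n'
    + base64.b64encode(b"not a real executable") + b"\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

        A message matching any of the three names should be quarantined
        rather than delivered; the Content-ID match alone is the most
        specific of them.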
        Organisations should consider blocking or quarantining .exe files
        at the email gateway.  This should prevent the Nimda virus
        infecting computers not running vulnerable versions of IIS (eg
        workstations); however, it is recommended that all organisations
        contact their anti-virus vendors for an updated virus signature
        file that will detect this virus.

        B.  Recovery

        If you detect Nimda on one machine, it is vital to check for the
        presence of the virus on *all* potentially affected systems,
        including systems connected via network shares to the infected
        machine.  This may be accomplished using a current version of an
        anti-virus program that is certified by the vendor to detect it,
        or by following the recovery steps listed at the following sites:

        http://vil.mcafee.com/dispVirus.asp?virus_k=99209
        http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
        http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
        http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
        http://www.f-secure.com/v-descs/nimda.shtml

        C.  User Education

        System Administrators are urged to inform their users about proper
        precautions with regard to handling email attachments.  AusCERT
        recommends that sites should update and check their virus defences
        and either delete or quarantine any email messages or attachments
        that resemble those described above or in the following links.

        D.  Update Anti-Virus Packages

        System administrators and users are urged to ensure that the latest
        Anti-Virus software is installed and that it is using the most
        current up-to-date virus databases.  More information can be found
        at:

        http://vil.mcafee.com/dispVirus.asp?virus_k=99209
        http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
        http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
        http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
        http://www.f-secure.com/v-descs/nimda.shtml

        E.  Patch Vulnerable Versions of Windows Workstations

        If you are running a vulnerable version of Internet Explorer (IE),
        the CERT/CC recommends applying the patch for the "Automatic
        Execution of Embedded MIME Types" vulnerability available from
        Microsoft per AusCERT Bulletin:

        ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.131

        E.  Patch Vulnerable Versions of IIS

        Microsoft System Administrators are urged to check their systems
        for insecure versions of IIS services as per AusCERT Alerts and
        Bulletins available from:

        Sadmind -
          ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.08
        CodeRed II -
          ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.14
        IIS unicode vulnerability -
          ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.02
          ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.360

        This alert is also to remind you about the recent release of a
        software tool available from Microsoft to detect the presence or
        absence of security patches on some Microsoft based operating
        systems and applications.  Microsoft has released the following
        description:

        "The Hfnetchk tool is a command-line tool that you can use to
        assess a computer or selected group of computers for the presence
        or absence of security patches.  You can use Hfnetchk to assess
        patch status for the Windows NT 4.0 and Windows 2000 operating
        systems, as well as hotfixes for IIS 4.0, IIS 5.0, SQL Server 7.0,
        and SQL Server 2000 (including MSDE), and Internet Explorer 5.01
        or later.

        The Hfnetchk tool uses an Extensible Markup Language (XML) file
        that contains information about which hotfixes are available for
        which products.  The XML file contains security bulletin name and
        title, and detailed data about product-specific security hotfixes,
        including: files in each hotfix package and their file versions
        and checksums, registry keys that were applied by the hotfix
        installation package, information about which patches supersede
        which other patches, related Microsoft Knowledge Base article
        numbers, and much more."
        Additional information and download instructions are available
        from:

        http://support.microsoft.com/support/kb/articles/q303/2/15.asp

        Frequently Asked Questions about the Microsoft Network Security
        Hotfix Checker Tool are available from:

        http://support.microsoft.com/support/kb/articles/Q305/3/85.ASP

        AusCERT is releasing this information to its members for their
        information only.  AusCERT does not endorse or recommend any
        program or tool listed in this message.  Members are encouraged to
        review and verify all information before using any tool.

        F.  Check For Signs of Compromise

        If you suspect that your site may have been compromised, we
        encourage you to read:

        ftp://ftp.auscert.org.au/pub/cert/tech_tips/intruder_detection_checklist

        If your site has been compromised, we encourage you to read:

        http://www.auscert.org.au/Information/Auscert_info/Papers/win-UNIX-system_compromise.html

        AusCERT is currently monitoring this problem.  If you detect that
        your systems have been compromised, please contact AusCERT.

        On a possibly related note, AusCERT has received reports indicating
        an increase in unauthorised network scans across a range of TCP and
        UDP ports.  Members are encouraged to stay alert for any signs of
        network traffic which may indicate the use of scanning tools in an
        attempt to find already compromised servers.  These attacks are
        currently widespread and AusCERT is releasing this information to
        alert system administrators to this activity.  Member sites may
        wish to check their systems for evidence of attacker activity in
        the form of malformed URL requests directed at IIS servers.

        AusCERT will continue to monitor the situation and we would
        appreciate any reports regarding this activity.  If you have any
        information, comments or questions about this threat, please
        contact us.

- ---------------------------------------------------------------------------

        The AusCERT team has made every effort to ensure that the
        information contained in this document is accurate at the time of
        publication.
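        As an added example (not part of the AusCERT alert), the following
        Python scan runs over IIS W3C extended log lines for the evidence
        section F asks sites to look for: requests for the root.exe
        backdoor named in the PROBLEM section, and malformed URLs, for
        which a ".." traversal check is this example's own heuristic.  The
        log lines, paths and addresses are constructed; a 2xx answer to a
        root.exe request indicates the backdoor is present on the server
        rather than merely being scanned for.

```python
# Added example, not from the AusCERT alert: scan IIS W3C extended log lines
# for root.exe backdoor requests and ".." traversal attempts (the ".." rule is
# this example's heuristic; paths and addresses in the sample are constructed).
from collections import defaultdict

BACKDOOR_NAME = "root.exe"

# Constructed sample in IIS W3C extended format.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-19 08:00:01 192.0.2.10 GET /default.htm - 200
2001-09-19 08:00:02 192.0.2.55 GET /scripts/root.exe - 404
2001-09-19 08:00:02 192.0.2.55 GET /msadc/root.exe - 404
2001-09-19 08:00:03 192.0.2.55 GET /scripts/../../private/config.txt - 404
2001-09-19 08:00:04 198.51.100.7 GET /scripts/root.exe - 200
2001-09-19 08:00:05 192.0.2.10 GET /images/logo.gif - 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def scan_iis_log(text):
    """Return {c-ip: {"root.exe": n, "traversal": n, "backdoor_answered": bool}}."""
    # A 2xx status on a root.exe request means the backdoor is present: a compromise.
    report = defaultdict(
        lambda: {"root.exe": 0, "traversal": 0, "backdoor_answered": False})
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        is_backdoor = stem.endswith("/" + BACKDOOR_NAME)
        is_traversal = ".." in stem
        if not (is_backdoor or is_traversal):
            continue
        entry = report[rec["c-ip"]]
        if is_backdoor:
            entry["root.exe"] += 1
            if rec["sc-status"].startswith("2"):
                entry["backdoor_answered"] = True
        if is_traversal:
            entry["traversal"] += 1
    return dict(report)
```

        Running scan_iis_log(SAMPLE_LOG) lists the two scanning sources
        and marks the one whose root.exe request was answered with 200;
        the ordinary requests from 192.0.2.10 do not appear.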
        However, the decision to use the information described is the
        responsibility of each user or organisation.  The appropriateness
        of this document for an organisation or individual system should be
        considered before application in conjunction with local policies
        and procedures.  AusCERT takes no responsibility for the
        consequences of applying the contents of this document.

        If you believe that your system has been compromised, contact
        AusCERT or your representative in FIRST (Forum of Incident Response
        and Security Teams).

        AusCERT maintains an anonymous FTP service which is found on:
        ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
        and AusCERT Advisories, and other computer security information.

        AusCERT maintains a World Wide Web service which is found on:
        http://www.auscert.org.au/.

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for emergencies.

        Postal:         Australian Computer Emergency Response Team
                        The University of Queensland
                        Brisbane
                        Qld  4072
                        AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----