[Loch-ruadh] Nimda Virus

Spence Mabry Spence.Mabry at radioshack.com
Wed Sep 19 12:32:23 PDT 2001


It also hit us hard yesterday.

Ceatta

Thank You,
Spence Mabry, A+ Cert.
Senior Support Specialist, RadioShack Store Support Services
voice:  817-415-5948



-----Original Message-----
From: Rozell, Baron [mailto:Baron.Rozell at enron.com]
Sent: Wednesday, September 19, 2001 2:22 PM
To: loch-ruadh at ansteorra.org
Subject: [Loch-ruadh] Nimda Virus


Greetings!

Unfortunately here at work, we've been hit by the Nimda virus. So, I
thought I'd send a warning out to everyone so y'all could be forewarned.
For those who have anti-virus software, please update it.  The easiest
way to tell if you've been infected is to look for a file called
Admin.dll or Admin.exe, or for several files with the .eml extension or
the .nws extension.

If you have any questions feel free to email me at ack3 at airmail.net .


Here are some details about the virus:
<Source:
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010918-000005>
Name: Win32.Nimda.A@mm
Aliases: W32/Nimda.A
Type: File Infector & Internet Worm, written in Visual C language
Size: 57344 bytes
Risk: Medium
ITW: Yes

Disinfection:
-------------
Central Command has released a special removal tool for this particular
virus.  <http://www.centralcommand.com/toolsregister.html>

Description:
------------------
Win32.Nimda.A@mm arrives through e-mail as an attached file
(README.EXE), with the body of the mail apparently empty but which
actually contains code to use as an exploit which will execute the virus
when the user views the message (if the user is using Microsoft Outlook
or Outlook Express without the latest service packs or patches from
Microsoft). When it is installed it copies itself into the system
directory with the name load.exe. Also, it copies over the library
riched20.dll, modifying itself to be loaded as a DLL (Dynamic Link
Library). This DLL is used by applications that work with Richedit Text
Format such as Wordpad.

To be activated at every reboot the virus modifies system.ini in the
boot section by writing the following line:
shell=explorer.exe load.exe -dontrunold

In Windows NT/2000 the virus attaches a thread to explorer.exe to run its
viral code, and in Windows 95/98/ME it registers itself as a service
process. With these actions the virus remains invisible to the user.

To spread, it uses MAPI (Mailing API) functions to read the user's
e-mails, from which it extracts SMTP (Simple Mail Transfer Protocol)
server addresses and e-mail addresses. It is also able to send e-mails
without MAPI functions by connecting directly to an SMTP server.

Another method to spread is by using the Unicode Web Traversal exploit,
similar to CodeBlue. Information and a patch for this exploit are
located at:

<http://www.microsoft.com/technet/security/bulletin/ms00-078.asp>

The virus creates 200 threads and tries to send itself, using the
specified exploit, to an IIS server. Using this exploit the virus gets
control of the execution flow on that server and downloads itself under
the name admin.dll, then puts HTML code in the web page hosted by the
IIS server to download the virus. To do this it tries to modify the
files with the name:

index, main, default
and with the extension one of:
.html
.htm
.asp

Also, the virus enumerates the network resources visible to the infected
computer and tries to copy itself into shares.

When running in Windows NT/2000, the virus is capable of infecting files
by attaching the executable as a resource with raw data named f in the
virus program. When the infected file is executed the virus has control
and executes the original file so the user doesn't notice anything. This
is accomplished by dropping that f resource in a file with the same name
as the original but with a space appended, followed by .exe.

The virus reads from the registry the keys contained in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths

This key contains the paths to all applications installed in the system.
One exception of the infection routine is that the virus avoids
infecting the file winzip32.exe.

Also, when running under NT, the virus creates the user guest with no
password and adds it to the Administrators group. It creates a share for
every root directory (from C to Z) with all access rights.

The virus is able to disable the proxy by modifying the keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable 0

HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable 0

Leaving the library riched20.dll undeleted will reactivate the virus
when a program using this library is executed.

As a signature the following text can be found in the file:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

 - Conor / Bear
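The advisory above lists host-level indicators (dropped file names, the system.ini shell line, the proxy registry values, the guest account in Administrators, and the text signature). The following triage script is an added example, not part of the original mail or of Central Command's removal tool: it takes host data that has already been collected (a file listing, the text of system.ini, exported registry values, file contents, Administrators group members) and reports which of the advisory's indicators match, so it runs offline on the constructed sample data embedded below. Function names, the sample paths and the sample data are all assumptions for illustration.

```python
import re

# Indicators taken from the advisory quoted above.
DROPPED_NAMES = {"admin.dll", "admin.exe", "load.exe"}      # files the worm drops
MAIL_EXTENSIONS = {".eml", ".nws"}                           # copies it leaves behind
SIGNATURE = b"Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"
# system.ini [boot] entry the worm writes so it is relaunched at every reboot.
SHELL_LINE = re.compile(r"^shell\s*=\s*explorer\.exe\s+load\.exe\s+-dontrunold$", re.IGNORECASE)
# Registry values the advisory says the worm sets to disable the proxy.
IS_CU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
IS_CC = r"HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_VALUES = {IS_CU + r"\MigrateProxy": 1, IS_CU + r"\ProxyEnable": 0, IS_CC + r"\ProxyEnable": 0}


def suspicious_paths(paths):
    """Return (path, reason) pairs for file names the advisory associates with Nimda.

    riched20.dll is deliberately NOT matched by name: it is a legitimate system DLL that
    the worm overwrites, so it has to be judged by content (see carries_signature)."""
    hits = []
    for p in paths:
        name = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_NAMES:
            hits.append((p, "dropped worm file name"))
        elif any(name.endswith(ext) for ext in MAIL_EXTENSIONS):
            hits.append((p, "worm mail copy (.eml/.nws)"))
    return hits


def system_ini_persistence(ini_text):
    """True if the [boot] section's shell= line launches load.exe -dontrunold."""
    section = None
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "boot" and SHELL_LINE.match(s):
            return True
    return False


def proxy_tampered(registry):
    """Return the advisory's proxy-disabling values that are present with the worm's data.

    registry maps a full value path to its data, as exported from the host. ProxyEnable=0
    is also the default on a host that never used a proxy, so treat a match as corroborating
    evidence rather than proof on its own."""
    return sorted(k for k, v in PROXY_VALUES.items() if registry.get(k) == v)


def carries_signature(data):
    """True if the advisory's signature string appears in the file contents."""
    return SIGNATURE in data


def guest_in_admins(admin_members):
    """True if 'guest' is a member of the Administrators group (the NT-side change described)."""
    return any(m.strip().lower() == "guest" for m in admin_members)


def triage(paths, ini_text, registry, file_contents, admin_members):
    """Run every check and return one findings dict; empty lists / False mean no match."""
    return {
        "files": suspicious_paths(paths),
        "persistence": system_ini_persistence(ini_text),
        "proxy": proxy_tampered(registry),
        "signature": [p for p, data in file_contents.items() if carries_signature(data)],
        "guest_admin": guest_in_admins(admin_members),
    }


# Constructed sample host data (not taken from a real infection).
SAMPLE_PATHS = [r"C:\WINNT\system32\load.exe", r"C:\Inetpub\wwwroot\Admin.dll",
                r"C:\WINNT\system32\riched20.dll", r"C:\temp\readme.eml", r"C:\WINNT\notepad.exe"]
SAMPLE_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[drivers]\nwave=mmdrv.dll\n"
SAMPLE_REG = {IS_CU + r"\MigrateProxy": 1, IS_CU + r"\ProxyEnable": 0}
SAMPLE_FILES = {r"C:\WINNT\system32\riched20.dll": b"MZ" + b"\x00" * 16 + SIGNATURE + b"\x00" * 8,
                r"C:\WINNT\notepad.exe": b"MZ" + b"\x00" * 32}
SAMPLE_ADMINS = ["Administrator", "guest"]

if __name__ == "__main__":
    for check, result in triage(SAMPLE_PATHS, SAMPLE_INI, SAMPLE_REG, SAMPLE_FILES, SAMPLE_ADMINS).items():
        print(f"{check}: {result}")
```

On a real host the inputs would come from a directory walk of the system directory, web root and shares, the contents of system.ini, a registry export of the three Internet Settings values, and the Administrators group listing; the point of keeping the checks as pure functions over that data is that they can be reviewed and tested without running anything on the suspect machine.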

