[Loch-ruadh] Nimda Virus

Caerell MacDomnaill caerell at home.com
Wed Sep 19 22:23:53 PDT 2001


Not us. We use GroupWise, which so far has been immune to these viruses.

Caerell
----- Original Message -----
From: "Spence Mabry" <Spence.Mabry at radioshack.com>
To: <loch-ruadh at ansteorra.org>
Sent: Wednesday, September 19, 2001 1:32 PM
Subject: RE: [Loch-ruadh] Nimda Virus


> It also has hit us hard yesterday.
>
> Ceatta
>
> Thank You,
> Spence Mabry, A+ Cert.
> Senior Support Specialist, RadioShack Store Support Services
> voice:  817-415-5948
>
>
>
> -----Original Message-----
> From: Rozell, Baron [mailto:Baron.Rozell at enron.com]
> Sent: Wednesday, September 19, 2001 2:22 PM
> To: loch-ruadh at ansteorra.org
> Subject: [Loch-ruadh] Nimda Virus
>
>
> Greetings!
>
> Unfortunately here at work, we've been hit by the Nimda virus. So, I
> thought I'd send a warning out to everyone so y'all could be forewarned.
> For those who have anti-virus software, please update it.  The easiest
> way to tell if you've been infected is to look for a file called
> Admin.dll or Admin.exe. Another sign is several files with the .eml
> extension or the .nws extension.
>
> If you have any questions feel free to email me at ack3 at airmail.net .
>
>
> Here are some details about the virus:
> <Source: http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010918-000005>
> Name: Win32.Nimda.A at mm
> Aliases: W32/Nimda.A
> Type: File Infector & Internet Worm, written in Visual C language
> Size: 57344 bytes
> Risk: Medium
> ITW: Yes
>
> Disinfection:
> -------------
> Central Command has released a special removal tool for this particular
> virus.  <http://www.centralcommand.com/toolsregister.html>
>
> Description:
> ------------------
> Win32.Nimda.A at mm arrives through e-mail as an attached file
> (README.EXE), with the body of the mail apparently empty but which
> actually contains code to use as an exploit which will execute the virus
> when the user views the message (if the user is using Microsoft Outlook or
> Outlook Express without the latest service packs or patches from
> Microsoft). When it is installed it copies itself into the system
> directory with the name load.exe. Also, it copies over the library
> riched20.dll, modifying itself to be loaded as a DLL (Dynamically Linked
> Library). This DLL is used by applications that work with Rich Text
> Format such as Wordpad.
>
> To be activated at every reboot the virus modifies system.ini in the
> boot section by writing the following line:
> shell=explorer.exe load.exe -dontrunold
>
> In Windows NT/2000 the virus attaches a thread to explorer.exe to run its
> viral code, and in Windows 95/98/ME it registers itself as a service
> process. With these actions the virus remains invisible to the user.
>
> To spread it uses MAPI (Mailing API) functions to read the user's e-mails,
> from which it extracts SMTP (Simple Mail Transfer Protocol) server
> addresses and e-mail addresses. It is also able to send e-mails without
> MAPI functions, by connecting directly to an SMTP server.
>
> Another method to spread is by using Unicode Web Traversal exploit
> similar to CodeBlue. Information and a patch for this exploit are
> located at:
>
> <http://www.microsoft.com/technet/security/bulletin/ms00-078.asp>
>
> The virus creates 200 threads and tries to send itself, using the
> specified exploit, to an IIS server. Using this exploit the virus gets
> control of the execution flow on that server and downloads itself under
> the name admin.dll, then puts HTML code in the web page hosted by the
> IIS server to download the virus. To do this it tries to modify the
> files with the name:
>
> index, main, default
> and with the extension one of:
> .html
> .htm
> .asp
>
> Also the virus enumerates the network resources visible to the infected
> computer and tries to copy itself to shares.
>
> When running in Windows NT/2000, the virus is capable of infecting files
> by attaching the executable as a resource with raw data named f in the
> virus program. When the infected file is executed the virus has control
> and executes the original file so the user doesn't notice anything. This
> is accomplished by dropping that f resource in a file with the same name
> as the original but with a space appended, followed by .exe.
>
> The virus reads from the registry the keys contained in:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths
>
> This key contains the paths to all applications installed in the system.
> One exception of the infection routine is that the virus avoids
> infecting the file winzip32.exe.
>
> Also, when running under NT, the virus creates the user guest with no
> password and adds it to the Administrator group. It creates a share for
> every root directory (from C to Z) with all access rights.
>
> The virus is able to disable the proxy by modifying the keys:
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\MigrateProxy 1
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\ProxyEnable 0
>
> HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\ProxyEnable 0
>
> Leaving the library riched20.dll undeleted will reactivate the virus
> when a program using this library is executed.
>
> As a signature the following text can be found in the file:
> Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
>
>  - Conor / Bear
>
>
> **********************************************************************
> This e-mail is the property of Enron Corp. and/or its relevant affiliate and
> may contain confidential and privileged material for the sole use of the
> intended recipient (s). Any review, use, distribution or disclosure by
> others is strictly prohibited. If you are not the intended recipient (or
> authorized to receive for the recipient), please contact the sender or reply
> to Enron Corp. at enron.messaging.administration at enron.com and delete all
> copies of the message. This e-mail (and any attachments hereto) are not
> intended to be an offer (or an acceptance) and do not create or evidence a
> binding and enforceable contract between Enron Corp. (or any of its
> affiliates) and the intended recipient or any other party, and may not be
> relied on by anyone as the basis of a contract by estoppel or otherwise.
> Thank you.
> **********************************************************************
> _______________________________________________
> Loch-ruadh mailing list
> Loch-ruadh at ansteorra.org
> http://www.ansteorra.org/mailman/listinfo/loch-ruadh
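The indicators the forwarded advisory lists (the dropped file names Admin.dll, Admin.exe, load.exe and README.EXE, the "name .exe" trojanised copies, piles of .eml/.nws files, the system.ini shell line, the three proxy registry values and the "Concept Virus" signature string) collected into one host check, written as an added example that is not part of the mailing-list thread or of Central Command's removal tool. Every input is constructed here so it runs offline: the sample file paths, system.ini text, registry export and DLL bytes are made up, and treating five or more .eml/.nws files as "several" is an assumption.

```python
"""Host indicator check for the Nimda signs described in the forwarded advisory.

Hypothetical example code (not from the mailing list or Central Command). The
checks run over constructed sample data so the script executes offline.
"""
import re
from pathlib import PureWindowsPath

# File names the advisory says the worm drops or arrives as.
DROPPED_FILE_NAMES = {"admin.dll", "admin.exe", "load.exe", "readme.exe"}
# Extensions of the mail copies the worm leaves behind.
MAIL_DROP_EXTENSIONS = {".eml", ".nws"}
MAIL_DROP_THRESHOLD = 5  # assumption: what "several" files means here
# Text string the advisory gives as the signature inside the file.
SIGNATURE = b"Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"
# The [boot] line the worm writes so load.exe runs at every start.
SYSTEM_INI_SHELL = re.compile(
    r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\s+-dontrunold\s*$", re.IGNORECASE)
# Registry values the advisory says the worm sets to disable the proxy.
PROXY_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy": 1,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable": 0,
    r"HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable": 0,
}


def check_file_names(paths):
    """Flag dropped files, 'name .exe' copies and a large number of .eml/.nws files."""
    findings = []
    mail_drops = 0
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name in DROPPED_FILE_NAMES:
            findings.append(f"dropped file: {p}")
        elif name.endswith(" .exe"):
            # advisory: original name, a space, then .exe (the real file carries the worm)
            findings.append(f"space-before-extension executable: {p}")
        elif PureWindowsPath(name).suffix in MAIL_DROP_EXTENSIONS:
            mail_drops += 1
    if mail_drops >= MAIL_DROP_THRESHOLD:
        findings.append(f"{mail_drops} .eml/.nws files found")
    return findings


def check_system_ini(text):
    """Look for the persistence line, but only inside the [boot] section."""
    in_boot = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_boot = stripped.lower() == "[boot]"
        elif in_boot and SYSTEM_INI_SHELL.match(line):
            return [f"system.ini persistence: {stripped}"]
    return []


def check_registry(values):
    """values maps a full value path to its data, as you would get from a registry export."""
    return [f"proxy disabled: {k} = {v}" for k, v in PROXY_VALUES.items() if values.get(k) == v]


def check_signature(data):
    """Search file bytes (e.g. riched20.dll or load.exe) for the signature text."""
    return ["signature string present"] if SIGNATURE in data else []


def scan(paths, system_ini, registry, file_bytes):
    """Run every check and return the combined list of findings."""
    return (check_file_names(paths) + check_system_ini(system_ini)
            + check_registry(registry) + check_signature(file_bytes))


# ---- constructed sample input (not real host data) ----
SAMPLE_PATHS = [
    r"C:\Windows\System\load.exe",
    r"C:\Inetpub\wwwroot\scripts\Admin.dll",
    r"C:\Program Files\Accessories\wordpad .exe",
    r"C:\Windows\Notepad.exe",
] + [rf"C:\Windows\Temp\readme{i}.eml" for i in range(3)] + [
    r"C:\Windows\Temp\desktop.nws", r"C:\Windows\Temp\sample.nws"]
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\nEMMExclude=C000-CFFF\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=explorer.exe\n[386Enh]\n"
SAMPLE_REGISTRY = {  # HKEY_CURRENT_CONFIG value deliberately left unset
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy": 1,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable": 0,
}
SAMPLE_DLL = b"MZ\x90\x00" + b"\x00" * 16 + SIGNATURE + b"\x00" * 16

if __name__ == "__main__":
    for finding in scan(SAMPLE_PATHS, SAMPLE_SYSTEM_INI, SAMPLE_REGISTRY, SAMPLE_DLL):
        print("FINDING:", finding)
```

On a real machine the inputs would come from a directory walk of the system and web roots, the contents of system.ini, a registry export and the bytes of riched20.dll; the section-aware system.ini parse matters because a plain `shell=explorer.exe` line is normal and must not be flagged.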



