Skinbase.org

Virus Warnings

By grimspoon
755 views 16 replies
grimspoon (OP)
BTW... that security scan is free
scarebear
Been there :(
koasati
A search for the nimbda virus on the Symantec site came up with no results... so the scan isn't going to find it on your system... :(
scarebear
I've formatted my hard drive 5 times since I got that virus, mainly just overkill on my part :) And I can never get my system as happy as it was before :(
grimspoon
Hey Randy... actually, that scan just found another 4 HTML pages that were edited by the worm in some of my backup files, while my local copy or Norton couldn't detect them lol

And Jason, yeah, next is formatting and a new install. I'm just going through all the backup disks making sure it's nowhere to be found when I crank up my new OS.
scarebear
33170 files scanned, 0 file(s) infected

phew! :)
Gregor Klevže
The following text was taken from: http://news.ninemsn.com.au/sci_tech/story_8055.asp

The Nimda computer virus affected some 8.3 million computer networks around the world and caused $US590 million in damage, a security firm said Tuesday.

Michael Erbschloe, vice president of research for Computer Economics in Carlsbad, California, said the bug closed down many e-mail servers and that many networks faced the tedious job of cleaning up computers one at a time.

"Overall we are getting close to a textbook model of response to a fast-moving bug," said Erbschloe.
"Some people are calling Nimda another wake-up call, but if Nimda had a destructive payload it would have been a messenger sent by Satan.

This would have easily cost well over three billion dollars in cleanup costs and another three billion in lost productivity if there was a killer payload and if there were no automated processes in place to eradicate the bug."

The virus spread through e-mail attachments and through vulnerable Internet Information Server (IIS) servers.

People also infected their computers simply by accessing an infected Internet page that contains altered web pages containing the bug.
craeonics
"The virus spread through e-mail attachments"

Translation: Outlook

"and through vulnerable Internet Information Server (IIS) servers"

Translation: MS sheep

"People also infected their computers simply by accessing an infected Internet page that contains altered web pages containing the bug"

Translation: IE users

I am untouchable.
grimspoon
thanks gRAVE =)

yeah crae, because I use LS and not Explorer on my main box, the worm apparently had a problem hiding. I was stupid tho... I didn't realise what was going on even until I did my backup (on CDs, overwriting my old and uninfected files)... well, luckily I haven't lost any irreplaceable docs, but the clean-up job was fun... I learned a lot 8)
chichigirl46
me is back, so now I have to make up for lost time lol. I'll bet you really missed this pain in the backside lol. I couldn't have had a worse week if I tried :-( I have had nothing but trouble with these different CD-RW drives; this time while I was backing up my files, my D:\ drive disappears, I mean it left my computer and all directions I took failed. It also took with it a file named ACSIP? I think that was the name; it's a file that reads your computer and without it you're going nowhere... Even some computer techs could not find either one... I think craeonics ate it lol. So I lost quite a bit for not keeping up with my backups. Now it's spend time replacing what I can, and then hobnobber wants puter time for taxes :-( Sorry to hear all the virus problems!
chichigirl46
Soooooooo I have a question referring to the topic here... Example: if one has a virus on their computer and takes infected files and uploads them, like skins to a skin site, have they now infected the skin site? Could not a worm or so creep into one's computer from a download on the site, or even from the skin download itself?
craeonics
A virus can only do something if it is executed. Or in other words, a virus is executable code; it needs to be run. A .zip however is not executable code, it's plain data. So uploading the .zip to the server won't do anything to the server, nor does downloading and using it... as long as there is no executable code in there.

And yeah, I think I ate that file, was it called aspi.sys?
grimspoon
crae, I have news for you... Nimda can use ActiveX features to launch itself from an HTML or EML page. So in theory, you could upload the virus in the zip file if, for example, the zip file has already been infected and the ReadMe.txt was changed to ReadMe.exe.

And that's what worries me about these new 'clever' trojans... the only way to be sure is to scan your zip files and make sure you have your virus definitions updated regularly.

Anyhow, here is an extract from Symantec:

Distribution:

Name of attachment: README.EXE (This file may NOT be visible as an attachment in the email received)
Size of attachment: 57344
Ports: 69
Shared drives: Opens network shares
Target of infection: Attempts to infect unpatched IIS servers

Technical description:

Infection by way of a Web Server

W32.Nimda.A@mm attempts to infect unpatched Microsoft IIS web servers. On Microsoft IIS 4.0 and 5.0, it is possible to construct a URL that would cause IIS to navigate to any desired folder on the logical drive that contains the web folder structure, and access files in it. A patch and information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.

Successful exploitation of the Directory Traversal Vulnerability gives the attacker the ability to install and run code, as well as add, change or delete files or web pages on the compromised server. The limitations of the original vulnerability include:

1. The server configuration. The vulnerability only allows files to be accessed if they reside on the same logical drive as the web folders. For example, if a Web administrator had configured the server so that the operating system files were installed on the C drive and the Web folders were installed on the D drive, the attacker would be unable to use the vulnerability to access the operating system files.
2. The attacker must be logged onto the server interactively.
3. The privileges gained would be only those of a locally-logged-on user. The vulnerability only would allow the malicious user to take actions in the context of the IUSR_machinename account.

However, by using the W32.Nimda.A@mm worm as a delivery mechanism, the attacker is able to compromise a vulnerable IIS server remotely and, once compromised, create a local account on the targeted server with administrator privileges regardless of which drive the IIS server is installed on. The worm uses directory traversal techniques to access cmd.exe on unpatched IIS servers. The worm also attempts to use IIS servers that had previously been compromised by CodeRed II to propagate and to access root.exe from the inetpub/scripts directory.

NOTE: If Norton AntiVirus RealTime protection is detecting files such as "TFTP34%4.txt" as infected with W32.Nimda.A@mm in your inetpub/scripts folder, you may have been previously exposed to CodeRed II. It is recommended that you download and execute the CodeRed removal tool to make sure that your system has been cleaned of the CodeRed II threat. The tool can be found here.

The worm searches for Web servers using randomly generated IP addresses. Using the Unicode Web Traversal exploit, the worm copies itself to the Web server as admin.dll via TFTP. Infected machines create a listening TFTP server (port 69/UDP) to transfer a copy of the worm.

This file is then executed on the Web server and copied to multiple locations. In addition to this exploit, the worm attempts to exploit already compromised web servers using the files root.exe or cmd.exe that are located in remotely executable web directories.

The worm then attempts to modify files named default, index, main or readme, or files with the extensions .htm, .html, or .asp, by adding JavaScript. The JavaScript causes visitors who open infected pages to be presented with Readme.eml, which was created by the worm. Readme.eml is an Outlook Express email file with the worm as an attachment. The email messages utilize the MIME exploit. Thus, a computer may be infected simply by browsing the infected Web page.

System Modifications

When executed the worm determines from where it is being executed. The worm then overwrites Mmc.exe in the \Windows folder, or creates a copy of itself in the Windows Temporary folder.

The worm then infects executables, creates itself as .eml and .nws files, and copies itself as Riched20.dll in folders that contain .doc files on the local drive. The worm searches for files in the paths listed in the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

The worm hooks the system by modifying the System.ini file as follows:

Shell = explorer.exe load.exe -dontrunold

It also replaces the file Riched20.dll. Riched20.dll is a legitimate Windows .dll file that is used by programs such as Microsoft Word. By replacing this file, the worm is executed each time programs such as Microsoft Word are executed.

The worm also registers itself as a service process or adds itself as a remote thread to the Explorer process. This allows the worm to continue to execute even when a user is not actively logged on.

The worm copies itself as the file:

%Windows\System%\load.exe

NOTE: %Windows\System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System) and copies itself to that location.

Next, the worm creates open network shares for all drives on the computer by modifying the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$ -> Z$]

A reboot of the computer is required for these settings to take effect.

The worm searches for all open shares on the network by iterating through Network Neighborhood and by utilizing randomly generated IP addresses. All files on any open network shares are examined for possible infection. All .exe files are infected by the worm except Winzip32.exe.

Next, .eml and .nws files are copied to the open network shares and the worm copies itself over as Riched20.dll to any folder that contains .doc files.

The worm changes Explorer settings to not show hidden files and known file extensions.

The worm adds the user Guest under the groups Guests and Administrators. This gives the Guest account Administrative privileges. In addition, the worm actively shares C$ = C:\. No reboot is required.

Mass-Mailer

Nimda contains a mass-mailing routine which is executed every 10 days. The worm begins this routine by first searching for email addresses. The worm searches for email addresses in .htm and .html files on the local system. The worm also uses MAPI to iterate through all messages that are contained in any MAPI-compliant email clients. Any MAPI-supporting email clients may be affected, including Microsoft Outlook and Outlook Express. The worm uses these email addresses for the To: and the From: addresses. Thus, mail sent from the infected computer will appear to have been sent by the people whose addresses have been found by Nimda, not by the person whose computer is infected.

The worm uses its own SMTP server to send out emails, using the configured DNS entry to obtain a mail server record (MX record).

When the worm is received by email, the worm uses an old, known MIME exploit to auto-execute itself. The worm will be unable to execute using Microsoft Outlook or Outlook Express if the system has been patched against this exploit. Information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Infecting Executables

The worm also attempts to infect .EXE files. First, the worm checks to see if the file is already infected. If the file is not infected, the worm makes a copy of itself in the Temporary directory. The victim file is embedded inside the copy. This new file is then copied over the victim file, replacing the originally clean file with an infected version. Infected executables will be approximately 57344 bytes larger. When an infected file is executed, the worm will extract the original clean file to a temporary file and execute it along with itself. Thus, one may not notice their executable has become infected.

During execution, the worm may attempt to delete copies of itself. If the file is in use or locked, the worm will create the file Wininit.ini with an entry to delete itself upon reboot.

When infecting files, the worm may create two temporary files in the Windows Temporary folder as:

mep[nr][nr][letter][nr].TMP.exe
mep[nr][nr][letter][nr].TMP

Both files will be hidden and have the system attribute set.

Ports used by this worm are listed below. It should be noted that these are all standard ports.
TCP 25 (SMTP) - used to send email to targets with addresses taken from the compromised client.
TCP 69 (TFTP) - opens port 69/udp for the TFTP transfer of admin.dll for the IIS infection. As part of this protocol it makes outgoing connections to transfer the files.
TCP 80 (HTTP) - uses this port to target vulnerable IIS servers.
TCP 137-139, 445 (NETBIOS) - used in the transmission of the worm.

Additionally, the worm watches for connections carrying a particular sequence of bytes and then opens a port specified in the incoming connection request. This port is not restricted to any particular range.

The worm contains bugs and can be resource intensive. Thus, not all actions may occur and system instability may be noticeable.

Removal instructions:

Symantec Security Response has posted a tool to remove infections caused by W32.Nimda.A@mm. Please go here to download the tool.

NOTE: Once a computer has been attacked by W32.Nimda.A@mm, it is possible that your system has been accessed remotely by an unauthorized user. For this reason it is impossible to guarantee the integrity of a system that has had such an infection. The remote user could have made changes to your system, including but not limited to the following:

Stealing or changing passwords or password files
Installing remote-connectivity host software, also known as backdoors
Installing keystroke logging software
Configuring of firewall rules
Stealing of credit card numbers, banking information, personal data, and so on
Deletion or modification of files
Sending of inappropriate or even incriminating material from a customer's email account
Modifying access rights on user accounts or files
Deleting information from log files to hide such activities

If you need to be certain that your organization is secure, you must reinstall the operating system, restore files from a backup that was made before the infection took place, and change all passwords that may have been on the infected computers or that were accessible from it. This is the only way to ensure that your systems are safe. For more information regarding security in your organization, contact your system administrator.
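The directory traversal in the Symantec extract above worked because IIS 4/5 decoded request paths permissively: a `..\` hidden behind an overlong UTF-8 sequence such as `%c0%af` or `%c1%1c` (the MS00-078 "Unicode" bug) or behind double encoding such as `%255c` (a second IIS decoding bug, patched separately) slipped past the check for `..` but still resolved to a parent directory by the time the file system was reached, so a request like `/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir` ran cmd.exe. The script below is an added example for this thread, not code from the original post, from Symantec or from Microsoft: it reproduces that lenient decoding in Python so that web-server log lines can be normalised the way the unpatched server effectively saw them, then flags any request that escapes the web root or reaches `cmd.exe` / `root.exe`. The log lines are constructed for the example in common log format; their request paths follow the shapes the extract describes (traversal to cmd.exe, root.exe under /scripts) and are not captured traffic.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample log lines for this example (common log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:14:02:11 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.11 - - [18/Sep/2001:14:02:12 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
192.0.2.11 - - [18/Sep/2001:14:02:12 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0
192.0.2.12 - - [18/Sep/2001:14:02:13 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0
192.0.2.13 - - [18/Sep/2001:14:02:14 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0
192.0.2.14 - - [18/Sep/2001:14:02:15 +0000] "GET /images/logo.gif HTTP/1.0" 200 2310
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SHELL_RE = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)


def lenient_utf8(data: bytes) -> str:
    """Decode bytes the way the vulnerable IIS decoder did: any 2-byte lead
    (0xC0-0xDF) is combined with the following byte without checking that the
    form is shortest or that the second byte is a continuation byte. Hence
    %c0%af -> '/', %c1%1c -> '\\' and %c1%9c -> '\\', all of which strict
    UTF-8 rejects."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def normalize_path(target: str) -> str:
    """Canonicalise a request target as the unpatched server effectively did:
    drop the query string, percent-decode twice (IIS decoded once for the
    access check and again before use, which is what lets %255c through),
    treat backslash as a separator and resolve '.' and '..' segments. Any
    '..' left at the front means the path escaped the web root."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = lenient_utf8(unquote_to_bytes(path))
    path = path.replace("\\", "/")
    parts: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts and parts[-1] != "..":
                parts.pop()
            else:
                parts.append("..")  # keep the escape above the root visible
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def classify(target: str) -> Optional[Tuple[str, str]]:
    """Return (verdict, normalised path) for a suspicious request, else None."""
    norm = normalize_path(target)
    if norm.startswith("/.."):
        return "traversal outside web root", norm
    if SHELL_RE.search(norm):
        return "command shell probe", norm
    return None


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Scan log text; return (line number, verdict, normalised path) per hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group("target"))
        if verdict:
            hits.append((n, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for n, verdict, norm in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {norm}")
```

The decoder is deliberately as sloppy as the bug it models. Against a patched server's logs that makes some requests look worse than they were, which is exactly what you want when hunting retrospectively: the question is not "was the request well formed" but "what would the unpatched server have executed". The 404 on the root.exe probe in the sample shows why a status code alone is not a clean signal: the probe is worth recording even when it misses, because it tells you the source host is already infected.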
grimspoon
actually... I still haven't been able to find this line in the WinXP registry... hehe

Shell = explorer.exe load.exe -dontrunold

where the hell did they put this command!?!?
craeonics
Using ActiveX is executable code. Anyway, one of Microsoft's major fuck-ups is hiding file extensions by default. And another one is enabling scripting in email (stupid!).
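The question earlier in the thread (can an infected skin archive carry the worm to the site and on to whoever downloads it?) comes down to what is inside the zip, and the two posts above point at the two ways it hides: a runnable file behind a hidden second extension, and the worm's own .eml / .nws drop files. The following is an added example, not code from the original thread: a small Python audit of a zip archive that flags runnable extensions (including the `ReadMe.txt.exe` trick), the mail/news file types the Symantec extract says the worm writes, and any entry that starts with an MZ executable header whatever its name says. The archive is constructed in memory for the example; its "executables" are just an MZ header plus padding, not real malware.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows runs directly, plus the drop-file types named in the
# Symantec write-up above (.eml/.nws open in Outlook Express).
RUNNABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll", ".vbs", ".js"}
WORM_DROP_EXT = {".eml", ".nws"}


def build_sample_skin_zip() -> bytes:
    """Constructed sample archive for this example: a harmless skin plus the
    kinds of files the thread worries about."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("skin.ini", "[Theme]\nname=blue\n")
        z.writestr("wallpaper.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        z.writestr("ReadMe.txt.exe", b"MZ" + b"\x00" * 62)   # hidden-extension trick
        z.writestr("readme.eml", "MIME-Version: 1.0\n")       # worm-style drop file
        z.writestr("notes.txt", b"MZ" + b"\x00" * 62)         # executable under a data name
    return buf.getvalue()


def audit_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every entry that could execute or
    that matches the worm's drop-file types. Plain data entries are skipped."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            lower = name.lower()
            parts = lower.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            with z.open(info) as fh:
                head = fh.read(2)
            if ext in RUNNABLE_EXT:
                reason = "runnable extension"
                # e.g. ReadMe.txt.exe: Explorer shows it as ReadMe.txt when
                # known extensions are hidden (the Nimda default, as above)
                if len(parts) > 2 and "." + parts[-2] not in RUNNABLE_EXT:
                    reason += " hidden behind a second extension"
                findings.append((name, reason))
            elif ext in WORM_DROP_EXT:
                findings.append((name, "mail/news file, opened by Outlook Express"))
            elif head == b"MZ":
                # content check catches renamed executables the extension rules miss
                findings.append((name, "PE/MZ header under a non-executable extension"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_zip(build_sample_skin_zip()):
        print(f"{entry}: {reason}")
```

The extension list is the cheap check; the MZ header check is the one that matters for the scenario grimspoon describes, where an already infected executable is renamed before it goes into the archive. Neither replaces a signature scan of the extracted files, which is the only way to tell an infected .exe from a clean one.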
0
Grim ~ Found this listed here:

http://www.avien.org/nimda-info.htm

9. Check system.ini (yes, in Win2K/XP too - it's not there by default but if someone adds it the system will pay attention to it) for:
"shell=explorer.exe load.exe -dontrunold" (without the quotes)
and delete all after explorer.exe

There are like 15 steps but that appears to be the last big one.
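The line grimspoon could not find is not a registry value: it lives in the [boot] section of system.ini, which Windows 2000/XP still honour even though they do not write it by default, exactly as the avien.org step says. The following is an added example, not code from the thread or from avien.org: a small Python checker that parses system.ini text, reports anything that follows the shell executable on that line (the `load.exe -dontrunold` hook) and produces the cleaned contents, i.e. "delete all after explorer.exe". It treats the first token as the configured shell rather than assuming explorer.exe, because on a box running an alternative shell that line legitimately names it and must not be flagged. The sample system.ini content is constructed for the example; the usage line's path `C:\WINDOWS\system.ini` is the usual location and is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample system.ini for this example, not a capture from a real machine.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=explorer.exe load.exe -dontrunold
drivers=mmsystem.dll

[386Enh]
woafont=dosapp.fon
"""

SHELL_LINE_RE = re.compile(r"^(\s*shell\s*=\s*)(.*?)\s*$", re.IGNORECASE)


def find_shell_hook(ini_text: str) -> Optional[Tuple[int, str, List[str]]]:
    """Return (line number, shell, extra tokens) when the Shell= line in
    [boot] launches anything beyond the shell executable itself; None when
    the line is absent (the Win2K/XP default) or carries only the shell."""
    section = None
    for n, line in enumerate(ini_text.splitlines(), 1):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].strip().lower()
            continue
        if section != "boot":
            continue  # only [boot] shell= is honoured by Windows
        m = SHELL_LINE_RE.match(line)
        if not m:
            continue
        tokens = m.group(2).split()
        if len(tokens) > 1:
            return n, tokens[0], tokens[1:]
        return None  # just the shell, nothing hooked behind it
    return None


def clean_shell_line(ini_text: str) -> str:
    """Return ini_text with everything after the shell executable removed
    from the hooked line; all other lines, and the line ending, are kept."""
    hit = find_shell_hook(ini_text)
    if hit is None:
        return ini_text
    n, shell, _ = hit
    lines = ini_text.splitlines(keepends=True)
    old = lines[n - 1]
    newline = "\r\n" if old.endswith("\r\n") else ("\n" if old.endswith("\n") else "")
    prefix = SHELL_LINE_RE.match(old).group(1)
    lines[n - 1] = prefix + shell + newline
    return "".join(lines)


if __name__ == "__main__":
    # Assumed location for a real check: C:\WINDOWS\system.ini (or C:\WINNT on 2K)
    hit = find_shell_hook(SAMPLE_SYSTEM_INI)
    print("hooked:", hit)
    print(clean_shell_line(SAMPLE_SYSTEM_INI), end="")
```

Cleaning the line only stops the worm from being relaunched through the shell; load.exe, the replaced Riched20.dll and the infected executables listed in the Symantec extract are separate steps, and the extract's own note about the machine having been remotely accessible still applies.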