Mrcorp.Net Security

NIMDA WORM

Description

On September 18th, this worm was first reported. It attempts to infect by one of the three methods below:

" Email: It attempts to infect others by sending copies of the worm via email.
" Servers: Infected machines look for web servers to infect as well as exploiting IIS servers. Once a web server is infected, it will attempt to infect any user who visits it.
" File Shares: Infected machines look for other machines that allow anyone to write information to and will write the infection to them.

Protection
EMAIL
The worm sends copies of itself to email addresses found in your inbox and the address book as an attachment called readme.exe. The attachment is actually encoded as a MIME "multipart-alternative" message with two sections. The first section is defined as MIME type "text/html", and the second section is defined as MIME type "audio/x-wav". The second section actually contains the malicious executable file. Simply opening the infected email itself is enough to infect your machine, eliminating the need for users to have to open the attachments. This happens because the worm MIME encodes the attachment to take advantage of a known vulnerability called "Automatic Execution of Embedded MIME Types". Microsoft's Outlook and Outlook Express are the most typical victims.

Recommendation
Upgrade to the following:
IE 5.01 Service Pack 2
IE 5.5 Service Pack 2
IE 6
Or, apply the security patch to IE 5.01 and 5.5 pre-service pack 2. This patch can be located at: http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

IIS
The worm looks for and attacks IIS 4 and IIS 5 servers. It looks for two different vulnerabilities. First it looks for the Code Red II worm has infected its target. The reason for this is that Code Red II creates a backdoor to the system, and if Nimda finds that Code Red II has infected the target, it will use Code Red's back door to infect the target.
The second vulnerability it checks for is the "Web Server Folder Traversal" vulnerability.

Recommendation
We have to now consider two vulnerabilities on our servers. So to fix the Code Red II back door hole, see the following Microsoft fixes:
" MS01-033 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
" MS01-044 - http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
" Security Rollup package for NT 4 - http://www.microsoft.com/ntserver/nts/downloads/critical/q299444/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D31240%26redirect%3Dno
" IIS Lockdown Tool - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
" URL Scan Tool - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp

For the "Web Server Folder Traversal" vulnerability, apply the following:
" Install Service pack 2 for Windows 2000
" Security Rollup package for NT 4 - http://www.microsoft.com/ntserver/nts/downloads/critical/q299444/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D31240%26redirect%3Dno
" IIS Lockdown Tool - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
" URL Scan Tool - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp
" MS00-057 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-057.asp
" MS00-078 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp
" MS00-86 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-086.asp

File Shares
The worm will try to spread itself through file shares. By default, windows only allows authorized users to access files on the system. However, if a trusted user has authorization and is infected, this can be an infection method.

Recommendation
" Remove unnecessary file shares
" Remove unnecessary user access
" Strong password on the Administrator account