Email Worm Launches Attack
Auto-executing menace seeks vulnerabilities
Step-by-Step Infection Routine:

Windows NT/2000 IIS Server infection

  • Downloads a file, ADMIN.DLL, using tftp. (The file is served from another already-infected server, which has scanned for and found a susceptible system.)
  • Activates the guest account and adds it to the Local Admin group.
  • Shares C$
  • Copies itself to C, D, and E drives
  • Mass-mails itself using SMTP to any email addresses found on the system
  • Creates README.EXE file
  • Modifies the .htm, .html, and .asp files to include malicious JavaScript responsible for auto-downloading the README.EXE file to site visitors.
  • Copies sample.nws, sample.eml, desktop.eml, desktop.nws (all of which contain the README.EXE file) to each shared directory.
  • Infects other .EXE files on the system.
  • Begins scanning for other vulnerable servers to infect. Once found, the above process repeats on the newly discovered server.
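The two server-side indicators above that a defender can check on disk are the JavaScript injected into .htm/.html/.asp pages (it references the README.EXE payload) and the carrier files (sample.nws, sample.eml, desktop.eml, desktop.nws) copied into shared directories. The following Python script is an added example, not code from the original article or from any of the vendor analyses it links to; it builds a small constructed directory tree, then scans web content for script blocks that reference those file names and lists any file whose name matches the drop list. The injected-script sample it creates is a placeholder string, not the worm's actual script, which the page does not reproduce.

```python
import re
import tempfile
from pathlib import Path

# File names the article lists as dropped by the worm: the README.EXE payload
# and the .eml/.nws carriers that contain it. Compared case-insensitively,
# since Windows file systems are case-insensitive.
DROPPED_FILES = {"readme.exe", "sample.eml", "sample.nws",
                 "desktop.eml", "desktop.nws"}
# Page types the article says the worm modifies.
WEB_EXTENSIONS = {".htm", ".html", ".asp"}

# A <script ...> ... </script> block, matched across lines.
SCRIPT_BLOCK = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
# Any dropped file name appearing inside a script block.
PAYLOAD_REF = re.compile("|".join(re.escape(n) for n in DROPPED_FILES), re.IGNORECASE)


def scan_web_content(root):
    """Return sorted paths of web pages whose <script> blocks reference a dropped file."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        text = path.read_text(errors="replace")
        if any(PAYLOAD_REF.search(block) for block in SCRIPT_BLOCK.findall(text)):
            hits.append(str(path))
    return sorted(hits)


def find_dropped_files(root):
    """Return sorted paths of files whose name matches one of the worm's drop names."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and p.name.lower() in DROPPED_FILES)


def build_sample_tree():
    """Constructed demo tree (hypothetical, for this example only): one clean page,
    one page with an injected script block referencing README.EXE, and one carrier
    file in a 'shared' directory. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    site = Path(root, "wwwroot")
    site.mkdir()
    (site / "index.html").write_text("<html><body>clean page</body></html>\n")
    (site / "about.asp").write_text(
        "<html><body>page</body></html>\n"
        # Placeholder marker only; the real injected script is not reproduced here.
        '<script language="JavaScript">/* constructed marker */ var f = "README.EXE";</script>\n')
    share = Path(root, "share")
    share.mkdir()
    (share / "sample.eml").write_bytes(b"constructed placeholder, not a real carrier\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print("pages with injected script:", scan_web_content(demo_root))
    print("dropped files found:", find_dropped_files(demo_root))
```

On a real server the two functions would be pointed at the IIS web root and at every shared directory; a hit on either list is a reason to take the host offline and apply the patches listed further down, since the injected pages keep re-infecting visitors until they are cleaned.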

Windows 95/98/NT/2000 PCs

  • User receives infected file, README.EXE, via email. In unpatched Outlook and Outlook Express mail clients, the email attachment automatically executes when the user opens the email (Outlook) or simply previews it (Outlook Express); or
  • User visits an infected web site and on unpatched systems the README.EXE file is automatically downloaded and executed; or
  • On patched systems, the user receives the README.EXE file either via email or the web and opens it.
  • The worm then copies itself into the Windows\System directory with the name LOAD.EXE
  • The worm copies over the library RICHED20.DLL, modifying itself to be loaded as a DLL (Dynamic Link Library). This DLL is used by applications that work with Rich Text Format, such as WordPad.
  • Modifies the [boot] section of SYSTEM.INI so that the shell line reads:
    shell=explorer.exe load.exe -dontrunold
    This effectively adds a thread to Explorer.exe and allows the worm to be reloaded on every reboot.
  • Infects other .EXE files on the system.
  • Mass-mails via SMTP to email addresses found on the user's system.
  • Also attempts to spread via the Unicode Web Traversal exploit, in a similar fashion to the CodeBlue worm. (CodeBlue is a variant of CodeRed.)
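The SYSTEM.INI modification above is the one persistence indicator on the PC side that can be checked with a plain text parser. The following Python script is an added example, not part of the original article: it parses the [boot] section of a SYSTEM.INI file and reports any executable or argument appended after explorer.exe on the shell line, which is exactly the change the worm makes. The two INI contents it tests against are constructed samples, not copies of real files.

```python
# The only program that should appear on a stock Windows 9x/NT/2000 shell line.
CLEAN_SHELL = "explorer.exe"

# Constructed sample SYSTEM.INI contents (hypothetical, for this example only).
CLEAN_INI = """\
[boot]
shell=explorer.exe
[386Enh]
device=vmm32.vxd
"""
INFECTED_INI = """\
[boot]
shell=explorer.exe load.exe -dontrunold
[386Enh]
device=vmm32.vxd
"""


def parse_ini(text):
    """Minimal .ini parser: {section: {key: value}} with lower-cased section and key
    names. Blank lines and ';' comments are skipped; values keep their original case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_boot_shell(ini_text):
    """Return the tokens on the [boot] shell= line that should not be there.

    An empty list means the line is the expected 'shell=explorer.exe'. If the
    first token is not explorer.exe the whole line is returned, since the shell
    itself has been replaced."""
    shell = parse_ini(ini_text).get("boot", {}).get("shell", "")
    tokens = shell.split()
    if not tokens:
        return ["<missing shell= entry>"]
    if tokens[0].lower() != CLEAN_SHELL:
        return tokens
    return tokens[1:]


if __name__ == "__main__":
    for label, content in (("clean", CLEAN_INI), ("infected", INFECTED_INI)):
        extra = check_boot_shell(content)
        print(f"{label}: {'OK' if not extra else 'suspicious tokens ' + str(extra)}")
```

On a live system the same function would be run on the contents of the real SYSTEM.INI in the Windows directory; any extra token is worth investigating, and the specific pair "load.exe -dontrunold" matches the modification this worm makes.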

Necessary patches
Nimda takes advantage of numerous known security vulnerabilities. Web servers running Microsoft IIS should immediately be patched with the August 2001 roll-up patch:
Microsoft Security Bulletin (MS01-044)

Internet Explorer 5.01 and 5.50 users should immediately patch their systems with the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment security patch released May 25, 2001:
Microsoft Security Bulletin (MS01-020)

Outlook and Outlook Express clients should be configured to use the Restricted Sites Zone. Details for configuring security settings in these mail clients can be found in the Email Help Center.

Browser security settings should be set to the highest security level (in Internet Explorer, the Restricted Sites Zone) to prevent file downloads from occurring automatically.

©2009 About.com, a part of The New York Times Company.

All rights reserved.