THIS VIRUS IS REAL AND BAD............

Old 19th Sep 2001, 10:54
  #1 (permalink)  
lame
Guest
 
Posts: n/a
THIS VIRUS IS REAL AND BAD............

------------------------------------------------------------
** VIRUS ALERT - W32/Nimda@MM **
------------------------------------------------------------

McAfee.com has seen a large and growing number of systems
infected with the W32/Nimda@MM. This is a HIGH RISK virus
that is spread via email. W32/Nimda@MM also spreads via open
shares, the Microsoft Web Folder Transversal vulnerability
(also used by W32/CodeBlue), and a Microsoft content-type
spoofing vulnerability.

The email attachment name VARIES and may use the icon for an
Internet Explorer HTML document.

It will also attempt to spread itself as follows:

- The email messages created by the worm include content
that allows the worm to execute the attachment even if
the user does not open it.
- It modifies HTML documents, so that when this infected
window is accessed (locally or remotely), the machine
viewing the page is then infected.

Once infected, your system is used to seek out others to
infect over the Web.

AVERT is currently analyzing this threat and will post more
details online shortly.
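The alert above says the worm's mail can run its attachment without the user opening it, via a Microsoft content-type spoofing bug. The following is an added example, not code from the thread or from McAfee: a mail-gateway style check that flags a MIME part whose declared audio content type (Nimda used audio/x-wav) wraps a Windows executable. The sample message, addresses and filenames are constructed for the demonstration.

```python
"""Flag MIME parts whose declared content type does not match an executable attachment.

Added example, not code from the thread or from McAfee: a mail-gateway style
check for the content-type trick the alert refers to, where a message declares
an attachment as audio (Nimda used audio/x-wav) although the attachment is a
Windows executable. The sample message below is constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".pif", ".com")
MZ_MAGIC = b"MZ"  # first two bytes of a DOS/PE executable


def suspicious_parts(raw_message: bytes) -> list[dict]:
    """Return one finding per body part that looks like a disguised executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        # Declared as audio, but the attachment name says executable.
        if ctype.startswith("audio/") and filename.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("audio content-type with an executable filename")
        # Declared as something other than application/*, but the bytes are a PE/DOS image.
        if payload[:2] == MZ_MAGIC and not ctype.startswith("application/"):
            reasons.append("executable header under a non-application content-type")
        if reasons:
            findings.append({"content_type": ctype, "filename": filename, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Construct a message with one genuine wav part and one disguised executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"       # constructed address
    msg["To"] = "recipient@example.invalid"      # constructed address
    # No Subject header on purpose: the alert notes the worm's mails often have none.
    msg.set_content("constructed sample body")
    msg.add_attachment(b"RIFF\x00\x00\x00\x00WAVEfmt ", maintype="audio",
                       subtype="x-wav", filename="tone.wav")
    # Spoofed part: declared audio/x-wav, but carries an MZ header and an .exe name.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="audio",
                       subtype="x-wav", filename="readme.exe")
    return bytes(msg)


if __name__ == "__main__":
    for f in suspicious_parts(build_sample_message()):
        print(f"{f['filename']} ({f['content_type']}): {'; '.join(f['reasons'])}")
```

Only the disguised part is reported; the genuine wav attachment passes both checks. In a real gateway the same two tests (declared type versus filename, declared type versus magic bytes) would run on every part before the message reaches a client that trusts the declared type.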
 
Old 19th Sep 2001, 11:20
  #2 (permalink)  
 
Join Date: Oct 1998
Location: Kalgoorlie, W.A. , Australia
Age: 86
Posts: 458
Likes: 0
Received 0 Likes on 0 Posts

Was about to email you to make this post mate.

The above was posted from McAfee on Tue, 18 Sep 2001 17:24:51 -0700

As Lame's post's title says this one is for real & more invasive than previous worms.

Moderators please don't move this thread to computers until everybody's had a chance to see it. Thanks.
Pom Pax is offline  
Old 19th Sep 2001, 11:45
  #3 (permalink)  
lame
Guest
 
Posts: n/a

Pom Pax,

Thank you.

Woomera has agreed previously that these things affect ALL PPRuNers, and posts warning of them ARE okay.

Best regards,

"lame"


 
Old 19th Sep 2001, 12:06
  #4 (permalink)  
Seasonally Adjusted
 
Join Date: Nov 2000
Location: ...deep fine leg
Posts: 1,125
Received 0 Likes on 0 Posts

Pompax...when would you find the time to sit down in front of a computer?

TQ, formerly Kookus.
Towering Q is offline  
Old 19th Sep 2001, 16:18
  #5 (permalink)  
 
Join Date: Jan 1999
Location: Australia
Posts: 56
Likes: 0
Received 0 Likes on 0 Posts

So what exactly does this worm do?
Does it destroy/alter files in some way?

Turbofan
Turbofan is offline  
Old 20th Sep 2001, 02:42
  #6 (permalink)  
 
Join Date: Feb 2001
Location: Melbourne, Australia
Age: 84
Posts: 492
Likes: 0
Received 0 Likes on 0 Posts

LAME:- Thanks for the virus info but, on a more important note, have you heard anything about your friends in the U.S.?

Kind regards,

TheNightOwl.
TheNightOwl is offline  
Old 20th Sep 2001, 05:19
  #7 (permalink)  
lame
Guest
 
Posts: n/a

TheNightOwl,

No, nothing yet?

From those latest aerial pictures, it appears our apartment block is still standing, so hopefully those people are okay.

Of course many people that we met on a daily basis in the WTC are gone, from the people in the bank, to the people on both the NY and PATH Subways, Chemist and Doctors etc etc, VERY SAD time..........

That is why I was getting a little emotional and upset on those threads the other night, which I now avoid, I just cannot begin to understand how anyone can defend the Monsters that did that to Manhattan.

Best regards,

"lame"
 
Old 20th Sep 2001, 05:32
  #8 (permalink)  
lame
Guest
 
Posts: n/a

Turbofan,

You just had to ask?

Now "please explain" it.......

Best regards,

"lame"

This threat can infect all unprotected users of Win9x/NT/2000/ME.

This is a HIGH RISK virus that is spread via email. The infected email can come from addresses that you recognize. W32/Nimda@MM also spreads via open shares, the Microsoft Web Folder Transversal vulnerability (also used by W32/CodeBlue), and a Microsoft content-type spoofing vulnerability. The email attachment name varies and may use the icon for an Internet Explorer HTML document.

Microsoft Outlook users - we recommend that you disable the Preview Pane. Viewing email messages with the Preview Pane can cause the virus to activate.

Customizing the program file extension list using VirusScan 4.5 (and higher) may result in a lack of protection against this Trojan. As always, AVERT recommends that users configure VirusScan to scan all files. If this is not an option in your environment, the default extension list should be used.




Payload - What can this virus do?

Its main goal is simply to spread over the Internet and Intranet, infecting as many users as possible and creating so much traffic that networks are virtually unusable.

It will attempt to spread itself as follows:
The email messages created by the worm specify a content-type of audio/x-wav with an executable attachment type. Thus when a message is accessed, the attachment can be executed even if the user does not open it and without the user's knowledge.


It adds JavaScript code to HTML documents, which opens a new browser window containing the infectious email message itself (taken from the dropped file README.EML). When this infected window is accessed (locally or remotely), the machine viewing the page is then infected.


It creates network shares for each local drive as %$ (where % = the drive letter that is being shared). On Win9x/ME systems this is configured as a full share with no password. On WinNT/2K systems the user GUEST is given permission to the share and added to the group ADMINISTRATORS as well as GUESTS. A reboot is required in order for these shares to get created. When the virus finds an open share, it copies itself to each folder on the drive in .EML format as described later on in this description. This can include the START UP folder.


The worm scans IP addresses looking for IIS servers to infect via the Web Folder Transversal vulnerability by sending a malformed GET request. This causes vulnerable machines to initiate a TFTP session to download ADMIN.DLL from the machine that sent the request. Once downloaded the remote system is instructed to execute the DLL that infects that machine. In the event that the TFTP session fails to connect, multiple files (TFTP*) are created in the WINDOWS TEMP directory. These files are simply copies of the worm.


It tries to use the backdoor created by W32/CodeRed.c to infect.


.EXE files are prepended with the worm code.


Email addresses are gathered by extracting the email addresses from MAPI messages in Microsoft Outlook and Microsoft Outlook Express, as well as from HTM and HTML documents. The worm then sends itself to these addresses with either no subject line or a subject line containing a partial registry key path.

Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, this can cause a network traffic jam.

It may copy itself to the WINDOWS SYSTEM directory as LOAD.EXE and create a SYSTEM.INI entry to load itself at startup:
Shell=explorer.exe load.exe -dontrunold

Additional information:

- A MIME encoded version of the worm is created in each folder on the system (often as README.EML or DESKTOP.EML, can also be .NWS files). This can create a lot of files and in some cases even fill up a hard disk.


- The WININIT.INI file may be used to delete specific worm files upon reboot:
NUL=CWINDOWS\TEMP\MEP52b0.TMP.exe


- Registry key values are created/changed to hide files:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\ShowSuperHidden


- A registry key branch is deleted to remove share security under WinNT/2K

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
lanmanserver\Share\Security


- The worm saves a copy of itself to C, D, and E as ADMIN.DLL

Note: a valid ADMIN.DLL does exist and is part of the Microsoft FrontPage Server Extensions functionality


- Filenames for the worm include: ADMIN.DLL, LOAD.EXE, MMC.EXE, README.EXE, RICHED20.DLL, MEP*.TMP.EXE

Note: applications which utilize the rich text format, such as Microsoft Word and Wordpad, call this RICHED20.DLL file. As such, the worm is executed when a dependent program is run. There is typically a valid RICHED20.DLL file in the WINDOWS SYSTEM directory, but this is overwritten by the virus.

Note: MMC.EXE is the name for the Microsoft Management Console application. It has been reported that the worm can in fact overwrite this file.

The virus contains the string: Concept Virus (CV) V.5, Copyright (C) 2001 R.P.China
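The advisory pasted above lists several host-side artefacts: the SYSTEM.INI Shell= entry that loads LOAD.EXE, the WININIT.INI NUL= lines for MEP*.TMP.exe files, the Explorer\Advanced registry values changed to hide files, and the README.EML / DESKTOP.EML / .NWS copies dropped into every folder. The following is an added example, not code from the thread or from McAfee: a read-only checker that takes the text of those INI files, a .reg-style export of the Explorer\Advanced key and a directory tree, and reports which of the listed indicators are present. Every input is constructed inline (the temporary tree is created by the script itself); the meaning given to the three Explorer values is standard Windows Explorer behaviour, not something the advisory states.

```python
"""Host indicator check for the Nimda artefacts listed in the advisory.

Added example, not code from the thread or from McAfee: it examines the text of
SYSTEM.INI and WININIT.INI, a registry export of the Explorer\\Advanced key, and
a directory tree, and reports the indicators the advisory names. All inputs are
constructed here; nothing on the real system is read or changed.
"""
import re
import tempfile
from pathlib import Path

# Shell=explorer.exe load.exe -dontrunold, as quoted in the advisory
SHELL_RE = re.compile(r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\s+-dontrunold\b", re.I)
# NUL=...\TEMP\MEPxxxx.TMP.exe lines in the [rename] section of WININIT.INI
WININIT_RE = re.compile(r"^\s*NUL\s*=.*\\TEMP\\MEP[0-9A-F]*\.TMP\.EXE\s*$", re.I)
# "Name"=dword:hex lines inside a .reg export of Explorer\Advanced
REG_DWORD_RE = re.compile(r'^"(Hidden|HideFileExt|ShowSuperHidden)"=dword:([0-9a-f]{8})$', re.I)

DROPPED_NAMES = {"readme.eml", "desktop.eml"}
DROPPED_SUFFIXES = {".nws"}


def check_system_ini(text: str) -> list[str]:
    """Return Shell= lines that would start the worm's LOAD.EXE at boot."""
    return [line.strip() for line in text.splitlines() if SHELL_RE.match(line)]


def check_wininit_ini(text: str) -> list[str]:
    """Return NUL= lines that delete MEP*.TMP.exe worm files on reboot."""
    return [line.strip() for line in text.splitlines() if WININIT_RE.match(line)]


def explorer_values(reg_export: str) -> dict[str, int]:
    """Parse the three Explorer\\Advanced values the advisory says the worm changes."""
    values = {}
    for line in reg_export.splitlines():
        m = REG_DWORD_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def explorer_hides_files(values: dict[str, int]) -> list[str]:
    """Standard Explorer semantics (assumption stated in the lead-in): Hidden=2 hides
    hidden files, HideFileExt=1 hides extensions, ShowSuperHidden=0 hides system files."""
    reasons = []
    if values.get("Hidden") == 2:
        reasons.append("Hidden=2 (hidden files not shown)")
    if values.get("HideFileExt") == 1:
        reasons.append("HideFileExt=1 (extensions hidden, so README.EML shows as README)")
    if values.get("ShowSuperHidden") == 0:
        reasons.append("ShowSuperHidden=0 (protected system files not shown)")
    return reasons


def find_dropped_copies(root: Path) -> list[str]:
    """Return files under root named README.EML/DESKTOP.EML or ending in .NWS."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and (p.name.lower() in DROPPED_NAMES or p.suffix.lower() in DROPPED_SUFFIXES):
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


# ---- constructed sample inputs (not taken from any real machine) ----------
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[drivers]\nwave=mmdrv.dll\n"
SAMPLE_WININIT_INI = "[rename]\nNUL=C:\\WINDOWS\\TEMP\\MEP52b0.TMP.exe\n"
SAMPLE_REG_EXPORT = (
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]\n"
    '"Hidden"=dword:00000002\n'
    '"HideFileExt"=dword:00000001\n'
    '"ShowSuperHidden"=dword:00000000\n'
)


def build_sample_tree() -> Path:
    """Create a throwaway directory tree with two dropped .EML copies and one .NWS."""
    root = Path(tempfile.mkdtemp(prefix="nimda_demo_"))
    (root / "docs").mkdir()
    (root / "README.EML").write_bytes(b"constructed placeholder, not worm content")
    (root / "docs" / "desktop.eml").write_bytes(b"constructed placeholder")
    (root / "docs" / "news.nws").write_bytes(b"constructed placeholder")
    (root / "docs" / "report.txt").write_bytes(b"benign file, should not be reported")
    return root


def run_all() -> dict[str, list[str]]:
    """Run every check over the constructed inputs and collect the findings."""
    return {
        "system_ini": check_system_ini(SAMPLE_SYSTEM_INI),
        "wininit_ini": check_wininit_ini(SAMPLE_WININIT_INI),
        "explorer": explorer_hides_files(explorer_values(SAMPLE_REG_EXPORT)),
        "dropped": find_dropped_copies(build_sample_tree()),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits if hits else 'clean'}")
```

The checker only reads and reports; clean-up is left to an up-to-date scanner, as the later posts in the thread recommend. Any one of the four findings on its own is weak evidence (HideFileExt=1 is a common user setting), so the value is in seeing several of them together on the same host.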
 
Old 20th Sep 2001, 07:35
  #9 (permalink)  
 
Join Date: Mar 2001
Posts: 190
Likes: 0
Received 0 Likes on 0 Posts

For those of you using McAfee, Sdat 4160 dated 18 Sept 01 detects and removes this one.

Available at McAfee Virusscan Update page

Note this is only for McAfee users.

Snooze
Capt Snooze is offline  
Old 20th Sep 2001, 17:37
  #10 (permalink)  
 
Join Date: Apr 2000
Location: Devonport Tasmania Australia
Posts: 1,837
Likes: 0
Received 0 Likes on 0 Posts

Also FYI fellow PPRuNers - Norton also seems to predict and shut this one down.

Do a live update- NOW

It hit 3 times at work today and thank God- no damage.

Best as always


EWL
Eastwest Loco is offline  
Old 21st Sep 2001, 10:54
  #11 (permalink)  
lame
Guest
 
Posts: n/a

Heard a news item on the radio this morning, to the effect that it has caused the shutdown of most of the Australian Government computers, among others........
 
Old 24th Sep 2001, 08:16
  #12 (permalink)  
cam
 
Join Date: Apr 2001
Location: Adelaide South Australia
Posts: 18
Likes: 0
Received 0 Likes on 0 Posts

It has had our network down since last Thursday and we are back online just this morning. My computer needed a new hard drive.
cam is offline  