DialogueScience, Inc. informs

Heavy storm on the Internet. During the last two days the new network worm "Nimda" has created an unprecedented epidemic.

The new and extremely dangerous network worm "Nimda" was detected on the network on the evening of 18 September, but by the morning of 19 September thousands of infected computers had already been registered all over the world. According to DialogueScience's information this new worm has already infected thousands of computers in the Russian Internet segment, and the spreading speed of the Nimda worm does not seem to be decreasing. The Internet appears to be suffering a heavy storm and there is no way to give even an approximate number of those affected.

The Nimda worm definition was added to the Doctor Web virus database during the night between 18 and 19 September. The "hot" update was released at the same time and made available for download from the DialogueScience server: http://www.antivir.ru/dsav/english/add-on/drwtoday.zip

DialogueScience strongly recommends the following preventive steps in order to fight the Nimda threat:

Below please find the detailed technical information about the "Nimda" virus.

Win32.HLLW.Nimda.57344

An extremely dangerous worm. It replicates in WinNT/Win2k/Win9x environments. The virus is capable of infecting both IIS (Internet Information Server) 4/5 and client workstations.

Upon launch of an infected file the virus first verifies whether an active copy of the same virus is already present in the computer's memory. If it finds one, the virus terminates. Otherwise the virus determines the type of file it was activated from and, provided the activation happened from an infected file (not from the virus dropper, which contains nothing but the virus code), it creates a similar file with almost the same name but with an extra space at the end, i.e.

TEST.EXE => TEST .EXE
(if the virus was launched from a network drive, it creates a temporary file with a random name in the temporary folder); it then extracts the contents of the original file from its own resources into the created temporary file and launches it.

After that the virus creates its own replica in the temporary folder and launches it with the "-dontrunold" parameter on the command line, marking the launched file for deletion on the next system restart (through the WININIT.INI file in Win9x or by calling the appropriate API function in WinNT/2k). With a probability of 1/5 the virus attempts to delete all "README*.EXE" files in the temporary folder (the virus exploits an Internet Explorer flaw for its own replication, so virus copies in such files would otherwise accumulate in the temporary folder). Having done this, the first virus copy terminates.

The launched virus copy creates one more replica of itself with a random name in the temporary folder and attempts to clean up its own resources section by removing the original parent file that may still be present there. Win9x systems do not provide the appropriate mechanisms for working with resources, so such an attempt can succeed on WinNT/2k only. After that the virus scans the TCP/IP settings of all registered network interfaces and attempts to determine the DNS server address. If successful, the virus saves the address into its own code and writes it directly into the previously created temporary virus file. The virus then creates its own template file, which contains the virus code in MIME format; later this template file is used to send out virus replicas via e-mail. Having done this, the virus performs one of two actions depending on the operating system: it either tries to embed its copy into the EXPLORER system process (WinNT/2k) or registers its own process as a service, removing it from the task list. After that the virus starts its main reproduction process.

After waiting 30 seconds the virus obtains the host machine name and its IP address and, on WinNT/2k, launches its own TFTP server implementation (port 69/udp) as a separate thread. This TFTP server delivers the contents of the virus file to the client side on request. The virus then creates either 60 (workstation) or 200 (server) threads to scan for and attack vulnerable IIS servers. No such attacks are attempted by the virus in a Win9x environment.

To attack IIS servers the virus employs the "Microsoft IIS CGI Filename Decode Error Vulnerability" (May 2001) and the "Microsoft IIS Unicode Bug" vulnerability (December 2000), and also attempts to exploit the vulnerability left on servers previously compromised by the CodeRedII and sadmind/IIS worms.

If the attack succeeds, the remote server initiates a TFTP session with the attacking host and the virus transfers its own code, which is copied to the ADMIN.dll file and launched; it then writes its own copy to the file %windows%\mmc.exe and restarts it.

After that, in a Win9x system the virus creates its copies as %WINDOWS%\LOAD.EXE and %WINDOWS%\RICHED20.DLL with the read-only, hidden and system attributes and, finally, registers LOAD.EXE in the Shell parameter of the SYSTEM.INI file; this way the virus is activated on each system restart.

Under WinNT/2k the virus scans folders down to the fourth level on all drives, looking for DEFAULT, INDEX and MAIN files and, with a certain probability, README files with the .ASP, .HTM and .HTML extensions. Upon locating such files the virus copies the previously created MIME template to the README.EML file in the target folder and adds a small script to the contents of the files found. Thus, when the modified file is opened, the Web browser opens the virus file README.EML in a new window. This way the virus tampers with the main pages of the Web server and automatically activates itself in the page visitor's Internet Explorer browser, provided the browser has the security hole used by the virus. If so, the virus is activated on the visitor's computer as described below.
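A web server administrator can look for exactly the artefacts this paragraph describes: dropped README.EML files and target pages that now reference them. The following scanner is an added example, not DialogueScience's or Doctor Web's code; the sample web root it builds is constructed for the demo, and its `window.open('readme.eml')` line is a stand-in for the injected script, whose real text the advisory does not give.

```python
import os
import re
import tempfile
from pathlib import Path

# Names the advisory says the worm targets: DEFAULT, INDEX, MAIN and (sometimes)
# README pages with .ASP/.HTM/.HTML extensions; the dropped template is README.EML.
PAGE_NAMES = {"default", "index", "main", "readme"}
PAGE_EXTS = {".asp", ".htm", ".html"}
EML_REF = re.compile(r"readme\.eml", re.IGNORECASE)


def scan_webroot(root, max_depth=4):
    """Walk `root` (four levels deep, as the advisory describes) and report
    dropped README.EML files and target pages that now reference README.EML."""
    root = Path(root)
    found = {"eml_files": [], "modified_pages": []}
    for dirpath, dirnames, filenames in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)
        if depth >= max_depth:
            dirnames[:] = []  # stop descending below the fourth level
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() == "readme.eml":
                found["eml_files"].append(str(path))
            elif path.stem.lower() in PAGE_NAMES and path.suffix.lower() in PAGE_EXTS:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue
                if EML_REF.search(text):
                    found["modified_pages"].append(str(path))
    return found


def build_sample_tree():
    """Create a constructed web root (an assumption for the demo, not a real
    capture): one clean page, one dropped README.EML and one modified index."""
    base = Path(tempfile.mkdtemp())
    (base / "about.html").write_text("<html><body>clean page</body></html>")
    site = base / "site"
    site.mkdir()
    (site / "README.EML").write_text("MIME-Version: 1.0\n")  # stand-in for the template
    (site / "index.html").write_text(
        "<html><body>home</body></html>"
        "<script>window.open('readme.eml')</script>"  # stand-in for the injected script
    )
    (site / "default.asp").write_text("<%= Now() %>")
    return str(base)


if __name__ == "__main__":
    print(scan_webroot(build_sample_tree()))
```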

After that (under WinNT/2k only) the virus obtains from the Registry the list of registered applications and tries to infect all their *.EXE files: the virus moves the original file contents into the virus's own resources section and replaces the visible virus icon with the one belonging to the original file.

Further on, the virus searches for and infects files on the available registered network resources (WinNT/2k) or opens local drives for full password-free network access (Win9x). All folders are processed:

After that the virus tries to use MAPI functions to determine the address of the host SMTP server, as well as lists of addresses from both the Address Book and cached HTML files, and attempts to send out virus copies to those addresses. The virus copies to be sent out take the form of a specially prepared HTML message with the readme.exe file attached. Usually the file size is 57344 bytes, but it can be bigger if the virus started from an infected file and was not able to remove the original file's contents from its own resources section. The message is composed in such a way that upon opening it with Internet Explorer or with programs which use Internet Explorer to view HTML files (Outlook, Outlook Express) the attached file is launched automatically. This Internet Explorer vulnerability ("Incorrect MIME header") was discovered in March 2001.
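The mail described above can be caught at the gateway by checking what the advisory names: an .exe attachment whose MIME header declares a non-executable type, and the usual 57344-byte size. This checker is an added example, not the vendor's code; the message it builds is a constructed sample (an assumption for the demo, not a captured Nimda mail) whose attachment is declared as audio to show the mismatch.

```python
import base64
import email
from email import policy

NIMDA_ATTACHMENT_SIZE = 57344  # usual readme.exe size given in the advisory
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def suspicious_attachments(raw_message):
    """Return (filename, declared type, size, reasons) for attachments that fit
    the advisory's description: an .exe whose declared MIME type is not an
    executable type (the 'incorrect MIME header' trick), a PE image hidden
    under a non-application type, or a payload of exactly 57344 bytes."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        reasons = []
        if name.lower().endswith(".exe") and ctype not in EXECUTABLE_TYPES:
            reasons.append("exe attachment declared with non-executable type")
        if payload[:2] == b"MZ" and not ctype.startswith("application/"):
            reasons.append("PE header under a non-application type")
        if len(payload) == NIMDA_ATTACHMENT_SIZE:
            reasons.append("size matches the documented worm size")
        if reasons:
            hits.append((name, ctype, len(payload), reasons))
    return hits


def build_sample_message():
    """Constructed sample (an assumption for the demo, not a captured mail):
    HTML body plus a 57344-byte readme.exe attachment declared as audio."""
    body = base64.b64encode(b"MZ" + b"\x00" * (NIMDA_ATTACHMENT_SIZE - 2)).decode()
    return "\n".join([
        "From: sender@example.invalid", "Subject: constructed sample",
        "MIME-Version: 1.0", 'Content-Type: multipart/related; boundary="b1"', "",
        "--b1", "Content-Type: text/html", "", "<html><body>text</body></html>",
        "--b1", 'Content-Type: audio/x-wav; name="readme.exe"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="readme.exe"', "",
        body, "--b1--", "",
    ])


if __name__ == "__main__":
    for hit in suspicious_attachments(build_sample_message()):
        print(hit)
```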

Further on, the virus modifies the Explorer settings: it switches off the "show hidden files and file extensions" view mode and (in WinNT/2k) enables the Guest account, adds the Guest user to the Administrators group, assigns an empty password to this account and opens all local drives for full network access.

After that the virus tries IP addresses from a random range, attempting to access write-enabled network resources and distribute its own copies in the way already described.

Having performed all these manipulations the virus pauses for about 3 minutes and then starts the whole cycle over again.

The virus contains a text string:

Concept Virus(CV) V.5, Copyright(C)2001  R.P.China
This particular virus must be considered extremely dangerous, as it uses a wide range of vulnerabilities to attack and replicate. The virus can reproduce itself in different ways, thus repeatedly attacking cured but still vulnerable systems. Therefore we strongly advise installing the latest security updates for Windows operating systems.

Cumulative patch for IIS Servers:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

E-mail clients "Incorrect MIME header" vulnerability patch:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

September 20, 2001
DialogueScience Information Service
http://www.antivir.ru
E-mail: Antivir@antivir.ru


Copyright © 2001 DialogueScience, Inc., Moscow, Russia. All rights reserved.