
  Viruswarn Forums
Subject: NIMDA additional details

Lee Drake
Posts: 238

05/20/2002 1:33 PM  
Additional information, with detailed infection and patching instructions, courtesy of NTBugtraq (www.ntbugtraq.com). It appears that:

A) Disabling JavaScript/Active Scripting in your browser WILL prevent infection.
B) This is HAMMERING the internet.
C) You should seriously consider updating your Internet Explorer version to a current service pack level using Windows Update.

Lee Drake
Aztek Computer Solutions, Inc.
39 N. Goodman St.
Rochester, NY 14607
716-242-2060
ldrake@aztekcs.net

Infection vectors:
-----------------
a) Email, as an attachment of MIME audio/x-wav type.
b) Browsing an infected webserver with JavaScript execution enabled and using a version of IE vulnerable to the exploits discussed in MS01-020 (e.g. IE 5.0 or IE 5.01 without SP2).
c) Machine to machine in the form of IIS attacks (primarily attempting to exploit vulnerabilities created by the effects of Code Red II, but also vulnerabilities previously patched by MS00-078).
d) Highlighting either a .eml or .nws file in Explorer with Active Desktop enabled (W2K/ME/W98 by default): THUMBVW.DLL will execute the file and attempt to download the README.EXE referenced in it (depending on your IE version and zone settings).
e) Mapped drives. Any infected machine which has mapped network drives will likely infect all of the files on the mapped drive and its subdirectories.

To prevent yourself from being infected:
a) Ensure all IE versions have applied MS01-027 (or are IE 5.01 SP2 or above).
b) Disable Active Scripting in IE.
c) Ensure all IIS installations have applied MS01-044 (or at the very least MS01-033).
d) Use the CACLS program to modify the permissions on TFTP.EXE to remove all use:
   CACLS %systemroot%\system32\tftp.exe /D Everyone
   CACLS %systemroot%\system32\tftp.exe /D System
   Do the same for CMD.EXE (note: this could be tried with THUMBVW.DLL as well, haven't tried this myself yet).
e) Ensure that TFTP is not permitted out through your network gateway (note that newly infected machines may try and TFTP *internally* from some other infected machine you have on your network).
f) Modify or remove:
   HKEY_CLASSES_ROOT\.eml
   HKEY_CLASSES_ROOT\.nws

Cleansing information:
---------------------
Nimda is viral, so while you can remove various files that it drops, it probably will not be cleaned completely by manual means. This means you will have to use your AntiVirus vendor's product to completely cleanse.
a) Load.exe dropped as a hidden/system file (probably in %systemroot%).
b) Riched20.dll dropped with today's date as a hidden/system file.
c) Readme.exe dropped in every directory.
d) Admin.dll dropped in /scripts and/or root directories (not the _vti_bin directories of FrontPage).
e) .eml and .nws files dropped in every directory.
f) Possibly modified your default home page in web dirs.
g) Infected numerous files (if not all files) with the 56kb executable.
h) Reports of people having files lumped together into .eml files.

Check with your AV vendor regularly for updates to the cleansing programs. I would appreciate any reports from AV vendors as to how complete they feel their cleaners currently are. I will do an update later tonight based on responses.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

Lee Drake, Moderator
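As an added defensive check (not part of the original post or the NTBugtraq advisory), the script below walks a directory tree for the dropped-file indicators the cleansing section lists: Load.exe, Readme.exe, Admin.dll, any .eml/.nws file, and a Riched20.dll carrying today's date. The sample tree it builds is constructed for the demonstration; point scan_tree() at a real volume to use it.

```python
import os
import time
import datetime
import tempfile
from pathlib import Path

# Filesystem indicators taken from the cleansing section of the post above.
DROPPED_NAMES = {"load.exe", "readme.exe", "admin.dll"}
DROPPED_EXTS = {".eml", ".nws"}


def scan_tree(root, today=None):
    """Return a list of (path, reason) for every file under `root` that matches an indicator."""
    today = today or datetime.date.today()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower in DROPPED_NAMES:
                hits.append((str(path), f"dropped file {name}"))
            elif Path(lower).suffix in DROPPED_EXTS:
                hits.append((str(path), f"{Path(lower).suffix} container file"))
            elif lower == "riched20.dll":
                # Only a copy written today is suspicious; an old copy is normal.
                mtime = datetime.date.fromtimestamp(path.stat().st_mtime)
                if mtime == today:
                    hits.append((str(path), "riched20.dll modified today"))
    return hits


def build_sample_tree(base):
    """Constructed sample tree: benign files mixed with the advisory's indicators (no real malware)."""
    (base / "docs").mkdir()
    (base / "scripts").mkdir()
    (base / "docs" / "notes.txt").write_text("benign")
    (base / "docs" / "README.EXE").write_bytes(b"constructed")   # indicator c)
    (base / "docs" / "report.eml").write_bytes(b"constructed")   # indicator e)
    (base / "scripts" / "Admin.dll").write_bytes(b"constructed")  # indicator d)
    (base / "load.exe").write_bytes(b"constructed")               # indicator a)
    (base / "riched20.dll").write_bytes(b"constructed")           # indicator b), fresh mtime
    old = base / "system32_backup"
    old.mkdir()
    (old / "riched20.dll").write_bytes(b"benign copy")
    stale = time.time() - 90 * 86400
    os.utime(old / "riched20.dll", (stale, stale))                # 90 days old: must not be flagged


def demo():
    """Build the constructed tree in a temp dir and scan it; returns the hit list."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return scan_tree(base)
```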