[Fwd: Nimda worm infects through email and web pages AUTOMATICALLY]

Carrol Cox cbcox at ilstu.edu
Thu Sep 20 15:18:25 PDT 2001


-------- Original Message --------
Subject: Nimda worm infects through email and web pages AUTOMATICALLY
Date: Thu, 20 Sep 2001 16:55:10 -0400
From: "Jose G. Perez" <jgperez at netzero.net>
Reply-To: marxism at lists.panix.com
To: marxism at lists.panix.com
References: <3.0.1.32.20010920121155.019fbe68 at popserver.panix.com>

----- Original Message -----
From: "Louis Proyect" <lnp3 at panix.com>
To: <marxism at lists.panix.com>
Sent: Thursday, September 20, 2001 12:11 PM
Subject: Re: technical question


>>You never have to fear catching a virus if you simply read an email. The only way to become infected is to double-click a file contained in the body of the email. Watch out ESPECIALLY if the email is from somebody you don't know.<<

* * *

LOUIS's statement that a virus will not infect your computer unless you open an email or attachment is out of date. THIS worm (Nimda) WILL infect your computer if you a) go to an infected web page or b) allow Internet Explorer to run the HTML and JavaScript code infected pages contain in some other way, like in the preview pane of Microsoft Outlook and Outlook Express email programs. NO USER INTERACTION IS REQUIRED. INFECTION IS AUTOMATIC in certain cases (it depends on just which versions of the programs involved you have, security settings, and patches installed).

It works like this:

There is a bug in Microsoft Internet Explorer versions 5 and 5.5 that will allow through javascript and windows scripting for an executable file, i.e., the virus, to run. The file must be misrepresented to the browser as being of a certain data type, and the default program for handling that file needs to be a Microsoft program that can call on windows scripting.

As I understand it, the Nimda worm places JavaScript within certain web pages and HTML-formatted emails. Accessed on the web, the JavaScript launches a new browser window which downloads and plays [or in the email just plays] what the browser is told is a music file. This "music" file is in fact an .exe program. When (at least certain versions of) Windows Media Player sees that it has been given the wrong kind of file, it helpfully passes the file on to Windows to launch it, and it runs, infecting the computer. AGAIN, THERE IS NO WARNING, NO DIALOGUE BOX, IT IS AUTOMATIC.

This vulnerability has been known for some time, and patches have been available for it through www.windowsupdate.microsoft.com. With patches installed, media player will pop up and give you an error message (because the file is not a media file, but an executable). Just because I'm paranoid, I would recommend the media player dialogue and program be shut down by pressing CTRL-ALT-DEL and force-closing the program, rather than pressing cancel or anything else like that.

Because this vulnerability depends on a chain of Microsoft program "features" and bugs (it is not clear to me, for example, that REAL Java will do this; I suspect you need the Microsoft-polluted "Virtual Machine" version of Java), no practical way had been previously found to exploit it on a truly large scale. Thus the common wisdom that only by executing an attachment could you get an email infection. That wisdom, which Louis repeats and which I'm sure I've also said here or elsewhere, is now OUT OF DATE.

This virus author has COMBINED an exploit of this vulnerability with countless others, including the traditional "I love you"-type email spam generator, Code Red type Microsoft web server-infection mechanisms, and it even looks for the back doors left open by Code Red and Code Red II. For that reason, even though any one mechanism may have been insufficient to create an internet-wide epidemic, and infections would have remained localized and died out, this outbreak is as virulent as they come. The only consolation is that --so far-- no payload other than infecting other computers has been discovered.

IF YOU HAVE RECEIVED AN HTML-FORMATTED BLANK EMAIL, OR AN EMAIL THAT POPPED UP A BROWSER WINDOW, OR IF YOU WENT TO A WEB SITE TO FIND IT BLANK, OR WITH NONSENSE COMPUTER GOBBLEDYGOOK AS THE CONTENT OR TITLE, YOU MAY WELL BE INFECTED.

You should immediately obtain an antivirus program, from a file-sharing network or (if you feel so compelled) from the manufacturer or a store. (Norton I think has a 30-day free trial). Install it and also go to the manufacturer's web site and get the latest virus definitions.

In theory the antivirus will clean your computer in many or all cases, but mostly, it will help prevent reinfection while this virus is so virulently active. But remember the antivirus generals ONLY fight YESTERDAY's wars: most antivirus programs do NOTHING about new viruses UNTIL the programmers have updated the virus definition files AND you have updated and installed the new definitions.

In practice, what I would do is wipe every computer disk drive with program files on it on the network completely blank, save drives with data files ONLY, and reinstall everything. Of course, I'm well set up to do that as I keep several different partitions and do not allow ANY executables on data or media partitions. The partitions WITH executables I have "ghosted" and can restore in a few minutes, so I can easily wipe them clean from a DOS boot. I just don't trust antivirus program claims.

This worm is an extremely aggressive replicator, spreading itself through no fewer than 16 vulnerabilities just on Microsoft web servers alone, in addition to the ones found on typical end user computers. Moreover, it turns end user computers into Code Red-type propagators of the worm on a LAN and on the Internet. In many cases an infection will not activate until a reboot. The files the virus places on other machines on a LAN and throughout your hard drive are admin.dll and readme.exe, but it also adds viral code to other program files, corrupting them. That is why, frankly, I would prefer a reinstall to a Norton "cleaning."

Fortunately the payload is just that --replication-- as far as is known. If it were to be discovered that it had some sort of additional data-corrupting or other aggressive "attack" component, without doubt this would be considered the worst Windows virus outbreak ever. BTW, there is no guarantee that the virus doesn't carry or hasn't been programmed to retrieve and execute such a payload at some point: with this virus on it, your computer has been hijacked, the person(s) who authored the virus can use it for any purpose whatsoever.

Please note that this is NOT an Internet or computer worm in general, this is a MICROSOFT worm; people who use Macs or Linux boxes are totally free of danger from this infection.

It is the direct result of Microsoft's campaign to monopolize the software industry: to screw their competitors, they intimately tied in the browser, media player, etc., into the Operating System, utilizing all sorts of undocumented hooks and resources to make the programs work together in ways that Microsoft's competitors had a hard time matching. This is what makes possible things like email spam generating worms, web pages that infect your computers with viruses, web servers that infect other web servers, Microsoft Word macros that can erase all your files and so on.

Please note even if you use another browser, you may be vulnerable, because they are just Internet Explorer in disguise (AOL versions 4-7 especially). Opera, Netscape and Mozilla are not IE; Opera is its own browser and Netscape is really Mozilla + a pretty shell. However countless programs, including all the popular file sharing clients, use web page rendering functionality from the Operating System in their user interfaces: in other words, Internet Explorer. To what degree these "hidden" versions of IE share the vulnerability of the full program I do not know. If you have Windows, assume you're vulnerable.

José

PS: TO THOSE RUNNING MICROSOFT WEB SERVERS ON THEIR OWN:

If you are not sure your server is properly patched and not vulnerable to this worm, please TAKE IT OFF LINE until you are sure the server has been properly patched. Last I heard this required running a service pack or two and some patches, and in a certain order, so if you don't recall having done that, assume your machine is vulnerable.

Leaving vulnerable Microsoft servers on the Internet at this point is like leaving pools of stagnant water where mosquitoes can breed lying around in a country going through a Dengue epidemic. The socially responsible thing to do is to make sure you are not contributing to spreading the infection.

As a practical matter, even with a small network, getting the infection on one means getting the infection on ALL machines and you have to clean EVERY MACHINE, so this should be a strong incentive to take your server down.
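The delivery trick José describes above is a MIME part labelled as audio that actually carries a Windows executable. The following is an added example, not code from the post or from any list member: a defender-side check that compares each attachment's leading bytes against its declared Content-Type, which catches that mismatch at a mail gateway no matter which client-side chain would otherwise have run the file. The sample message, the filename and the magic-number table are constructed for illustration.

```python
"""Flag e-mail attachments whose declared media type contradicts their bytes.

Added example (not from the original post). A part labelled as audio whose
content begins with a PE header is exactly the kind of disguised executable
the post describes; the declared type is never trusted, the bytes decide.
"""
import email
from email import policy

# Magic numbers for a few formats; 'MZ' marks a Windows PE executable.
EXECUTABLE_MAGIC = (b"MZ",)
AUDIO_MAGIC = {
    "audio/x-wav": (b"RIFF",),
    "audio/wav": (b"RIFF",),
    "audio/mpeg": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "audio/midi": (b"MThd",),
}

def classify_part(content_type: str, payload: bytes) -> str:
    """Return 'executable-disguised', 'mismatch', or 'ok' for one MIME part."""
    ct = content_type.lower()
    if payload.startswith(EXECUTABLE_MAGIC) and not ct.startswith("application/"):
        return "executable-disguised"
    expected = AUDIO_MAGIC.get(ct)
    if expected is not None and not payload.startswith(expected):
        return "mismatch"
    return "ok"

def scan_message(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (filename, declared type, verdict) for every non-text leaf part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        payload = part.get_payload(decode=True) or b""
        verdict = classify_part(part.get_content_type(), payload)
        findings.append((part.get_filename() or "<inline>", part.get_content_type(), verdict))
    return findings

# Constructed sample: a blank HTML body plus an "audio" part that is really a PE header.
SAMPLE_EML = (
    b"From: sender@example.test\r\nTo: rcpt@example.test\r\n"
    b"Subject: (blank)\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: multipart/related; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/html\r\n\r\n<html><body></body></html>\r\n"
    b"--b1\r\nContent-Type: audio/x-wav; name=\"readme.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\nContent-Disposition: inline\r\n\r\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for name, ctype, verdict in scan_message(SAMPLE_EML):
        print(f"{name}: declared {ctype} -> {verdict}")
```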

======= PLEASE clip all extraneous text before replying to a message
