Subject: LockDown Security Bulletin - 09/19/2001 Danger Extremely High Risk Factor - W32.Nimda.A@mm aka Concept Virus(CV) V.5
Date: Tue, 18 Sep 2001 15:07:49 -0400

LockDown Security Bulletin - 09/19/2001

W32.Nimda.A@mm aka Concept Virus(CV) V.5

Danger Extremely High Risk Factor

You can forward this to a friend or have him visit
http://lockdowncorp.com/w32.nimda@mm.html for this latest

Today we spent some time on a telephone technical support call with a
customer who had become infected with this new Worm. After getting an
idea of what we were looking at and the activity of the Worm, we
infected one of our Laboratory machines with it by visiting our
customer's web site, which he put back online for a few moments at our
request, in order for us to see how this Worm works and to be able to
see its method of infection and the created files.

On visiting the web site with Internet Explorer 5.5, a pop-up window
appeared after the main page loaded, entitled ReadMe.eml. This file was
immediately copied to the Windows Temp dir and executed using the
exploit:

<html><script language="JavaScript">window.open("readme.eml", null,

The Web Server we visited was an IIS Web Server running on Windows NT4
Service Pack 5 and had been recently patched during the height of CodeRed
and had not been affected by CodeRed. The Worm, when active, rapidly
uses CPU and drains nearly all system resources trying to spread

(1.) It uses the Unicode Web Traversal exploit to spread itself to 
exploitable IIS Web Servers. It finds hosts by scanning for 
exploitable machines and trying multiple Unicode exploits. This method 
of infection is likely to claim the most victims and spread this Worm 
the fastest. It copies itself as Admin.dll and is executed remotely
by the infecting machine. More about this exploit can be found at

Once it has infected a machine, it also modifies *.html, *.htm and
*.asp files and adds the above JavaScript popup window code to the
end of each file. This will then infect any visitor to the site using
an Internet Explorer 5.5 that has not been updated, or offer the
ReadMe.eml file to visitors with safe browsers. The Worm is MIME encoded
when downloaded.
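One way to hunt for the appended popup block across a web root and strip it again, as an added example that is not code from the bulletin or from LockDown. It matches on the fragment the bulletin quotes (a `<script language="JavaScript">` whose first action is `window.open("readme.eml", ...)`); the closing `</script></html>` and the window-feature string in the constructed sample are assumptions. The `scan_webroot` helper also serves the cleanup advice near the end of the bulletin, where all *.html, *.htm and *.asp documents are to be checked.

```python
import re
from pathlib import Path

# Signature of the injected block, built from the fragment the bulletin quotes:
# a <script language="JavaScript"> whose first action is window.open("readme.eml", ...).
# Assumption: the appended block closes with </script> and an optional </html>;
# matching is case-insensitive and tolerant of whitespace.
INJECT_RE = re.compile(
    r'(?:<html>\s*)?<script\s+language="JavaScript">\s*'
    r'window\.open\(\s*"readme\.eml"[^<]*</script>(?:\s*</html>)?',
    re.IGNORECASE,
)

# The document types the bulletin says the worm appends to.
WEB_EXTENSIONS = {".html", ".htm", ".asp"}


def is_injected(content: str) -> bool:
    """True if the page text carries the readme.eml popup block."""
    return INJECT_RE.search(content) is not None


def clean_page(content: str) -> tuple[str, int]:
    """Strip every injected block and return (cleaned_text, blocks_removed)."""
    cleaned, removed = INJECT_RE.subn("", content)
    return cleaned.rstrip() + "\n", removed


def scan_webroot(root: Path) -> list[Path]:
    """List the *.html/*.htm/*.asp files under root that carry the block."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip it, do not abort the whole scan
            if is_injected(text):
                hits.append(path)
    return hits


# Constructed sample: a harmless page, and the same page with the worm's block
# appended to the end. The window-feature string is made up for the sample.
SAMPLE_CLEAN = "<html><body><h1>Welcome</h1></body></html>\n"
SAMPLE_INFECTED = SAMPLE_CLEAN + (
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"width=1,height=1")</script></html>'
)

if __name__ == "__main__":
    print("sample infected:", is_injected(SAMPLE_INFECTED))  # True
    text, removed = clean_page(SAMPLE_INFECTED)
    print("blocks removed:", removed, "| clean afterwards:", not is_injected(text))
```

Run `scan_webroot(Path("/path/to/wwwroot"))` against a copy of the site before rewriting anything; `clean_page` only removes the matched block, so a page whose rest of the content was also changed still needs restoring from a known-good backup.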

(2.) The Nimda Worm also creates Unpassworded and Hidden Fileshares on the
host computer. From the activity we witnessed during testing in the
Laboratory, it created a Fileshare for each existing drive after A:\
and B:\. On our Laboratory machine it created C$, D$, E$, F$ and G$,
including the CD-ROM. Even after cleaning up the infection, the fileshares
are left open, leaving the victim wide open to secondary infection by
almost anything anybody wants to put there, or by the many existing
worms that exploit open fileshares.

(3.) The Worm also searches for network shares and infects them by
overwriting legitimate files on the system, such as Mmc.exe. The
machine we recovered files from had 4 instances of Mmc.exe running at
once and the CPU usage was up at 100%, suggesting a high level of
activity from propagation and scanning, or bugs in the code causing a
memory leak.

(4.) The other method of travel this Worm uses is spreading itself by
Email. Similar to SirCam, it creates its own SMTP Server (Simple Mail
Transfer Protocol) to send Email to any Email addresses it finds in
the Outlook Express Inbox. The Worm is sent out as an attachment
embedded inside the Email and is not a visible attachment. In Outlook
Express, you would not see a paper clip signifying the existence of an
attachment on receiving a Nimda Worm infected Email. Once the Email is
opened, the attachment does not show on the Email. The attachment
pretends to be a sound file, and the Worm generates a number of
different random subjects for the sent mail.
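A mail-gateway check for the kind of message described above, as an added example that is not code from the bulletin or from LockDown. It walks a MIME message and flags any part that declares itself audio but carries a PE executable, any part with an executable-looking filename, and notes when such a part is not marked as an attachment (which is why a client shows no paper clip). The extension list, the "MZ" header test and the constructed sample message are assumptions for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumptions for the example: extensions worth flagging, and the "MZ" header
# that every PE executable starts with.
EXEC_EXTENSIONS = (".exe", ".dll", ".eml")
PE_MAGIC = b"MZ"


def suspicious_parts(raw: bytes) -> list[dict]:
    """Walk a raw RFC 822 message and report parts that look like a disguised executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        disposition = part.get_content_disposition()  # "attachment", "inline" or None
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ctype.startswith("audio/") and payload.startswith(PE_MAGIC):
            reasons.append("declared as audio but the body is a PE executable")
        if filename.endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable-looking filename {filename!r}")
        if reasons and disposition != "attachment":
            reasons.append("not marked as an attachment, so a mail client may show no paper clip")
        if reasons:
            findings.append({"content_type": ctype, "filename": filename,
                             "disposition": disposition, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample: a short text body plus an inline 'audio' part that is really a PE stub."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample subject"
    msg.set_content("Please see the attached file.")
    fake_pe = PE_MAGIC + b"\x90" * 64  # header bytes only; this is not a real program
    msg.add_attachment(fake_pe, maintype="audio", subtype="x-wav",
                       filename="readme.exe", disposition="inline")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in suspicious_parts(build_sample()):
        print(finding["content_type"], finding["filename"], finding["disposition"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The content-type check matters more than the filename check: a sender controls both the declared type and the name, but the first two bytes of the decoded payload are what the operating system will act on if the part is ever saved and run.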

The file copies itself to various locations and copies into the
Temporary Directory as Mep2091.tmp.exe, or more accurately as
Mep*.tmp.exe, as the number after Mep is randomly generated.

The Worm will also overwrite Riched20.dll, and this file will need
replacing with a clean copy for certain applications to work. Anything
calling this file would reinfect the machine. On a Windows 98 machine,
Load.exe and ReadMe.exe were created in the System Folder.

On NT/Win2k it created Mmc.exe and ReadMe.exe.

The System.ini is changed in the Shell= line to "Shell = explorer.exe
load.exe -dontrunold" and needs to be changed back so that it only reads
"Shell = explorer.exe".
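A small checker and repair routine for that System.ini change, as an added example that is not code from the bulletin or from LockDown. It reads the Shell= line inside the [boot] section, reports whether anything besides explorer.exe is loaded and whether the "-dontrunold" marker is present, and rewrites the line while preserving the file's spacing and line endings. The sample System.ini contents are constructed.

```python
import re

# What a clean [boot] section should carry. The bulletin describes the worm
# rewriting this to "explorer.exe load.exe -dontrunold".
CLEAN_SHELL = "explorer.exe"
WORM_MARKER = "-dontrunold"

# Matches a shell= line, keeping the left-hand side and its spacing (group 1),
# the value (group 2) and the line ending (group 3) so a rewrite preserves layout.
SHELL_LINE = re.compile(r"^(\s*shell\s*=\s*)(.*?)(\r?\n)?$", re.IGNORECASE)


def inspect_shell(ini_text: str) -> dict:
    """Find the shell= line in [boot] and say whether it still points only at explorer.exe."""
    section = None
    for lineno, line in enumerate(ini_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            continue
        if section != "boot":
            continue
        m = SHELL_LINE.match(line)
        if m:
            value = m.group(2).strip()
            return {"line": lineno, "value": value,
                    "modified": value.lower() != CLEAN_SHELL,
                    "nimda_marker": WORM_MARKER in value.lower()}
    return {"line": None, "value": None, "modified": False, "nimda_marker": False}


def restore_shell(ini_text: str) -> str:
    """Return the file text with the [boot] shell= line reset to explorer.exe, all else untouched."""
    out = []
    section = None
    for line in ini_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "boot":
            m = SHELL_LINE.match(line)
            if m:
                line = m.group(1) + CLEAN_SHELL + (m.group(3) or "")
        out.append(line)
    return "".join(out)


# Constructed sample System.ini with the modification the bulletin describes.
SAMPLE_INFECTED_INI = (
    "[boot]\r\n"
    "Shell = explorer.exe load.exe -dontrunold\r\n"
    "drivers=mmsystem.dll\r\n"
    "[386Enh]\r\n"
    "ebios=*ebios\r\n"
)

if __name__ == "__main__":
    print("before:", inspect_shell(SAMPLE_INFECTED_INI))
    fixed = restore_shell(SAMPLE_INFECTED_INI)
    print("after: ", inspect_shell(fixed))
```

Resetting the line is only half the job: Load.exe must also be removed from the System folder, otherwise the entry that a later change re-adds would start it again on the next boot.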


This Worm, despite popular belief, still appears to infect IIS servers
that have run the latest security patches, but this does not
necessarily mean they became infected via an IIS vulnerability; it
is very possible that they were infected through their browser, by
opening an email, or possibly even through an open fileshare. The size of
the files created is 57,344 bytes, and you should look for recently
created or modified files and clean all *.html, *.htm or *.asp
documents. LockDown did detect and remove the System.ini entries and
detected the files as new Internet servers, which aided a quick cleanup
without knowing the Worm by name. The signatures to detect this by
name are in our signature updates. In advanced mode the
unpassworded fileshares were also detected and could be removed.
The files Admin.dll, Mmc.exe & Riched20.dll must be deleted and
replaced with clean copies if infected.

Notice: A NEW security bulletin is due out by the end of next week!
Don't let yourself or your friends miss out on this important
news article, which will include some of the following information:

Add your friends' email addresses to the list and make sure that you
are also included.

You can check your status or add a friend by clicking on:

- Detailed overview on IRC Bots, Worms, and IRC Trojans
- Interviews with known hackers
- Interviews with IRC Operators
- FREE Security Programs

We are just in the process of putting the whole article together with
all the supporting interviews and images and it should be ready by the
end of next week. We have covered the whole issue of IRC Related DDOS
Trojans and their capabilities and how they are manipulated and spread.

This is a totally factual article with much supporting evidence that
is bound to shock a few people. We have fully stuck with supported
facts without going into flights of wild hysteria and supposition in
order to make this article a useful reference to the security
community and the public. Not only have we verified all information
from our sources but we have also put it to the test under strict
laboratory conditions to emulate the results.

We hope you will find the forthcoming article both useful and
informative as a reference. We will also address and try to answer any
questions that may arise from the article. We hope to see you all next
week, when we will also be announcing some great free security
programs to help prevent this problem. Many people have requested that
we offer such a service, and we have listened to them and brought
their ideas and suggestions to reality. We also see it as our public
responsibility to help inform people of the risks and how to lower the
risk. Stay tuned for late breaking news on the free products.