On behalf of FAVDB. Beware of the HTML....

---------- Forwarded message ----------
Subject: RE: [linux-31] Fwd: [suse-security] Nimda Worm - BugTraq
Date: Thu, 20 Sep 2001 08:46:22 +0200
From: VAN DEN BUSSCHE FA PREF31 <FA.VAN-DEN-BUSSCHE@haute-garonne.pref.gouv.fr>
To: "'jdd'" <jdanield@dodin.net>

I still can't post to the list, so I'm replying to you directly. You can then post it to the list if you want.

It is entirely possible to launch executables directly from an M$ mail client. You have to build a chain of procedures starting from HTML code, along the lines of:
- HTML code
- VBS code
->>> executable code, either directly or via the next reboot (SYSTEM.INI, registry or other).
The consequences for a non-W$ system result from the activity generated.

> -----Original Message-----
> From: jdd [mailto:jdanield@dodin.net]
> Sent: Wednesday, September 19, 2001 5:43 PM
> To: Liste linux-31
> Subject: [linux-31] Fwd: [suse-security] Nimda Worm - BugTraq
>
> Attached is a message that seems serious, concerning the new worm that is
> flooding the web right now.
>
> The important point is that, according to this message, some versions of
> Internet Explorer, and therefore of Outlook/Outlook Express, would be able
> to launch an attached file _automatically_ as soon as the message is opened.
>
> This contradicts my previous information. Can you confirm this fact?
>
> (Even though this worm attacks Windows, it reportedly brought down an Apache
> server via DoS.)
> jdd
>
> ---------- Forwarded message ----------
> Subject: [suse-security] Nimda Worm - BugTraq
> Date: Wed, 19 Sep 2001 10:01:31 -0400
> From: Sp0oKeR <spooker@bol.com.br>
> To: suse-security@suse.com
>
> > Hey,
> >
> > We have been receiving reports of a new worm from a large number of users.
> > Instead of deluging BUGTRAQ with traffic more appropriate for INCIDENTS,
> > we are posting a summary of the worm and the vulnerabilities it exploits:
> >
> > A new worm named W32/Nimda-A (known aliases are Nimda, Minda, Concept V,
> > Code Rainbow) began to proliferate the morning of September 18, 2001 on an
> > extremely large scale that targets the Microsoft Windows platform. It
> > attempts to spread via three mechanisms: as an email attachment, a web
> > defacement download, and through exploitation of known IIS
> > vulnerabilities. Collateral damage includes network performance
> > degradation due to high consumption of bandwidth during the propagation
> > process. There have been reports of Apache servers being inadvertently
> > affected by Nimda by being subjected to a denial of service condition (the
> > configuration of these servers is not known).
> >
> > This worm takes advantage of multiple vulnerabilities and backdoors. The
> > worm spreads via e-mail and the web. Through the e-mail vector, the worm
> > arrives in the user's inbox as a message with a variable subject line. The
> > e-mail contains an attachment named 'readme.exe'. This worm formats the
> > e-mail in such a way as to take advantage of a hole in older versions of
> > Internet Explorer. Outlook mail clients use the Internet Explorer libraries
> > to display HTML e-mail, so by extension Outlook and Outlook Express are
> > vulnerable as well, if Internet Explorer is vulnerable. The hole allows the
> > readme.exe program to execute automatically as soon as the e-mail is
> > previewed or read.
> >
> > Once it has infected a new victim, it mails copies of itself to other
> > potential victims, and begins scanning for vulnerable IIS Web servers.
> > When scanning for vulnerable IIS servers, it attempts to exploit the
> > Unicode hole (bid 1806) and the escaped characters decoding command
> > execution vulnerability (bid 2708). It also attempts to access the system
> > via the root.exe backdoor left by Code Red II. Once it finds a vulnerable
> > IIS server, it installs itself in such a way that visitors to the
> > now-infected web site will be sent a copy of a .eml file, which is a copy
> > of the e-mail that gets sent. If the victim is using Internet Explorer as
> > their browser, and they are vulnerable to the hole, they will execute the
> > readme.exe attachment in the same way as if they had viewed an infected
> > e-mail message.
> >
> > Attack Data:
> >
> > Examination of the worm reveals the following attack strings used to
> > exploit IIS Web servers.
> >
> > '/scripts/..%255c..'
> > '/_vti_bin/..%255c../..%255c../..%255c..'
> > '/_mem_bin/..%255c../..%255c../..%255c..'
> > '/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
> > '/scripts/..%c1%1c..'
> > '/scripts/..%c0%2f..'
> > '/scripts/..%c0%af..'
> > '/scripts/..%c1%9c..'
> > '/scripts/..%%35%63..'
> > '/scripts/..%%35c..'
> > '/scripts/..%25%35%63..'
> > '/scripts/..%252f..'
> >
> > To those strings are added /winnt/system32/cmd.exe?/c+dir
> >
> > Other attacks include:
> >
> > '/scripts/root.exe?/c+dir'
> > '/MSADC/root.exe?/c+dir'
> >
> > It is believed that all of the vulnerabilities exploited by this worm are
> > known.
> >
> > The links below provide fix information. Administrators and users are
> > advised to apply patches as soon as possible. If further analysis
> > concludes that other vulnerabilities are involved, updated information
> > will be posted to the list.
> >
> > See:
> >
> > Bugtraq ID: 2524 / CVE ID: CAN-2001-0154
> > Microsoft Security Bulletin MS01-020
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
> > VulDB: http://www.securityfocus.com/bid/2524
> >
> > Bugtraq ID: 2708 / CVE ID: CAN-2001-0333
> > Microsoft Security Bulletin MS01-026
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
> > VulDB: http://www.securityfocus.com/bid/2708
> >
> > Bugtraq ID: 1806 / CVE ID: CVE-2000-0884
> > Microsoft Security Bulletin MS00-078
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
> > http://www.securityfocus.com/bid/1806
> >
> > Microsoft IIS Lockdown Tool:
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp
> >
> > References:
> > Symantec W32.Nimda.A@mm
> > http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
> > McAfee W32/Nimda@MM
> > http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
> > Sophos W32/Nimda-A
> > http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
> >
> > For discussion of infection or attack attempts, subscribe to the INCIDENTS
> > mailing list. For discussion of the worm itself and others, FORENSICS and
> > FOCUS-VIRUS are more appropriate than BUGTRAQ.
> >
> > ---
> > Dave Ahmad
> > Security Focus
> > www.securityfocus.com
> >
> > -------------------------------------------------------
> > To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
> > For additional commands, e-mail: suse-security-help@suse.com
> > -------------------------------------------------------
>
> --
> <http://www.dodin.net> <mailto:jdanield@dodin.net>
> WHO'S THAT GUY ? Help me find it
> Russia & South America help needed
> http://www.dodin.net/serge/index.html
>
> ---------------------------------------------------------------------
> Help for the list: <URL:mailto:linux-31-help@CULTe.org>
> The CULTe on the web: <URL:http://www.CULTe.org/>
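Added example, not from the advisory or from any list member: a Python detector that resolves request paths the way the advisory's two IIS bugs did (overlong UTF-8 per MS00-078, double decoding per MS01-026) and labels Nimda-style probes found in web-server logs. It decodes generally rather than matching the quoted strings literally, so it also catches the spelling variants; the log lines, client addresses and verdict labels are constructed.

```python
import re
# Constructed Apache common-log lines carrying probe strings quoted in the
# advisory above, with the "/winnt/system32/cmd.exe?/c+dir" suffix it describes.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:09:12:01 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:09:12:02 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:09:12:03 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:09:15:44 +0200] "GET /index.html HTTP/1.1" 200 1234"""

LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) ')

def pct_decode(raw: bytes) -> bytes:
    """One pass of %XX decoding; a '%' not followed by two hex digits is kept."""
    return re.sub(rb"%([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)

def fold_overlong(raw: bytes) -> str:
    """Map overlong two-byte sequences IIS accepted (MS00-078), e.g. %c0%af -> '/',
    %c1%9c -> '\\', onto ASCII, then unify separators and case."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(raw[i]))
            i += 1
    return "".join(out).replace("\\", "/").lower()

def classify(path: str):
    """Resolve a path as unpatched IIS did (decode twice: MS01-026; fold
    overlong UTF-8: MS00-078) and name the technique, or None if benign."""
    once = pct_decode(path.encode("latin-1", "replace"))
    twice = pct_decode(once)
    resolved = fold_overlong(twice)
    if "root.exe" in resolved:           # Code Red II backdoor probe
        return "code-red-ii-backdoor"
    if "cmd.exe" not in resolved or "../" not in resolved:
        return None
    if any(b in (0xC0, 0xC1) for b in once):
        return "unicode-traversal (MS00-078)"
    if twice != once:                    # a second decode pass changed the path
        return "double-decode-traversal (MS01-026)"
    return "plain-traversal"

def scan(log_text: str):
    # Yield (client ip, request path, technique) for every attacking line.
    hits = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        if verdict := classify(m.group(2)):
            hits.append((m.group(1), m.group(2), verdict))
    return hits
```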