W32 Nimda Share Propagation 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

W32.Nimda.E@mm is a mass-mailing worm that utilizes multiple methods to spread itself.

Additional Information

The worm takes advantage of a vulnerability in Microsoft Internet Information Services (IIS) that could enable a remote user to execute arbitrary commands. This is due to the handling of CGI file name program requests.

By default, IIS performs two separate actions on CGI requests. The first action decodes the file name to determine the file type (i.e., .exe, .com, etc.) and the legitimacy of the file. IIS then carries out a security check. The final process decodes the CGI parameters, which determines whether the file will be processed or not.

The final process includes an undocumented third action. Not only does IIS identify the supplied CGI parameters, but it also decodes the CGI file name that was previously approved by the security check. Therefore, if a file name composed of escaped characters passes the security check, the second process will unescape the escaped characters contained in the file name, revealing the intended actions. Depending on what the escaped characters represent, varying actions may be performed. For example, '..%255c' represents '..\', so decoding '..%255c' to '..\' could enable directory traversal attacks.
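The decode, check, decode ordering described above can be reproduced in a few lines. This is an added Python sketch, not Symantec's or Microsoft's code: the function names and sample paths are constructed for illustration, and the hardened variant (decode to a fixed point, then check) is one common mitigation, not the vendor patch.

```python
from urllib.parse import unquote

def has_traversal(path: str) -> bool:
    """Security check: reject any '..' path segment, either slash style."""
    return ".." in path.replace("\\", "/").split("/")

def flawed_resolve(raw: str):
    """Ordering from the advisory: decode, check, then decode again."""
    once = unquote(raw)
    if has_traversal(once):
        return None               # stopped by the security check
    return unquote(once)          # second decode runs after the check

def canonicalize(raw: str, max_rounds: int = 5) -> str:
    """Decode repeatedly until the string stops changing."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    raise ValueError("too many encoding layers")

def hardened_resolve(raw: str):
    """Check the fully decoded form so nothing is decoded after the check."""
    try:
        final = canonicalize(raw)
    except ValueError:
        return None
    return None if has_traversal(final) else final

def is_multiply_encoded(raw: str) -> bool:
    """Log-review helper: the path still changes after one decode."""
    once = unquote(raw)
    return unquote(once) != once

# Constructed sample request paths (not taken from real traffic).
SAMPLES = [
    "/app/report%20final.txt",        # ordinary escaped space
    "/app/..%5cdata/report.txt",      # single-encoded backslash
    "/app/..%255cdata/report.txt",    # double-encoded backslash
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: flawed={flawed_resolve(s)!r} "
              f"hardened={hardened_resolve(s)!r} "
              f"multi={is_multiply_encoded(s)}")
```

Only the double-encoded sample gets past `flawed_resolve`, because the `..\` segment does not exist until after the check has run; `is_multiply_encoded` flags the same sample when applied to request paths in web server logs.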

The method by which this vulnerability is exploited could allow the execution of arbitrary commands.

It should be noted that these requests are fulfilled in the context of the IUSR_machinename account.

An attacker exploiting this vulnerability may be able to gain access to the host with these privileges. It may be possible for the attacker to gain further privileges and completely compromise the system from this point.

It has been reported that various encoding combinations under Windows 2000 Server and Professional may yield different outcomes.

It has also been reported that Personal Web Server 1.0 and 3.0 are vulnerable to this issue.

The worm Nimda (and its variants) actively exploits this vulnerability. Nimda sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS Web servers, and is a virus infecting both local files and files on remote network shares. The worm uses the Unicode Web Traversal exploit to spread to victims surfing an already infected Web server. If you visit a compromised Web server, you will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment. When the worm arrives by email, it uses a MIME exploit, allowing the virus to be executed just by reading or previewing the file.

Affected

  • Microsoft IIS 3.0, 4.0, 5.0
  • Microsoft Personal Web Server 1.0, 3.0

Response

Refer to the following link for more information about the worm itself and possible fix tools against it:
Symantec Write-up for W32.Nimda.A@mm

Patches are available for IIS.

For Microsoft IIS 4.0:
Microsoft Patch Q295534
http://download.microsoft.com/download/winntsp/Patch/q293826/NT4/EN-US/Q295534i.exe
Microsoft Patch Q295534
http://download.microsoft.com/download/winntsp/Patch/q293826/NT4/EN-US/Q295534is.exe

Install both IIS 4.0 patches.

For Microsoft IIS 5.0:
Microsoft Patch Q293826
http://download.microsoft.com/download/win2000platform/Patch/q293826/NT5/EN-US/Q293826_W2K_SP3_x86_en.EXE