Nimda worm infects through email and web pages AUTOMATICALLY

Jose G. Perez jgperez at netzero.net
Thu Sep 20 14:55:10 MDT 2001


----- Original Message -----
From: "Louis Proyect" <lnp3 at panix.com>
To: <marxism at lists.panix.com>
Sent: Thursday, September 20, 2001 12:11 PM
Subject: Re: technical question

>>You never have to fear catching a virus if you simply read an email. The
only way to become infected is to double-click a file contained in the body
of the email. Watch out ESPECIALLY if the email is from somebody you don't
know.<<

*  *  *

    LOUIS's statement that a virus will not infect you computer unless you
open an email or attachment is out of date. THIS worm (Nimda) WILL infect
your computer if you a) go to an infected web page or b) allow Internet
Explorer to run the html and java scrip code infected pages contain in some
other way, like in the preview pane of microsoft outlook and outlook express
email programs. NO USER INTERACTION IS REQUIRED. INFECTION IS AUTOMATIC in
certain cases (it depends on just which versions of the programs involved
you have, security settings, and patches installed).

    It works like this:

    There is a bug in Microsoft Internet Explorer versions 5 and 5.5 that
will allow through javascript and windows scripting for an executable file,
i.e., the virus, to run. The file must be misrepresented to the browser as
being of a certain data type, and the default program for handling that file
needs to be a Microsoft program that can call on windows scripting.

    As I understand it, the Nimda worm places javascript within certain web
pages and html-formatted emails. Accessed on the web, the javascript
launches a new browser window which downloads and plays [or in the email
just plays] what the browser it told is a music file. This "music" file is
in fact an .exe program. When (at least certain versions of) windows media
player see that it has been given the wrong kind of file, it helpfully
passes the file on to windows to launch it, and it runs, infecting the
computer. AGAIN, THERE IS NO WARNING, NO DIALOGUE BOX, IT IS AUTOMATIC.

    This vulnerability has been known for some time, and patches have been
available for it through www.windowsupdate.microsoft.com. With patches
installed, media player will pop up and give you an error message (because
the file is not a media file, but an executable). Just because I'm paranoid,
I would recommend the media player dialogue and program be shut down by
pressing CTRL-ALT-DEL and force-closing the program, rather than pressing
cancel or anything else like that.

    Because this vulnerability depends on a chain of Microsoft program
"features" and bugs (it is not clear to me, for example, that REAL Java will
do this; I suspect you need the Microsoft-polluted "Virtual Machine" version
of Java), no practical way had been previously found to exploit it on a
truly large scale. Thus the common wisdom that only by executing an
attachment could you get an email infection. That wisdom, which Louis
repeats and which I'm sure I've also said here or elsewhere, is now OUT OF
DATE.

    This virus author has COMBINED an exploit of this vulnerability with
countless others, including the traditional "I love you"-type email spam
generator, Code Red type Microsoft web server-infection mechanisms, and it
even looks for the back doors left open by Code Red and Code Red II. For
that reason, even though any one mechanism may have been insufficient to
create an internet-wide epidemic, and infections would have remained
localized and died out, this outbreak is as virulent as they come. The only
consolation is that --so far-- no payload other than infecting other
computers has been discovered.

IF YOU HAVE RECEIVED AN HTML-FORMATTED BLANK EMAIL, OR AN EMAIL THAT POPPPED
UP A BROWSER WINDOW, OR IF YOU WENT TO A WEB SITE TO FIND IT BLANK, OR WITH
NONSENSE COMPUTER GOBBLEDYGOOD AS THE CONTENT OR TITLE YOU MAY WELL BE
INFECTED.

You should immediately obtain an antivirus program, from a file-sharing
network or (if you feel so compelled) from the manufacturer or a store.
(Norton I think has a 30-day free trial). Install it and also go to the
manufacturer's web site and get the latest virus definitions.

In theory the antivirus will clean your computer in many or all cases, but
mostly, it will help prevent reinfection while this virus is so virulently
active. But remember the antivirus generals ONLY fight YESTERDAY's wars:
most antivirus programs do NOTHING about new viruses UNTIL the programmers
have updated the virus definition files AND you have updated and installed
the new definitions.

In practice, what I would do is wipe every computer disk drive with program
files on it on the network completely blank, save drives with data files
ONLY,  and reinstall everything. Of course, I'm well set up to do that as I
keep several different partitions and do not allow ANY executables on data
or media partitions. The partititions WITH executables I have "ghosted" and
can restore in a few minutes, so I can easily wipe them clean from a DOS
boot. I just don't trust antivirus program claims.

This worm is an extremely aggressive replicator, spreading itself through no
fewer than 16 vulnerabilities just on microsoft web servers alone, in
addition to the ones found on typical end user computers. Moreover, it turns
end user computers into Code Red-type propagators of the worm on a lan and
on the internet. In many cases an infection will not activate until a
reboot. The files the virus places on other machines on a LAN and throughout
your hard drive are admin.dll and readme.exe, but it also adds viral code to
other program files, corrupting them. That is why, frankly, I would prefer a
reinstall to a Norton "cleaning."

Fortunately the payload is just that --replication-- as far as is known. If
it were to be discovered that it had some sort of additional data-corrupting
or other aggressive "attack" component, without doubt this would be
considered the worst Windows virus outbreak ever. BTW, there is no guarantee
that the virus doesn't carry or hasn't been programmed to retrieve and
execute such a payload at some point: with this virus on it, your computer
has been hijacked, the person(s) who authored the virus can use it for any
purpose whatsoever.

Please note that this is NOT an internet or computer worm in general, this a
MICROSOFT worm, people who use macs or linux boxes are totally free of
danger from this infection.

It is the direct result of Microsoft's campaign to monopolize the software
industry: to screw their competitors, they intimately tied in the browser,
media player, etc., into the Operating System, utilizing all sorts of
undocumented hooks and resources to make the programs work together in ways
that Microsoft's competitors had a hard time matching. This is what makes
possible things like email spam generating worms, web pages that infect your
computers with viruses, web servers that infect other web servers, Microsoft
Word macros that can erase all your files and so on.

Please note even if you use another browser, you may be vulnerable, because
they are just Internet Explorer in disguise (AOL versions 4-7 especially).
Opera, Netscape and Mozilla are not IE; Opera is its own browser and
Netscape is really Mozilla + a pretty shell. However countless programs,
including all the popular file sharing clients, use web page rendering
functionality from the Operating System in their user interfaces: in other
words, Internet Explorer. To what degree these "hidden" versions of IE share
the vulnerability of the full program I do not know. If you have Windows,
assume you're vulnerable.

José

PS: TO THOSE RUNNING MICROSOFT WEB SERVERS ON THEIR OWN:

If you are not sure your server is properly patched and not vulnerable to
this worm, please TAKE IT OFF LINE until you are sure the server has been
properly patched. Last I heard this required running a service pack or two
and some patches, and in a certain order, so if you don't recall having done
that, assume your machine is vulnerable.

Leaving vulnerable Microsoft servers on the Internet at this point is like
leaving pools of stagnant water where mosquitoes can breed lying around in a
country going through a Dengue epidemic. The socially responsible thing to
do is to make sure you are not contributing to spreading the infection.

As a practical matter, even with a small network, getting the infection on
one means getting the infection on ALL machihnes and you have to clean EVERY
MACHINE, so this should be a strong incentive to take your server down.






=======
PLEASE clip all extraneous text before replying to a message



More information about the Marxism mailing list