From: John Ives (jives@uclink4.berkeley.edu)
Date: Wed Sep 19 2001 - 23:29:13 PDT
Not to speak for SNS, but I'd say the answer should be yes. Finding
root.exe means that your system had been opened up to many other
attacks. In essence root.exe is a command prompt on your server with
access by anyone on the Internet.
There are two relevant cautions Microsoft makes about the
CodeRedCleanup.exe tool at
http://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp
(BTW: the use of caps is Microsoft's idea, not mine)
"IF THE WORM HAS INFECTED YOUR SYSTEM, YOUR SYSTEM HAS BEEN OPENED TO
ADDITIONAL FORMS OF ATTACK. THIS TOOL ONLY ELIMINATES THE DIRECT EFFECTS OF
THE WORM – IT DOES NOT ELIMINATE ANY ADDITIONAL DAMAGE THAT OTHER ATTACKS
MAY HAVE CAUSED WHILE YOUR SERVER WAS INFECTED.
"WHILE THIS TOOL IS USEFUL IN ELIMINATING THE EFFECTS OF THE CODE RED II
WORM ON INTERNAL SERVERS THAT ARE PROTECTED FROM THE INTERNET BY A ROUTER
OR FIREWALL, MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS BE
REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE. IN
ADDITION, ANY OTHER SERVERS THAT ARE JUDGED TO HAVE BEEN PUT AT RISK BY
THEIR PROXIMITY TO INFECTED SERVERS SHOULD ALSO BE REBUILT RATHER THAN
BEING PLACED BACK INTO SERVICE."
Yours,
John Ives
At 10:36 PM 9/19/2001 -0700, International & Area Studies wrote:
>After updates are applied, is there anything else we should do? McAfee
>is catching and deleting the Nimda virus on one of our servers. I did
>find the root.exe on the same server. I used the Code Red cleanup utility
>to erase it. It can be found at the following site...
>http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31878
>(If you do this, be sure to restart WWW Publishing Services afterwards)
>Does this mean I should still rebuild the whole system?
>Thanks for the info.
>BG
>
>At 11:41 AM 9/19/01 -0700, Sherry M. Rogers wrote:
>
>
>> ALERT: NIMDA Worm
>>
>>The "Nimda Worm" was released yesterday, September 18, and has spread
>>aggressively through the Internet using multiple mechanisms. Its ultimate
>>purpose seems to be to create an Internet-wide Denial of Service by
>>consuming network bandwidth.
>>
>>When a host is infected, however, so many files are changed that it needs
>>to be rebuilt from secure media (CD).
>>
>>Details about the Nimda Worm can be found at:
>> http://www.cert.org/advisories/CA-2001-26.html or at
>> http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
>>
>>
>>=> The Nimda worm has the potential to affect both user workstations
>> (clients) running Windows 95, 98, ME, NT, or 2000 and servers running
>> Windows NT and 2000.
>>
>>=> It can spread:
>>
>> * from client to client via email
>>
>> * from client to client via open network shares
>>
>> * from web server to client via browsing of compromised web sites
>>
>> * from client to web server via active scanning for and exploitation
>> of the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability
>> (VU #111677)
>>
>> * from client to web server via scanning for the back doors left
>> behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS"
>> (CA-2001-11) worms
>>
>>
>>=> Prevention Measures: End Users
>>
>> * update your virus software with latest code: see links below
>>
>> * do not open any unknown or unexpected email attachments,
>> particularly anything entitled README.exe
>>
>> * do not use Internet Explorer (IE) to read email unless it has been
>> patched (without the patch the attachment will automatically
>> be run):
>> http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
>>
>> * do not use Outlook Express to read email - it has been reported
>> that it will automatically execute the code on preview
>>
>> * Disable JavaScript before browsing the Web
>>
>>
>>=> Prevention Measures: System Administrators:
>>
>> * make sure all IIS maintenance has been applied:
>> http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
>>
>> * apply patch for the IE vulnerability:
>> http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
>>
>> * disconnect any infected machines immediately
>>
>> * to determine if your system has been compromised, look
>> for the following:
>>
>> - root.exe artifact (indicates a compromise by Code Red II
>> or sadmind/IIS worms making the system vulnerable to the Nimda
>> worm)
>>
>> - admin.dll artifact or unexpected .eml files in the directories
>> with web content (indicates compromise by the Nimda worm)
>>
>>
>>Antivirus Vendor Information
>>
>> Central Command, Inc.
>> http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010918-000005
>>
>> Command Software Systems
>> http://www.commandsoftware.com/virus/nimda.html
>>
>> Data Fellows Corp
>> http://www.datafellows.com/v-descs/nimda.shtml
>>
>> McAfee
>> http://vil.mcafee.com/dispVirus.asp?virus_k=99209&
>>
>> Sophos
>> http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
>>
>> Symantec
>> http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
>>
>> Trend Micro
>> http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
>>
>> http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
>>
>> You may wish to visit the CERT/CC's computer virus resources page
>> located at
>>
>> http://www.cert.org/other_sources/viruses.html
>>
>>
>>-System & Network Security
>>
>>-------------------------------------------------------------------------
>>Sherry M. Rogers, University of California, Berkeley
>>System & Network Security, phone (510) 642-7157
>>-------------------------------------------------------------------------
>>
>>------------------------------------------------------------------------
>>The following was automatically added to this message by the list server:
>>
>>For information about Micronet, its meetings and events, and its
>>mailing list, including information on subscribing and unsubscribing,
>>see the Micronet Web site at <http://wss.berkeley.edu/micronet/>.
>
>
>----------------------------------------------------------------------
>Computing Support Services, iascss@uclink.berkeley.edu
>International and Area Studies, voice: (510) 642-2522
>University of California, Berkeley, fax: (510) 642-9466
>http://www.ias.berkeley.edu
>----------------------------------------------------------------------
-------------------------------------------------
Systems Administrator
College of Chemistry
(510) 643-1033
Any opinions expressed are my own and not those of the Regents of the
University of California.
-----------------------------------------------------------------------
The following was automatically added to this message by the list server:
Webnet information is available at <URL:http://wss.berkeley.edu/webnet/>.
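The quoted SNS alert tells administrators to look for three artifacts in web-content directories: root.exe (the Code Red II / sadmind/IIS backdoor), admin.dll, and unexpected .eml files (both Nimda). The script below is an added example, not part of the thread or any vendor tool, that walks a list of web roots and reports those indicators. The directory names, the sample tree it builds, and the function names are assumptions; it deliberately builds a constructed tree in a temporary directory so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Artifacts named in the SNS/CERT alert above. Comparison is case-insensitive
# because Windows file systems are.
BACKDOOR_FILES = {"root.exe"}      # Code Red II / sadmind/IIS backdoor
NIMDA_FILES = {"admin.dll"}        # Nimda drops this into web content
NIMDA_SUFFIXES = {".eml"}          # Nimda litters web directories with .eml files


def scan_web_roots(roots):
    """Walk each web-content root and return sorted (indicator, path) pairs.

    A hit only says the artifact is present; per the alert, a root.exe hit means
    the host had an open backdoor and should be rebuilt rather than just cleaned.
    """
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(str(root)):
            for name in filenames:
                lower = name.lower()
                path = os.path.join(dirpath, name)
                if lower in BACKDOOR_FILES:
                    findings.append(("root.exe backdoor (Code Red II / sadmind/IIS)", path))
                elif lower in NIMDA_FILES:
                    findings.append(("admin.dll (Nimda)", path))
                elif os.path.splitext(lower)[1] in NIMDA_SUFFIXES:
                    findings.append(("unexpected .eml in web content (Nimda)", path))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree for demonstration only; contents are placeholders,
    not real worm files. Returns the base directory as a Path."""
    base = Path(tempfile.mkdtemp(prefix="nimda_demo_"))
    (base / "wwwroot").mkdir()
    (base / "scripts").mkdir()
    (base / "wwwroot" / "default.htm").write_text("<html>clean page</html>")
    (base / "wwwroot" / "readme.eml").write_bytes(b"constructed placeholder")
    (base / "wwwroot" / "Admin.dll").write_bytes(b"constructed placeholder")
    (base / "scripts" / "root.exe").write_bytes(b"constructed placeholder")
    return base


def main():
    # On a real IIS host you would pass the actual web-content and scripts
    # directories instead of the constructed tree (paths are an assumption).
    base = build_sample_tree()
    for indicator, path in scan_web_roots([base / "wwwroot", base / "scripts"]):
        print(f"{indicator}: {path}")


if __name__ == "__main__":
    main()
```

Running it against the constructed tree reports the three artifacts and ignores default.htm. The check is a quick triage aid only: as both John and the Microsoft text above say, finding root.exe means the server was open to anyone, so the answer is a rebuild from trusted media, not just deleting the file.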
This archive was generated by hypermail 2b29 : Wed Sep 19 2001 - 23:31:41 PDT