[connect24h:04711] Re: How to remove Nimda
- To: connect24h@xxxxxxxxxxxxxxxxxxxx
- Subject: [connect24h:04711] Re: How to remove Nimda
- From: Koga Youichirou <y-koga@xxxxxxxxxxxxxxxx>
- Date: Thu, 20 Sep 2001 10:40:05 +0900 (JST)
"HATO Kunio" <hato@xxxxxxxxxxxxxxxx>:
> If a PC has been infected with Nimda, is there a way to disinfect it with the
> infected PC disconnected from the network?
I don't know whether it's reliable, but the following was posted on the incidents ML.
For your reference.
# AV: that's "anti virus".
> Message-Id: <50D01D71BB8CD411AD850000D11B4B45B1CA63@xxxxxxxxxxxxxxxxxxxxxx>
> Subject: NIMDA Removal
> From: Isherwood Jeff C Contr AFRL/IFOSS <Jeffrey.Isherwood@xxxxxxxxx>
> To: incidents@xxxxxxxxxxxxxxxxx
> Cc: vuln-dev@xxxxxxxxxxxxxxxxx
> Date: Wed, 19 Sep 2001 10:48:15 -0400
>
> Now that everyone has had a chance to look at it (I'm sure many folks
> captured live copies of this bugger).
>
> AV Sites around the world are coming out with tools to fix and remove it. I
> hate those tools.
>
> Sat down and went over everything this one does, based on the live sample
> and data on the list, as well as a few contributions from other sources. I
> think I've got it all down now.
>
> Did I miss anything?
- snip -
> Removal:
>
> Step 1) Clean up your registry keys; since it reg-hacks to hide itself, make sure you do this one FIRST.
> The worm adjusts the properties of Windows Explorer: it accesses the following keys and changes them to affect the system's ability to show hidden files (mostly Win2K & ME), so infected files will not be seen in Explorer.
>
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
>
> Registry key values are created/changed to hide files:
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
>
> The worm tries to create this key:
> [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]
>
> The worm also deletes all subkeys from this key to disable sharing security:
> [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security]
> [HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\lanmanserver\Share\Security]
>
> Step 2) Remove "loader" settings to disable autorun on boot.
> It modifies the SYSTEM.INI file in order to activate itself on every startup,
> remove this line from SYSTEM.INI file and reboot the computer:
> [boot]
> shell=explorer.exe load.exe -dontrunold
>
> Step 3) Remove the payload files. When executed, the virus copies itself into several of the Windows system directories. These files have the system and hidden attributes set. It will overwrite any original files if they already exist.
> Delete all the "worm dropping" files (original files which have been overwritten should be restored from backup):
> MMC.EXE (in Windows directory, MS Mgmt Console - looks like worm can overwrite this file)
> LOAD.EXE (in Windows' system directory)
> RICHED20.DLL (in Windows' system directory)
> ADMIN.DLL (in root folder of all local hard drives C:\, D:\, and E:\ etc...)
> WININIT.INI (in Windows directory)
> Also scan all local hard drives for any hidden RICHED20.DLL files and delete them.
> Put a clean RICHED20.DLL back in the system32 folder.
>
> The worm also copies itself to the Temporary directory with random MEP*.TMP and MA*.TMP.EXE names, for example:
> mep01A2.TMP
> p1A0.TMP.exe
> pE002.TMP.exe
> pE003.TMP.exe
> pE004.TMP
> README.EXE
> root.exe
>
> To be safe, delete all files with .TMP extension from your local temporary directories:
> \Temp\
> \Windows\Temp\
> \documents and settings\username\local settings\temp
>
> (from f-secure)
> The worm enumerates shared network resources and recursively scans files on remote systems. If the worm finds an .EXE file on a remote system, it reads the file, deletes it and then writes a new file where the worm body is placed first and the original EXE file is present as a resource. Later, when this affected file is run, the worm will extract the EXE file resource and run it. The worm checks the file name for 'WinZip32.exe' and doesn't affect this file if it is found.
>
> The worm accesses the [SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths] key, reads subkeys from there and affects all files listed in the subkeys the same way it affects remote EXE files (see above). The worm doesn't only infect the WinZip32.exe file. Also, the worm reads the user's personal folders from the [Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] key and infects files in these folders as well.
>
> Step 4) REBOOT
>
> Step 5) Removing infected message files.
> Delete all .EML files generated by the virus.
> It creates .EML (mostly) or .NWS (occasionally) files with randomly selected names.
>
> Step 6) Fixing Winzip
> Completely REMOVE WINZIP from the system and Re-install after reboot.
>
> Step 7) Cleaning the HTML Files.
> Check all *.HTML, *.ASP, and *.HTM as well as files that have 'DEFAULT',
> 'INDEX', 'MAIN' and 'README' words in their filenames for the small JavaScript
> code referring to README.EML file and remove it or restore the affected files
> from a backup. This JavaScript code is located at the very end of affected files.
>
> Search for file types above containing readme.eml, but pay close attention to the following default file names:
> index.html
> index.htm
> index.asp
> readme.html
> readme.htm
> readme.asp
> main.html
> main.htm
> main.asp
> default.html
> default.htm
> default.asp
>
> Step 8) Removing Admin rights from GUEST.
> Check if the GUEST account is in the ADMINISTRATORS group; if yes, remove it from the group.
>
> Step 9) Fixing Shares.
> Check the sharing of the local disks & remove unnecessary shares; the virus enables
> admin shares on infected systems. To be safe, remove all shares from all local hard
> drives and renew these shares with correct access rights if needed. This needs to be
> done because the worm affects share security. Check especially the \\localhost\c$ share rights.
>
> Step 10) FIX THAT HOLE.
> Apply the MS patches.
> Internet Explorer 5.01: http://www.microsoft.com/windows/ie/download/critical/q295106/default.asp
> Internet Explorer 5.5: http://www.microsoft.com/windows/ie/download/critical/q299618/default.asp
>
> Microsoft IIS 4.0: http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
> Microsoft IIS 5.0: http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
>
> In-Reply-To: <50D01D71BB8CD411AD850000D11B4B45B1CA63@xxxxxxxxxxxxxxxxxxxxxx>
> Message-Id: <Pine.LNX.4.33.0109191902430.362-100000@xxxxxxxxxxxxxxxxxxxxxxx>
> Subject: Re: NIMDA Removal
> From: Johannes Verelst <johannes@xxxxxxxxxxx>
> To: Isherwood Jeff C Contr AFRL/IFOSS <Jeffrey.Isherwood@xxxxxxxxx>
> Cc: <incidents@xxxxxxxxxxxxxxxxx>, <vuln-dev@xxxxxxxxxxxxxxxxx>
> Date: Wed, 19 Sep 2001 19:04:42 +0200 (MEST)
>
> On Wed, 19 Sep 2001, Isherwood Jeff C Contr AFRL/IFOSS wrote:
> > Now that everyone has had a chance to look at it (I'm sure many folks
> > captured live copies of this bugger).
>
> You say the following in your advisory:
>
> Search for file types above containing readme.eml, but pay close
> attention to the following default file names:
> index.html
> index.htm
> ...
>
> On our systems (web development machines with hundreds of HTML/ASP pages)
> all the files were infected, so EDIT ALL YOUR ASP/HTML FILES!!!!!
>
> Yes, I must stress this once again:
>
> EDIT ALL YOUR ASP/HTML FILES!!!!!
>
> You can use the Microsoft 'find' function to find all files that have the
> string 'readme.eml' in them to find all infected HTML/ASP files.
>
> Kind regards,
>
> Johannes Verelst
> --
> Unix is simple. It just takes a genius to understand its simplicity
>
>
----
こがよういちろう
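As an added example (it is not part of the original mail, nor Isherwood's or F-Secure's code), the following Python script turns the file-based indicators of Steps 2, 3 and 5 into a repeatable check: it parses the [boot] shell= line of SYSTEM.INI and rewrites it to plain explorer.exe, sweeps the places where the post says LOAD.EXE, ADMIN.DLL, WININIT.INI and MMC.EXE are dropped, lists *.TMP / *.TMP.EXE copies in the temp directories, and walks the drive roots for .EML/.NWS mail drops and stray RICHED20.DLL copies outside the system directory. Python is used so the logic can run and be tested offline rather than by hand on a 2001 Windows box. The indicator labels, the directory layout, the SYSTEM.INI contents and every file in the demo are constructed from the post's descriptions; the one design choice not in the post is that MMC.EXE and RICHED20.DLL hits are reported for restoration from clean media, since they are legitimate Windows files the worm overwrites.

```python
"""Added example: check the on-disk indicators from Steps 2, 3 and 5 of the
removal list and repair the SYSTEM.INI loader line."""
import os
import re
import tempfile

# Where the post says the worm drops files.  mmc.exe is a legitimate binary
# the worm overwrites: a hit means "restore from clean media", not "delete".
# riched20.dll is checked separately because a copy belongs in the system dir.
DROP_SITES = {
    "windows": {"mmc.exe", "wininit.ini"},
    "system": {"load.exe"},
    "root": {"admin.dll"},
}
MAIL_DROP_RE = re.compile(r"\.(eml|nws)$", re.IGNORECASE)
TEMP_DROP_RE = re.compile(r"\.tmp(\.exe)?$", re.IGNORECASE)

# Constructed SYSTEM.INI carrying the loader hook quoted in Step 2.
CONSTRUCTED_INI = ("[boot]\nshell=explorer.exe load.exe -dontrunold\n"
                   "[386Enh]\nEMMExclude=E000-EFFF\n")


def shell_entry(ini_text):
    """Return the raw value of shell= in the [boot] section, or None."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None


def shell_is_clean(ini_text):
    """True when shell= is absent or exactly explorer.exe; anything appended
    (the post's 'load.exe -dontrunold') is a loader hook."""
    value = shell_entry(ini_text)
    return value is None or value.lower().split() == ["explorer.exe"]


def fix_shell(ini_text):
    """Rewrite the [boot] shell= line to plain explorer.exe, keep the rest."""
    out, section = [], None
    for raw in ini_text.splitlines(keepends=True):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and line.split("=", 1)[0].strip().lower() == "shell":
            raw = "shell=explorer.exe" + ("\r\n" if raw.endswith("\r\n") else "\n")
        out.append(raw)
    return "".join(out)


def sweep(windows_dir, system_dir, drive_roots, temp_dirs):
    """Return (indicator, path) pairs; indicator names are this example's own."""
    findings = []
    sites = [("windows", windows_dir), ("system", system_dir)]
    sites += [("root", r) for r in drive_roots]
    for site, directory in sites:
        for name in DROP_SITES[site]:
            p = os.path.join(directory, name)
            if os.path.isfile(p):
                findings.append((f"dropped:{site}", p))
    for d in temp_dirs:
        for entry in (os.listdir(d) if os.path.isdir(d) else []):
            if TEMP_DROP_RE.search(entry):
                findings.append(("temp-drop", os.path.join(d, entry)))
    sys_n = os.path.normcase(os.path.abspath(system_dir))
    for root in drive_roots:
        for dirpath, _dirs, files in os.walk(root):
            here = os.path.normcase(os.path.abspath(dirpath))
            for name in files:
                if MAIL_DROP_RE.search(name):
                    findings.append(("mail-drop", os.path.join(dirpath, name)))
                elif name.lower() == "riched20.dll" and here != sys_n:
                    findings.append(("stray:riched20.dll", os.path.join(dirpath, name)))
    ini = os.path.join(windows_dir, "system.ini")
    if os.path.isfile(ini):
        with open(ini, encoding="latin-1") as fh:
            if not shell_is_clean(fh.read()):
                findings.append(("loader:system.ini", ini))
    return findings


def demo():
    """Constructed tree: windows dir with system32, one drive root holding a
    temp dir and a user folder.  Runs the sweep, fixes SYSTEM.INI, re-checks.
    Returns (sorted (indicator, basename) pairs, shell clean after fix)."""
    with tempfile.TemporaryDirectory() as tmp:
        win = os.path.join(tmp, "windows")
        sysdir = os.path.join(win, "system32")
        drive = os.path.join(tmp, "drive")
        temp, docs = os.path.join(drive, "temp"), os.path.join(drive, "docs")
        for d in (sysdir, temp, docs):
            os.makedirs(d)
        drops = [(win, "system.ini", CONSTRUCTED_INI), (sysdir, "load.exe", "x"),
                 (sysdir, "riched20.dll", "x"),   # expected location, not flagged
                 (drive, "admin.dll", "x"), (temp, "mep01A2.TMP", "x"),
                 (docs, "readme.eml", "x"), (docs, "riched20.dll", "x"),  # stray
                 (docs, "report.doc", "x")]
        for d, name, body in drops:
            with open(os.path.join(d, name), "w", encoding="latin-1") as fh:
                fh.write(body)
        found = sweep(win, sysdir, [drive], [temp])
        ini = os.path.join(win, "system.ini")
        with open(ini, encoding="latin-1") as fh:
            fixed = fix_shell(fh.read())
        with open(ini, "w", encoding="latin-1") as fh:
            fh.write(fixed)
        with open(ini, encoding="latin-1") as fh:
            clean_after = shell_is_clean(fh.read())
        return sorted((i, os.path.basename(p)) for i, p in found), clean_after


if __name__ == "__main__":
    for indicator, name in demo()[0]:
        print(indicator, name)
```

The sweep only reports; deleting is left to the operator because two of the names (MMC.EXE, RICHED20.DLL) are real system files and the post itself says overwritten originals must come back from backup.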
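For the HTML cleaning step and Verelst's insistence on editing ALL ASP/HTML files, here is an added example (not from the original thread) in Python: it walks a web root, picks files by the *.HTML/*.HTM/*.ASP extensions or by the DEFAULT/INDEX/MAIN/README name stems, detects a trailing script element that mentions readme.eml, reports the file and, when asked, strips the snippet while keeping the original as a .nimda.bak copy. The post does not quote the injected JavaScript, so the detection pattern is an assumption: it matches any final <script>...</script> whose body mentions readme.eml, optionally wrapped in <html>...</html>, at the very end of the file as the post describes. The sample page is constructed for the demo and includes a legitimate inline script to show that only the appended snippet is removed.

```python
"""Added example: find web files with a trailing Nimda-style <script> that
points at readme.eml, report them, and optionally strip the snippet."""
import os
import re
import tempfile

# Extensions and filename stems the post says to check.
WEB_EXTENSIONS = {".html", ".htm", ".asp"}
SUSPECT_STEMS = ("default", "index", "main", "readme")

# ASSUMPTION: the post only says "small JavaScript code referring to README.EML
# ... at the very end of affected files".  This pattern matches any final
# <script> element whose body mentions readme.eml, optionally wrapped in
# <html>...</html>, so it does not depend on the exact payload text.
INJECTED_RE = re.compile(
    r"(?:<html>\s*)?"                    # optional wrapper before the script
    r"<script\b[^>]*>"                   # opening tag with any attributes
    r"(?:(?!</script>).)*?readme\.eml"   # body mentions readme.eml ...
    r"(?:(?!</script>).)*?</script>"     # ... before its own closing tag
    r"\s*(?:</html>)?\s*$",              # optional closing wrapper, then EOF
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample page: a legitimate inline script that must survive,
# followed by an appended snippet modelled on the post's description.
CONSTRUCTED_INFECTED = (
    "<html><body><h1>Welcome</h1>\n"
    "<script>var x = 1;</script>\n"
    "</body></html>\n"
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>'
)


def is_candidate(path):
    """True for files the post says to check: web extensions, or any file whose
    name contains one of the suspect stems (e.g. README.TXT)."""
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    return ext in WEB_EXTENSIONS or any(s in stem for s in SUSPECT_STEMS)


def find_injection(text):
    """Return the injected snippet found at the end of `text`, or None."""
    m = INJECTED_RE.search(text)
    return m.group(0) if m else None


def clean_text(text):
    """Return (cleaned_text, was_infected); only the trailing snippet is cut."""
    m = INJECTED_RE.search(text)
    if not m:
        return text, False
    return text[: m.start()].rstrip() + "\n", True


def scan_tree(root, fix=False):
    """Walk `root` and return the paths of infected files.  With fix=True the
    snippet is stripped in place and the original kept as <name>.nimda.bak."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".nimda.bak") or not is_candidate(path):
                continue
            try:
                with open(path, "r", encoding="latin-1") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable: leave it for a manual look
            cleaned, infected = clean_text(text)
            if not infected:
                continue
            hits.append(path)
            if fix:
                os.replace(path, path + ".nimda.bak")
                with open(path, "w", encoding="latin-1") as fh:
                    fh.write(cleaned)
    return hits


def demo():
    """Constructed web root in a temp dir (one infected page, one clean page,
    one non-web file); runs the sweep with fix=True.
    Returns (sorted flagged basenames, contents of the cleaned page)."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = {
            "index.htm": CONSTRUCTED_INFECTED,
            "about.html": "<html><body>clean</body></html>\n",
            "notes.txt": "readme.eml mentioned in plain text, not a web file\n",
        }
        for name, body in pages.items():
            with open(os.path.join(tmp, name), "w", encoding="latin-1") as fh:
                fh.write(body)
        flagged = scan_tree(tmp, fix=True)
        with open(os.path.join(tmp, "index.htm"), encoding="latin-1") as fh:
            cleaned_page = fh.read()
        return sorted(os.path.basename(p) for p in flagged), cleaned_page


if __name__ == "__main__":
    names, page = demo()
    print("infected:", names)
    print(page)
```

Run it first without fix=True to get the list, diff a few .nimda.bak files against the cleaned versions, and only then let it rewrite; files are read as latin-1 so a stray byte cannot abort the whole sweep.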