Nimda Virus

D-Day for Župca's haunted house was 18 September 2001.

I don't know how many of you caught the virus while browsing Župca.
I hope not many, and that you have already got rid of the nuisance.
We took Župca offline for a while to clean out the virus and to stop it spreading further.
To everyone who read that they had no access to Župca: I have to tell you that you did nothing to offend Župca, and Župca wasn't angry at you at all :).
We have apparently got rid of the virus and everything is back in order now.

I believe that all antivirus programs have updates for the Nimda A virus by now, but there are also standalone programs that rid you of this nuisance. One such program is antinimda.exe, which scans and cleans your computer.

You have probably already read and heard a lot about the NIMDA A virus in the various media, so I won't go to any special effort on this topic.
What matters is that you have the latest antivirus program and a new version of Explorer, because you can still catch Nimda on some internet page :)

Links:
http://24ur.com/naslovnica/znanostintehnika/20010919_52628.php
http://www.ealaddin.com/home/csrt/analysis.asp?virus_no=10087

And this is the e-mail from InoculateIT Personal Edition Support:

Detection and cleaning for Win32.Nimda.A will be in virus update 1506 or higher. Please check our website for the latest virus update file.

A description of Win32.Nimda can be found below:

Win32.Nimda worm (also known as W32/Nimda@MM)
Nimda.A is an Internet worm spreading via a number of different methods and exploiting several known vulnerabilities in Internet Explorer and IIS systems. It also works as a file virus, infecting Win32 Portable Executable programs as well as files with the extensions html, htm and asp.

This worm may enter a system in the following ways:

via an HTML e-mail with a specifically constructed MIME header;
by visiting a Web site hosted on an infected system;
via open network shares;
via unpatched IIS systems (both 4.0 and 5.0).
When a user views an HTML e-mail carrying the worm or visits an infected Web site, Internet Explorer may launch the attached program, executing the Nimda.A code (from the program readme.exe). This is due to the "Incorrect MIME Header" vulnerability in Microsoft Internet Explorer 5.01 and 5.5. For a detailed description of this security hole and links to the appropriate patches please visit:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp


The worm may also exploit the following HTTP security loopholes in systems
running Microsoft IIS:

Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
The worm finds vulnerable Internet Servers via randomly selected IP addresses. The address generation and scanning is performed by the process named mmc.exe (the file mmc.exe is overwritten by the worm with its own copy). Users of affected Win NT/2000 systems may experience a significant deterioration of their system performance when the mmc.exe process is running. Additionally the worm copies itself as Admin.dll to the root directories of all accessible drives (the worm marks Admin.dll as a true DLL).

Once the worm gets access to a victim machine's files it searches all directories and infects htm, asp and html files by adding one line of JavaScript code. In every directory with successfully infected files the worm drops its own code in MIME format as readme.eml or readme.nws.
The worm is executed from within these MIME files when an infected htm* or asp file is opened.

The worm infects Win32 PE programs (except Winzip32.exe) by prepending its code and modifying its resources so that the infected programs use the same icons as the original programs.

On affected Win9x systems in order to run on the next reboot the worm copies itself as load.exe into the Windows System directory and modifies the system.ini file:

Shell=explorer.exe load.exe -dontrunold

Nimda.A may also copy itself under the name used by one of the legitimate Microsoft libraries: riched20.dll.

Note: In order to avoid infection by browsing infected web pages Active Scripting can be disabled in Internet Explorer.


Detection for this virus/worm has been added to the following virus engine/virus signature combination. Install this update or later to ensure protection:

CA Antivirus Solution                           Engine/Signature
InocuLAN / InoculateIT 4.x                      28.06
eTrust InoculateIT 6.0 / eTrust Antivirus 6.0   23.46.06
eTrust EZ Antivirus / IPE                       5.3/1502
VET                                             10.3/1502

Instructions for manual cleaning of Win32.Nimda.A infection.
Cleaning details (for experienced IT professionals)

Before proceeding with the cleaning process please read the following instructions very carefully.

Caution: Please note that these instructions have been developed to assist experienced IT professionals who have considerable knowledge of and experience using the operating systems affected by this virus. We recommend that extreme care be exercised when making any amendments to the registry and strongly suggest that you create a backup of your registry settings before commencing.

Ensure the network is unreachable (unplug the network cable, or remove or suspend the network drivers).
Scan all available drives thoroughly for infected executables and any remains of the worm using the latest signature updates of InoculateIT.
Make sure that all files are scanned regardless of the extension.
Ensure all files which were detected with the worm but marked unclean are renamed and quarantined in a separate directory.
Stop the following processes (which are indicative of the worm): MMC.EXE, LOAD.EXE, README.EXE, MEP*.TMP.EXE
Search for and delete the following list of files (should they have not been deleted by your Antivirus scanner):
MMC.EXE found in Windows directory
LOAD.EXE found in Windows system directory
ADMIN.DLL located in the root folder of all local hard drives
RICHED20.DLL, which could be found in any folder on all local hard drives.
Check that any files with extensions .eml and .nws found containing the worm are deleted.
Restore a clean RICHED20.DLL file to \Windows\System\ or \WinNT\System32\ folder.
Note: This is a legitimate Microsoft DLL used by applications such as Microsoft Word that incorporate the Rich Text format.

Confirm that SYSTEM.INI file in your Windows directory has "shell=explorer.exe" string instead of "shell=explorer.exe load.exe -dontrunold".
Delete all files with .TMP extensions from your local temporary folder.
Ensure that all the shares on the specified computer have the correct access rights. The worm attempts to change to low security levels making these hidden shares accessible to everyone. Verify all default shares *$.
Check the following registry security settings for modifications:

SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$-Z$]

On Win2000:

SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security


Remove Guest account and renew it with correct access rights and group placement (Guest account should not be in Administrators group).
Ensure *.htm *.html *.asp files do not reference readme.eml or readme.nws file within their respective code - the following line is appended:

<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>

Restore the network connections and reboot the system.


Simon Austin
Systems Engineer
InoculateIT Personal Edition Support
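As an added example (not part of the support e-mail above or of the original page), the following Python check illustrates the MIME-header problem the e-mail describes from the defender's side: a mail client that trusts the declared Content-Type over the real content can be tricked, so a gateway or scanner should compare the two. The code parses a message and flags any part whose payload starts with the "MZ" header of a Windows executable while its declared type is audio, image, video or text, or whose attachment name has an executable extension. The sample messages, the audio content type and the readme.exe file name in them are constructed here; the function names are my own.

```python
"""Flag mail attachments whose declared media type disagrees with an executable payload."""
import email
from email import policy
from email.message import EmailMessage

# Declared types that should never carry a Windows executable.
NON_EXECUTABLE_PREFIXES = ("audio/", "image/", "video/", "text/")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".pif", ".com", ".bat")


def suspicious_parts(raw_message: bytes) -> list:
    """Return one finding per MIME part that looks like a disguised executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        reasons = []
        # "MZ" is the DOS/PE header every Windows executable begins with.
        if payload.startswith(b"MZ") and ctype.startswith(NON_EXECUTABLE_PREFIXES):
            reasons.append(f"PE header inside a part declared as {ctype}")
        if filename.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"executable attachment name: {filename}")
        if reasons:
            findings.append({"filename": filename, "content_type": ctype, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: an HTML mail carrying a fake PE declared as audio."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("<html><body>hello</body></html>", subtype="html")
    fake_pe = b"MZ" + b"\x00" * 62  # header magic plus padding; not a real program
    msg.add_attachment(fake_pe, maintype="audio", subtype="x-wav", filename="readme.exe")
    return msg.as_bytes()


def build_clean_message() -> bytes:
    """Constructed sample: an HTML mail with an image attachment that is what it claims."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "constructed clean sample"
    msg.set_content("<html><body>hello</body></html>", subtype="html")
    png_magic = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8  # PNG signature plus padding
    msg.add_attachment(png_magic, maintype="image", subtype="png", filename="photo.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in suspicious_parts(build_sample_message()):
        print(finding)
    print("clean message findings:", suspicious_parts(build_clean_message()))
```

The check looks at the decoded payload rather than the headers alone, which is the point: the declared type is attacker-controlled, the first bytes of the content are not.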

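Also added here, and not part of the e-mail or the page: a Python script that checks a directory tree for the host indicators named in the cleaning steps above, namely the one-line JavaScript footer appended to htm/html/asp files, dropped readme.eml, readme.nws, Admin.dll and load.exe files, copies of riched20.dll (listed for manual review, since the copy in the system folder is legitimate), and the modified Shell= line in system.ini. The sample tree it scans is constructed in a temporary directory with placeholder files; the function names and the regular expression are my own assumptions.

```python
"""Check a directory tree for the host indicators the cleaning steps list."""
import os
import re
import tempfile
from pathlib import Path

# The one-line JavaScript footer appended to web files; matched loosely so that
# differences in whitespace or quoting between copies do not hide it.
INFECTION_MARKER = re.compile(r'window\.open\(\s*"readme\.(?:eml|nws)"', re.IGNORECASE)
DROPPED_NAMES = {"readme.eml", "readme.nws", "admin.dll", "load.exe"}
WEB_EXTENSIONS = {".htm", ".html", ".asp"}
CLEAN_SHELL_LINE = "shell=explorer.exe"


def check_system_ini(path: Path) -> dict:
    """Return the Shell= line from system.ini and whether it is the clean value."""
    shell = None
    for line in path.read_text(errors="replace").splitlines():
        if line.strip().lower().startswith("shell="):
            shell = line.strip()
    return {"shell": shell, "clean": shell is not None and shell.lower() == CLEAN_SHELL_LINE}


def scan_tree(root: Path) -> dict:
    """Walk root and collect paths matching the indicators (relative, POSIX-style)."""
    findings = {"infected_web_files": [], "dropped_files": [], "riched20_copies": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            lower = name.lower()
            if lower in DROPPED_NAMES:
                findings["dropped_files"].append(rel)
            elif lower == "riched20.dll":
                # Legitimate in the system folder; any other copy deserves a look.
                findings["riched20_copies"].append(rel)
            elif path.suffix.lower() in WEB_EXTENSIONS:
                if INFECTION_MARKER.search(path.read_text(errors="replace")):
                    findings["infected_web_files"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree(base: Path) -> Path:
    """Constructed sample volume for this example; every file is a harmless placeholder."""
    (base / "site").mkdir(parents=True, exist_ok=True)
    (base / "site" / "index.htm").write_text(
        "<html><body>hello</body></html>\n"
        '<html><script language="JavaScript">window.open("readme.eml", null, '
        '"resizable=no,top=6000,left=6000")</script></html>\n'
    )
    (base / "site" / "about.html").write_text("<html><body>clean page</body></html>\n")
    (base / "site" / "readme.eml").write_text("constructed placeholder, not a real MIME file\n")
    (base / "site" / "riched20.dll").write_text("constructed placeholder\n")
    (base / "Admin.dll").write_text("constructed placeholder\n")
    (base / "Windows").mkdir(exist_ok=True)
    (base / "Windows" / "system.ini").write_text(
        "[boot]\nshell=explorer.exe load.exe -dontrunold\n"
    )
    return base


def run_demo() -> dict:
    """Build the constructed sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(Path(tmp))
        result = scan_tree(base)
        result["system_ini"] = check_system_ini(base / "Windows" / "system.ini")
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

On a real volume you would call scan_tree on the drive root and check_system_ini on the Windows directory; the script only reports, so the delete, quarantine and restore decisions stay with the person following the steps.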

If anything is unclear and you would like more information, ask me a question in the forum or write directly to vebmojstr@zupca.net.

Bogdan Renko