Wednesday, September 23, 2009

Computer Virus-(NIMDA & ILOVEYOU VIRUS)

    1. NIMDA VIRUS

    · is a computer worm, and is also a file infector.
    · It quickly spread, eclipsing the economic damage caused by past outbreaks such as Code Red.
    · Multiple propagation vectors allowed becoming the Internet’s most widespread virus/worm within 22 minutes.
    · The worm was released on September 18, 2001. Due to the release date, some media quickly began speculating a link between the virus and Al Qaeda, though this theory ended up proving unfounded.
    · affected both user workstations (clients) running Windows 95, 98, Me, NT, 2000 or XP and servers running Windows NT and 2000.
    · The worm's name spelled backwards is "admin".F-Secure found the text[2] "Concept Virus(CV) V.5, Copyright(C)2001 R.P.China" in the Nimda code.
    · one of the more complex virus/worm constructs released.
    · It infects files, spreads itself via E-mail, spreads via Web sites, and spreads via local area network exploits.
    · It infects all versions of Windows from Win95 through Win2000 as well as Microsoft's IIS.
    · credited with several "firsts" in its infection techniques.
    · It is the first beast to infect .EXE files by embedding them into itself as a resource.
    · It also infects Web pages so unsecured browsers will infect upon viewing the Web page.
    · the first worm to use any user's computer to scan a network for vulnerable machines behind a firewall to attack (in the past only infected servers did that).

    Methods of infection
    uses five different infection     vectors:
    1) e-mail
    2) open network shares
    3) browsing of compromised web sites
    4) exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities. (Both Code Red, and Nimda were hugely successful exploiting well known and long solved vulnerabilities in the Microsoft IIS server.) via back doors left behind by the "Code Red II" and "sadmind/IIS" worms.

    Nimda uses these methods to spread:
    1) from client to client through E-mail and an infected .EXE file
    2) from client to client through open network shares
    3) from web server to client through browsing of compromised Web sites
    4) from client to Web server through active scanning for and exploitation of the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability
    5) from client to Web server through scanning for the back doors left behind by the "Code Red II" and "sadmind/IIS" worms.

    · File Infection

    In one mode, It acts like any standard file infector with a new twist. It searches for .EXE files and adds them to itself as a resource. When the .EXE file on a server downloads it then spread the beast. If the file is on a local computer, sharing that file can also spread the beast. When an infected file is run the worm extracts the original program and runs it. It attempts to delete this file after it finishes but cannot always do this. In that instance it creates WININIT.INI with commands to delete the file the next time Windows starts.

    Nimda finds .EXE files to infect by searching the keys
    1) [SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths],
    2) Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders], and all subkeys.
    3) trangely, WINZIP32.EXE is not infected.

    · E-mail Worm

    It searches your E-mail client address book(s) and HTML files on your computer for E-mail addresses and then sends itself to these addresses in an attached file. An E-mail from the worm comes as a "multipart/alternative" message with two sections. The first is defined as MIME type "text/html", but contains no text (the message appears empty).
    The second is defined as MIME type "audio/x-wav", but contains a base64-encoded attachment named README.EXE, which is a program. Many users can be tricked into opening such attachments and any mail software running on Windows that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML mail automatically runs the attachment and infects the machine. (both bad practices!). Nimda uses its own SMTP server to send E-mail messages.

    · Web Worm

    Using one of the known exploits listed above, It scans the Internet for Microsoft IIS Web servers. When a server is found, if it has open security holes, the worm enters and modifies random Web pages on the server (as well as .EXE files found on the server). The modifications allow the worm to spread to users simply browsing the infected site. To do this, it searches drives for .HTML, .ASP, and .HTM files. When found, it adds a small JavaScript snippet to the end of the files. This code opens a file named README.EML when loaded by a Web browser. README.EML is another form of the worm (MIME-encoded) deposited into directories where the .HTML file were found. Browsers not patched (see MIME exploit above) will automatically execute this file with no user input. Users will not see the worm running as it runs in a minimized window.

    · File Share Propagation

    Infected computers on a local network will search for other computers with open file shares. When found, it will transfer a hidden/system file (RICHED20.DLL) onto the other computer in any directory where .DOC or .EML files are found. After that, if any of these files are opened in Word, Wordpad, or Outlook the hidden RICHED20.DLL file will also be automatically executed. This will infect the that computer. It will try to replace the Windows RICHED20.DLL master file and will place .EML (and sometimes .NWS) files into folders it accesses.

    NIMDA RUNS IN EVERY PERSONAL COMPUTER
    Nimda usually shows up as a README.EXE attachment to an E-mail, but can show up as any .EXE file with over five characters in the rootname.
    1) first copies itself to a temporary directory with a random name of the form MEP*.TMP (where * represents random characters).
    2) It then runs itself from that folder using the command line option "-dontrunold").
    3) The first thing the launcher does when running is to see if it has enough resources to run the main worm.
    4) If so, it extracts itself from the infected .EXE file and executes. Using the current time and some arithmetic operations the worm determines if it can delete files from the temporary folder.
    5) Once that is done, the worm builds its primary infection tool: a MIME-encoded copy of itself and multi-part message that can be attached to.
    6) This latter is given a random name and stored in a temporary directory. Now it's ready to get to work.
    7) Nimda next looks for the process called "Explorer."
    8) it opens this process and assigns itself to a remote thread under Explorer.
    9) If that fails the worm uses API information to get needed information about the local computer. Then, it rests.
    10) When it wakes up Nimda checks to see what operating system it's running on.
    11) If NT-based, it compacts itself and copies itself out to LOAD.EXE in the Windows\System folder. The SYSTEM.INI file is then modified to start with the shell EXPLORER.EXE (as usual) but with "LOAD.EXE - dontrunold" as well. This assures the worm will run at each system start.
    12) the worm copies itself to RICHED20.DLL, also in the System folder, and sets the file to hidden and system.
    13) When this is already done Nimda looks for shared network resources and starts to scan files on remote computers. Here it's looking for .DOC and .EML files and, when found, RICHED20.DLL is copied to their directory so it will be run when an OLE component is needed on the remote computer.
    14) then starts the infection process on the remote computer.
    15) While looking around the remote computer Nimda also copies infected .EML and (sometimes) .NWS files with names similar to HTML files already found on that remote computer. These files can also infect the remote computer if accessed.
    16) Using the IP address of the infected computer, the worm searches for IIS servers to infect using a known backdoor (a patch is available, see the notes at the start of this page). The idea is that if the current computer is not properly protected then other local computers may not be as well so 50% of the probes (approximately) will be using near-by IP addresses.
    Some other things the worm does...
    1) It modifies the key [Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] so that hidden files are no longer seen. This hides the worm in Explorer.
    2) It adds the account "guest" to an infected system and gives it Administrator and Guests group priviledges. Using this it shares the C:\ drive with full access privileges.
    3) It deletes subkeys from the key [SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security] which effectively disables sharing security.

    2. I LOVE YOU VIRUS

    • was a computer worm that hit numerous computers in 2000, when it was sent as an attachment to an email message with the text "ILOVEYOU" in the subject line.
    • The worm arrived in e-mail boxes on May 4, 2000, with the simple subject of "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs".
    • Upon opening the attachment, the worm sent a copy of itself to everyone in the user's address list, posing as the user.
    • It also made a number of malicious changes to the user's system.
    • Such propagation mechanism had been well known (though in IBM mainframe rather than in the MS Windows environment) and used already in the Christmas Tree EXEC of 1987, which brought down a large fraction of the world's mainframes at the time.
    • The newly discovered "I Love You" virus that swept through banks, securities firms, and Web companies in the United States Thursday and later spawned copycat viruses has proved in large part to be more of an annoyance than a costly disruption of business.
    • The virus did cause damage, however, at companies that make heavy use of multimedia files, such as magazines and advertising agencies, because it overwrites picture files with "jpg" extensions and MP3 music files.
    • VBS/LoveLetter is a VB Script uses Microsoft outlook and Mirc clients to spread. It is spreading faster than Melissa virus. It causes heavy e-mail traffic and downs many mail servers. The new variant VBS/NewLove charges deadly payload and it will damage all files in the system.

    Two aspects of the worm made it effective:

    • It relied on social engineering to entice users to open the attachment and ensure its continued propagation.
    • It exploited the weakness of the email system design that an attached program could be run easily by simply opening the attachment; the underlying mechanism – VBScript – had not been exploited to such a degree previously to direct attention to its potential, thus the necessary layers of protection were not yet in place.

    CREATORS / MAKERS OF I LOVE YOU VIRUS

    • The alleged authors of the worm were reported to be Filipinos.
    • Siblings Irene and Onel de Guzman of Manila; Irene's boyfriend, Reomel Lamores, who was briefly held in May 2000 in connection with the worm outbreak; and Michael Buenafe, a fellow student of de Guzman at AMA.
    • Onel finally came forward but denied writing the worm, although he said he may have inadvertently been responsible for its release.
    • As there were no laws in the Philippines against malware-writing at the time, he was released and in August the prosecutors dropped all charges against him.
    • The original charges brought up against her dealt with the illegal use of passwords for credit card and bank transactions.
      Architecture of the Worm
    • The virus is written using Microsoft Visual Basic Scripting (VBS), and requires that the end-user run the script in order to deliver its payload.
    • It will add a set of registry keys to the Windows registry that will allow the malware to start up at every boot.
    • The worm will then search all drives which are connected to the infected computer and replace files with the extensions *.JPG, *.JPEG, *.VBS, *.VBE, *.JS, *.JSE, *.CSS, *.WSH, *.SCT, *.DOC *.HTA with copies of itself, while appending to the file name a .VBS. extension.
    • The worm will also locate *.MP3 and *.MP2 files, and when found, make the files hidden, copy itself with the same filename and append a .VBS extension.
    • The worm propagates by sending out copies of itself to all entries in the Microsoft Outlook address book.
    • It also has an additional component, in which it will download and execute an infected program called variously "WIN-BUGSFIX.EXE" or "Microsoftv25.exe".
    • This is a password-stealing program which will e-mail cached passwords.

    Effects

    • The worm began in the Philippines on May 4, 2000, and spread across the world in one day (traveling from Hong-Kong to Europe to the United States), causing about $5.5 billion in damage.
    • By 13 May 2000, 50 million infections had been reported.
    • Most of the "damage" was the labor of getting rid of the worm.
    • The Pentagon, CIA, and the British Parliament had to shut down their e-mail systems to get rid of the worm, as did most large corporations.
    • This particular malware caused widespread damage.
    • The worm overwrote important files, as well as music, multimedia and more, with a copy of itself.
    • It also sent the worm to everyone on a user's contact list.
    • Because it was written in Visual Basic Script, this particular worm only affected computers running the Microsoft Windows operating system. While any other computer accessing e-mail could receive an "ILOVEYOU" e-mail, only Microsoft Windows systems would be infected.

    How I love you Virus spreading out?

    • Its massive spread moved westward arrived in the offices in a messages form or because the worm used mailing lists as its source of targets, the messages often appeared to come from an acquaintance and might be considered "safe", providing further incentive to open them. All it took was a few users at each site to access the VBS attachment to generate the thousands and thousands of e-mails that would cripple e-mail systems under their weight, not to mention overwrite thousands of files on workstations and accessible servers.

    TO BE CONTINUE...........

    Posted by at

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)