================================================
Subject: Virus Warning for Windows NT and 2000 running IIS Servers
From: "]\\[][G}{T§TÖ®]v["
To:
Date: Tue 7 Aug 2001 12:52:29 -0400
================================================

This one doesn't affect all of you, but I know that some only use the list while at work, and it is to these people that this warning is mostly directed...

-NightStorm

TAKEN FROM http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=CODERED.C

CODERED.C

Aliases: CODERED, HBC, W32/CodeRed.C
Risk rating: Medium
Destructive: N

Description:

This worm is similar to two variants of CodeRed (http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=CODERED.A) in that it also makes use of a remote buffer overflow vulnerability in Microsoft's Internet Information Server (IIS) that can give system-level privileges to an attacker. It drops a backdoor Trojan on an infected Web server, giving an attacker full access to this Web server and thereby compromising network security.

This worm poses no risk to Windows 95, 98, and ME users. Windows NT and 2000 users who do not have Microsoft's IIS Web Server installed are also at no risk. This worm only affects computers running Microsoft IIS that have not been patched with the Microsoft MS01-033 patch.

Solution:

1. Clean this worm from your system using Trend Micro's fix tool (http://www.antivirus.com/vinfo/security/fixcodec.zip). You may open a command prompt and execute this tool, or directly double-click the tool to execute it from your browser.

2. System administrators of Web servers using Microsoft Windows NT 4.0 or Windows 2000 should download and install Microsoft's MS01-033 patch (http://www.microsoft.com/technet/security/bulletin/MS01-033.asp) for the .IDA vulnerability.

3. To verify whether this IIS patch has been applied, you may run Trend Micro's free detection tool (http://www.antivirus.com/vinfo/security/detect_cr.exe).

4. To prevent infection, disconnect your Internet connection.

5. Apply the patch from Microsoft.

6. Delete all copies of ROOT.EXE located at the following paths:

   C:\INETPUB\SCRIPTS\ROOT.EXE
   C:\PROGRA~1\COMMON~1\SYSTEM\MSADC\ROOT.EXE
   D:\INETPUB\SCRIPTS\ROOT.EXE
   D:\PROGRA~1\COMMON~1\SYSTEM\MSADC\ROOT.EXE

7. Delete the Trojan file(s) dropped by CODERED.C by issuing the following commands:

   ATTRIB C:\EXPLORER.EXE -H -A -R
   DEL C:\EXPLORER.EXE
   ATTRIB D:\EXPLORER.EXE -H -A -R
   DEL D:\EXPLORER.EXE

8. If this does not work, it means that the Trojan is already resident in memory.

9. Reboot your computer.

10. To enable system file protection, reset to zero the following registry value:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

11. Remove or set to zero the following data located at HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots:

    /Scripts
    /msadc
    /c
    /d

12. Scan your system with Trend Micro antivirus and delete all files detected as CODERED.C and TROJ_CODERED.C. To do this, Trend Micro customers must download the latest pattern file (http://www.antivirus.com/download/pattern.asp) and scan their system. Other email users may use HouseCall (http://housecall.antivirus.com/), Trend Micro's free online virus scanner.

TECHNICAL DETAILS

In the wild: Yes
Trigger condition 1: Upon execution
Payload 1: Others (drops a backdoor Trojan on infected Web servers)
Detected by pattern file#: 923
Detected by scan engine#: 5.170
Language: English
Platform: Windows
Encrypted: No
Size of virus: 3,818 Bytes

Details:

This worm contains a download command that accesses the Indexing Service (IDA) Internet Server API filter with parameters greater than the allowed size, and arrives as packet data. The Internet Information Service (IIS) attempts to process the bulk of the data, which then causes a buffer overflow.
The data contains the preferred address used to replace the system instruction pointer during the overflow, as well as executable binary code also known as the shell code. The buffer overflow allows the execution of the shell code with system-level privilege. Information about this exploit is available at Microsoft TechNet (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp) and the eEye Digital Security site (http://www.eeye.com/html/Research/Advisories/AD20010618.html).

The binary data that is sent with this worm is designed to run only on Windows 2000 machines with the IIS Web server installed, because the value of the EIP that it overwrites works only in Windows 2000. It tends to crash machines running Windows NT.

The worm searches for the operating system's kernel, KERNEL32.DLL, in the memory region where the kernel image is known to reside. The worm then searches for the GetProcAddress API, and through it for the other APIs or functions it will later need for propagation. Aside from the kernel, the worm will need the following three libraries:

   WS2_32.DLL   - Winsock V 2.0
   ADVAPI32.DLL - for registry manipulations
   USER32.DLL   - for rebooting the computer and in order to function properly

The worm copies the %windir%\CMD.EXE file to the locations below, so that a copy exists on the system on both drives C:\ and/or D:\:

   C:\INETPUB\SCRIPTS\ROOT.EXE
   C:\PROGRA~1\COMMON~1\SYSTEM\MSADC\ROOT.EXE
   D:\INETPUB\SCRIPTS\ROOT.EXE
   D:\PROGRA~1\COMMON~1\SYSTEM\MSADC\ROOT.EXE

It then drops a backdoor Trojan, an EXPLORER.EXE file, which Trend Micro antivirus detects as TROJ_CODERED.C, in the root directory of the infected system's drive C:\ (C:\EXPLORER.EXE). The dropped file gives an attacker full access to the Web server. This method of dropping EXPLORER.EXE in the root directory of drive C:\ uses the Relative Shell Path Vulnerability, which causes C:\EXPLORER.EXE to be executed before the copy located in the Windows directory.
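Added example, not from the mailing-list post or Trend Micro's advisory: a small log scanner that flags, in IIS W3C extended log lines, the oversized .ida request the advisory describes and any later request for the ROOT.EXE copies or for the /C and /D virtual roots the worm creates. The log field order, the query-length threshold and the sample log lines are assumptions constructed for the example.

```python
"""Flag CODERED.C indicators in IIS W3C extended log lines.

Added example; not part of the mailing-list post or Trend Micro's advisory.
Assumed log field order: date time c-ip cs-method cs-uri-stem cs-uri-query
sc-status.  MAX_IDA_QUERY is an assumed threshold; the advisory only says
the .ida request carries "parameters greater than the allowed size".
"""
import re

MAX_IDA_QUERY = 200  # assumed; far longer than an ordinary Index Server query

# Web-visible forms of the ROOT.EXE copies and of the virtual roots the
# advisory lists (/Scripts, /MSADC, /C, /D), compared in lower case.
BACKDOOR_PATHS = ("/scripts/root.exe", "/msadc/root.exe")
WORM_VROOTS = ("/c/", "/d/")

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def parse(line):
    """Split one W3C line into fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return an indicator label for a parsed record, or None if it looks benign."""
    stem = rec["stem"].lower()
    query = "" if rec["query"] == "-" else rec["query"]
    if stem.endswith(".ida") and len(query) > MAX_IDA_QUERY:
        return "ida-overflow-attempt"   # the MS01-033 vector the advisory describes
    if stem in BACKDOOR_PATHS:
        return "root.exe-backdoor"      # a request for the copied CMD.EXE
    if stem.startswith(WORM_VROOTS):
        return "worm-virtual-root"      # /C and /D roots are added by the worm
    return None


def scan(lines):
    """Return (client-ip, indicator) pairs for every suspicious line."""
    hits = []
    for line in lines:
        rec = parse(line)
        label = classify(rec) if rec else None
        if label:
            hits.append((rec["ip"], label))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2001-08-07 12:52:29 10.0.0.5 GET /index.htm - 200",
    "2001-08-07 12:53:01 10.0.0.9 GET /default.ida " + "X" * 240 + " 200",
    "2001-08-07 12:55:10 10.0.0.9 GET /scripts/root.exe - 200",
    "2001-08-07 12:56:44 10.0.0.9 GET /d/temp.txt - 404",
]

if __name__ == "__main__":
    for ip, label in scan(SAMPLE_LOG):
        print(ip, label)
```

A hit on the second or third indicator means the host was already compromised, so the cleanup steps above (delete ROOT.EXE and EXPLORER.EXE, restore SFCDisable, remove the added virtual roots) apply, not just the patch.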
The worm also modifies the following registry entry to disable system file protection:

   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

It also creates the following registry entries:

   HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\
      /Scripts = %rootdir%\inetpub\scripts,,204
      /MSADC   = %rootdir%\program files\common files\system\msadc,,205
      /C       = C:\,,217
      /D       = D:\,,217

The worm's code also indicates that the worm checks whether the current system year is less than 2002 or whether the current system month is less than October. If the date is greater than these two, it reboots the computer, thereby removing the worm but not the Trojan on the system. However, the system can be infected again if the necessary patches are not applied.

To unsubscribe or change your preferences for the Creed-Discuss list, visit: http://www.winduplist.com/ls/discuss/form.asp