Topic: NIMDA Worm

[David]

Well it wasn't pretty, but I think I got rid of the nimda on my network.
The lovely little thing about this virus/worm is that it doesn't matter if you have apache webserver or not. All it takes is one small visit to a website infected and bang, your it now.
It created over 2000 files each about 75K each of course, that used up HUGE about of diskspace.

Worm changes almost all html/asp/htm files and appends the following:

Hello World!

And like it or not, your screwed. Unless you have applied a MS patch which can be found at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp


Hope this helps others.


Found on a german website, fix for those running squid.(This was translated from German to English)
==================
Squid Proxy filters Nimda worm


The Nimda worm installed on stricken Web servers a file named " READ
ME eml " and builds JavaScript code into the web pages, which reload
this file.  If a surfer visits the stricken Web server, its Browser
loads this file and leads it with some versions of the InterNet
Explorer even ungefragt out.  In firm networks a pro XY server can
ensure that the dangerous file does not arrive at the computer of the
surfer.  The following entries in the configuration file " squid.conf
" the Web Proxies Squid cause that these files with the ending " eml "
blocks:  

# eml Files filter
acl worm urlpath_regex i \.eml$
http_access deny worm

[D.J.]

Could you provide detailed step by step instructions on modifying the squidGuard.conf file in E-Smith for inexperienced users like myself?

[David]

Really easy.
(Remove the quotes)

Go to : "/etc/e-smith/templates/etc/squid/squid.conf"

Edit the file called: "template-begin"
Using pico go down to the very bottom of the file add the following 3 lines:

# eml Files filter
acl worm urlpath_regex i \.eml$
http_access deny worm


Once thats done, save the file and exit.
Back at the commandline, enter the following: "service squid restart"

Thats it.

To verify that all has been added correctly do the following"

"pico /etc/squid/squid.conf"

Go down to the very bottom of the file and you should see your changes there.

If you have any other questions let me know.

[Allun]

David,

I have followed your instructions exactly above (thanks, btw - very helpful!) but i thought i'd be a smarty-pants and test the change by making a "test" nimda page. I made an html page with the script bits from your first post pasted into it, and just a blank txt file that the script called (i called it nimba.eml).

The thing is, when i go to that page in a client browser using the proxy, the script pops up the file "nimda.eml" and obviously just shows a blank screen because it's a blank txt file...but shouldnt the "page cannot be displayed" or similar error come up?

Thanks,


Allun

[David]

Thanks.

I haven't had time to fully test it myself, I spent the better part of last night running virus scans, then reboot then more scans. I THINK I finally got rid of it.

Anyways. I'll test it tonight doing the same as you did. BUT looking at my first email, I think somehow some of the HTML was stripped when I posted the first email.

So this time I'll repost it, but this time remove ALL of the "*" I'm placing them in to prevent this message board from stripping them out.

===============================
<*META name="postinfo" content="/scripts/postinfo.asp">
<*p>Hello World!<*/p>

<*html*><*/html>



==============================

Also here is a slight change for the squid filter.

# NIMDA Worm Filter
acl worm urlpath_regex -i .eml$
http_access deny worm

[David]

Ok I just checked and it looks like the correct html was left on the prevous email.
So go ahead and remove all of the **********

[Rob Hillis]

David wrote:

> Really easy.
> (Remove the quotes)

Can I make a couple of suggestions here?

> Go to : "/etc/e-smith/templates/etc/squid/squid.conf"
>
> Edit the file called: "template-begin"
> Using pico go down to the very bottom of the file add the
> following 3 lines:
>
> # eml Files filter
> acl worm urlpath_regex i \.eml$
> http_access deny worm

Probably better to add those three lines to their own file - something like 10worm, and possibly put this file in the /etc/e-smithe/templates-custom/etc/squid/squid.conf directory instead...

> Once thats done, save the file and exit.
> Back at the commandline, enter the following: "service squid
> restart"

You'd need to run /sbin/e-smith/expand-template /etc/squid.conf first...

[David]

I'm not sure how the whole template things works, but by creating a file called "10worm" and then sending the command to expand-template will that add the "10worm" file to squid.conf?

As for the /sbin/e-smith/expand-template /etc/squid.conf  your totally right my fault. I did forget to add the  very important item.

[Rob Hillis]

David wrote:

> I'm not sure how the whole template things works, but by
> creating a file called "10worm" and then sending the command
> to expand-template will that add the "10worm" file to
> squid.conf?

Yep... creating your own template fragments where possible is vastly prefereable to modifying the existing template fragments, as these are prone to being overwritten when upgrading to the latest version (if the damned thing ever finishes downloading...)

[David]

Cool. Thanks for the tip. I'll change the setup tonight.

[David]

This might be of some interest:

http://www.net-security.org/text/bugs/1000984627,32837,.shtml

[Bobby]

I'm trying to do this, but it's the first time I've expanded template fragments. I've made the /etc/e-smith/templates-custom/etc/squid/squid.conf/ directory & created the 10worm file there. When I try to expand it I get the message "Cannot create output file //etc/squid/squid.conf/10worm.1795: Not a directory". Any tips?
Thanks,
Bobby

[David]

For those using SendMail, here is away of filtering out the nimda via email

http://www.net-security.org/text/bugs/1001074525,64379,.shtml

[trevor]

Bobby wrote:
>
> I'm trying to do this, but it's the first time I've expanded
> template fragments. I've made the
> /etc/e-smith/templates-custom/etc/squid/squid.conf/ directory
> & created the 10worm file there. When I try to expand it I
> get the message "Cannot create output file
> //etc/squid/squid.conf/10worm.1795: Not a directory". Any tips?
> Thanks,
> Bobby

Did you expand the /etc/squid/squid.conf template ONLY? This will expand all the template fragments under /etc/e-smith/templates-custom/etc/squid/squid.conf directory. There is no need to specify the name of the fragment.

Hope this helps!
Trevor B

[Pierluigi Miranda]

David wrote:

> Also here is a slight change for the squid filter.
>
> # NIMDA Worm Filter
> acl worm urlpath_regex -i .eml$
> http_access deny worm

Shouldn't the acl line be "acl worm urlpath_regex -i \.eml$" to filter URL that end in ".eml"?

P.S.: not yet tested...

--

Pierluigi Miranda

[Bobby]

Trevor - thanks for the tip. That's what I was doing wrong.
Bobby

[David]

In one of my other postings I did mention that there was a problem and the correct format was using "acl worm urlpath_regex -i \.eml$"
But I did a quick try and it still seem to pass/open a new window for the EML file. I'm not sure if the default e-smith conf file is missing something or what. But it sure doesn't seem to be filtering out those EML links.

Has anyone else tried to do any tests?

[David]

In one of my other postings I did mention that there was a problem and the correct format was using "acl worm urlpath_regex -i \.eml$"
But I did a quick try and it still seem to pass/open a new window for the EML file. I'm not sure if the default e-smith conf file is missing something or what. But it sure doesn't seem to be filtering out those EML links.

Has anyone else tried to do any tests?