Virus Documentation
This document is a cheatsheet for the five most common viruses, worms and trojans infecting users on the University of Redlands’s network. Only SARC (Symantec Anti-virus Research Center) class 3 and above are included on the list (in other words, only the nasty ones). For more information, visit http://www.sarc.com/.
FunLove virus (w32.funlove.4099)
Attacks: Windows 95/98/ME
Targets: .exe, .scr, .ocx files
Trigger: Failed Execution of Virus’s Service
Propagates: Shared Drives
SARC Class: 3
Damage: Medium
Type: Virus
Date Discovered: Nov, 1999
Infection Process
When an infected file is copied from one computer to another, the virus sets itself up as a Windows service, flcss.exe (in \windows\system folder). The service then attempts to execute, fails, and infects .exe, .scr, and .ocx executable files, preventing those programs from starting properly, if at all. Funlove does not attack the executable files of most anti-virus software.
To Repair
- Download patch (fixfun.exe) onto bootable floppy disk, and boot into DOS.
- From A:\ in DOS, type: fixfun <drive letter>, and the program will attempt to fix the infected files.
- When the program is finished, boot back into Windows, and re-run anti-virus program.
- Delete any remaining infected files and re-install any damaged applications.
- Finally, boot from the Operating System CD and select “Repair Windows Installation” to replace damaged system files. If the OS CD does not include a repair option, you can run “SFC” on many operating systems to check all of the system files, with the option to replace damaged versions.
Code Red (w32.bady.worm)
Attacks: MIS 2.0, IIS 4.0 & 5.0
Targets: Whitehouse.gov, Web Browser
Trigger: Does not find c:\notworm
Propagates: Infected Servers, Random IPs
SARC Class: 3
Damage: Low
Type: Worm
Date Discovered: July, 2001
Infection Process
Infects a vulnerable computer and runs in active memory, completely taking administrative control of the system. Code Red then executes a Denial of Service (DoS) attack on Whitehouse.gov port 80, causing massive slowdowns or shutdowns of the site, as well as using most of the bandwidth of the infected server's network. It generates 100 random IP addresses and sends a copy of itself to each address. During the ten hours Code Red runs on a machine, the message "This Computer Hacked By Chinese" appears in the user's browser instead of the requested web pages. Restarting a computer during this process restarts the worm's cycle, but after ten hours the worm runs itself out.
To Repair
- Copy CodeRed Removal Tool to machine from a floppy disk.
- Run the program in Windows to remove worm from active memory.
- When the program is finished, re-run anti-virus program.
- Download IIS and MIS security updates from http://www.microsoft.com/ to prevent the computer from being re-infected. CodeRed does not usually damage the system on which it is running.
Code Red II (w32.bady.c)
Attacks: MIS 2.0, IIS 4.0 & 5.0
Targets: Cmd.exe
Trigger: Does not find itself on hard drive
Propagates: Vulnerable Servers
SARC Class: 3
Damage: Medium
Type: Trojan Horse
Date Discovered: Aug, 2001
Infection Process
Code Red II attacks vulnerable computers through infected servers (both computers within the server’s networks and computers accessing the server’s network remotely). It copies cmd.exe to several locations, setting up remote-control access to all material stored on the computer.
To Repair
- Copy CodeRed Removal Tool to machine from a floppy disk.
- Run the program in Windows to remove worm from active memory.
- When the program is finished, re-run anti-virus program.
- Delete any remaining infected files and re-install any damaged applications.
- Download IIS and MIS security updates from http://www.microsoft.com/ to prevent the computer from being re-infected.
- Double check to make sure all extra cmd.exe versions have been removed, as have references to the executable in the registry.
SirCam (w32.sircam.worm@mm)
Attacks: Windows 95/95/ME/2000
Targets: Rundll32.exe
Trigger: File download, file deletion
Propagates: Mass mailing, shared drives
SARC Class: 4
Damage: Medium
Type: Worm
Date Discovered: July, 2001
Infection Process
When downloaded, SirCam creates three files: \temp\<infected file>, \recycled\<infected file>, and \recycled\SirCam.exe. It sends a copy of itself to every email address in the infected computer's internet cache, as well as to any email addresses in the user’s personal folder. It also copies itself to all of the computer's shared directories. Each copy it sends is attached to a random file (minimum length 134k) taken from the user’s hard drive.
Once downloaded, the worm has a 1/50 chance of expanding itself to fill up the rest of the user's hard drive. On Oct. 16th, 2001, the worm has a 1/20 chance of deleting the hard drive of an infected computer. If a computer is infected multiple times with the SirCam worm, it will copy over the system's run32.exe command with a corrupt version of rundll32.exe. This will prevent all applets utilizing .dll extensions from opening.
To Repair
- Download SirCam removal tool.
- Disconnect the computer from the network (important!).
- Run SirCam fix program in Windows.
- When the program is finished, re-run anti-virus program. Re-run fix if any versions of worm remain.
- Boot from Operating System CD to repair Windows installation.
Nimda (w32.nimda.a@mm)
Attacks: All Windows Systems
Targets: mmc.exe, cmd.exe, *.exe
Trigger: Infection
Propagates: Shared Drives, Vulnerable Servers, Mass Mailing, Random IPs
SARC Class: 4
Damage: High
Type: Worm, Trojan
Date Discovered: Sept, 2001
Infection Process
Nimda’s propagation methods are significant enough that they deserve a paragraph of their own. The worm starts out from an infected machine by generating a random set of server IP addresses and sending itself to those networks. If a server is vulnerable, it gains administrative access to the server and infects vulnerable computers on the network. Nimda uses the same Microsoft Indexing Service (MIS) and Internet Indexing Service (IIS) that Code Red exploited but can work through Microsoft’s original patch. Any remote users visiting an infected server will be prompted to download an .eml (Outlook mail) file containing the virus. The worm also uses the infected computer’s internet cache and sends itself as an attachment (readme.exe) to all email addresses. Simply previewing the infected email allows the worm to gain access to a user’s system. Additionally, Nimda uses Windows Networking and NetBIOS to find any open network shares. Even if the infected computer has no file shares, Nimda can infect any shared directories on the network this way, but only after the system has been re-booted.
Once infected by any of the worm's propagation methods, Nimda creates a guest account on the user’s computer with administrative privileges. Once it has administrative privileges, it takes over mmc.exe (Microsoft Management Console) and cmd.exe (Command Interpreter) to exert control over the rest of the system. It corrupts executable files, creates multiple copies of itself as .eml and .nws files, and infects riched20.dll, a Microsoft Office extension. After riched20.dll has been infected, the worm will re-propagate every time an Office program is opened. It also creates a file, load.exe, in the folder \windows\system so that the worm can operate even when a user is not logged on. The worm also opens each infected c:\ drive to the entire network and hides known file extensions.
Every tenth day from its original infection, Nimda re-initiates the original infection process.
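The server-side trace of the Code Red and Nimda propagation described above, as an added example that is not part of the original cheatsheet: it runs the publicly documented request signatures for both worms (the /default.ida probe and traversal or root.exe requests for cmd.exe, which this page does not list) over constructed IIS log lines and separates hosts that merely scanned the server from requests that actually reached a command interpreter. The sample log, the regexes and the helper names are assumptions of this example, not the page's.

```python
import re
from collections import Counter, namedtuple

# Constructed IIS W3C-style log lines: date time c-ip method uri-stem uri-query status.
SAMPLE_LOG = """\
2001-09-18 10:02:11 10.1.2.3 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 200
2001-09-18 10:02:13 10.1.2.3 GET /scripts/root.exe /c+dir 404
2001-09-18 10:02:14 10.1.2.3 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:03:01 10.1.2.9 GET /index.html - 200
2001-09-18 10:03:40 10.1.2.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090 200
2001-09-18 10:04:02 10.1.2.9 GET /images/logo.gif - 200
"""

# Public signatures (assumed here, not taken from the cheatsheet): Code Red hits the
# Indexing Service ISAPI extension via /default.ida with a long N or X padding;
# Nimda requests cmd.exe, or a root.exe copy of it, through IIS traversal paths.
SIGNATURES = [
    ("code-red", re.compile(r"^/default\.ida$", re.I), re.compile(r"^[NX]{20,}", re.I)),
    ("nimda", re.compile(r"(root|cmd)\.exe", re.I), None),
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
Hit = namedtuple("Hit", "worm client_ip uri status")


def classify(line):
    """Return a Hit if the log line matches a worm signature, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _date, _time, ip, _method, stem, query, status = m.groups()
    for worm, stem_re, query_re in SIGNATURES:
        if stem_re.search(stem) and (query_re is None or query_re.match(query)):
            return Hit(worm, ip, stem, int(status))
    return None


def scan(log_text):
    """All worm hits in a log, in file order."""
    return [h for h in map(classify, log_text.splitlines()) if h]


def summarize(hits):
    """Hits per worm, plus clients whose cmd.exe/root.exe request got a 200: that
    response means IIS ran the command, so the server is exploitable, not just scanned."""
    per_worm = Counter(h.worm for h in hits)
    exploited_by = sorted({h.client_ip for h in hits if h.worm == "nimda" and h.status == 200})
    return per_worm, exploited_by
```

A 404 on a root.exe or cmd.exe path shows the host was probed but the request failed; only the 200 responses indicate the server should be rebuilt as described in the repair steps.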
To Repair
(Note: while there are fixes available for Nimda, the only 100% sure method of eliminating the damage caused by the worm is to format the disk and re-install the OS.)
- First, and most importantly, disconnect the computer from the network!
- Copy all personal user files to removable media, such as a CD-R/CD-RW, Zip drive or 3.5 inch floppy. Do not move the files from the removable media onto another system, and do not transfer files directly to another computer or network drive.
- Use a system boot disk and boot into DOS.
- Run fdisk
- Delete all partitions and logical drives
- Create a primary partition
- Reboot the system, and boot into DOS.
- From the boot disk (a:\), type: format c: /s /v to re-format the hard disk.
- After the system is finished re-formatting, boot from the Operating System disk to begin re-installation.
- In a Windows 2000 system, disable Indexing Services.
- After re-installation is complete, install anti-virus software, re-connect to the network and immediately download the most current virus definitions and set up the highest level of virus auto-protect.
- Next, run Windows Update and download all security fixes (listed as critical updates under product updates) and the latest Service Pack, if applicable.
- With the system secure, scan the removable media with the user’s files for any viruses. Set scanning for all files and disable smart scanning. If the files are clean, copy them back to the user’s hard drive.
- Enable auto-protect on startup for virus protection.
Nimda Virus: Strain E (w32.nimda.e@mm)
Attacks: All Windows Versions
Targets: csrss.exe, cmd.exe, *.exe
Trigger: Infection
Propagates: Shared Drives, Vulnerable Servers, Mass Mailing, Random IPs
SARC Class: 3
Damage: High
Type: Worm
Discovered: Oct, 2001
Infection Process
The worm starts out from an infected machine by generating a random set of server IP addresses and sending itself to those networks. If a server is vulnerable, it gains administrative access to the server and infects vulnerable computers on the network. Nimda uses the same Microsoft Indexing Service (MIS) and Internet Indexing Service (IIS) that Code Red exploited but can work through Microsoft’s original patch. Any remote users visiting an infected server will be prompted to download an .eml (Outlook mail) file containing the virus. The worm also uses the infected computer’s internet cache and sends itself as an attachment (sample.exe) to all email addresses. Simply previewing the infected email allows the worm to gain access to a user’s system. Additionally, Nimda uses Windows Networking and NetBIOS to find any open network shares. Even if the infected computer has no file shares, Nimda can infect any shared directories on the network this way, but only after the system has been re-booted.
Once infected by any of the worm's propagation methods, Nimda creates a guest account on the user’s computer with administrative privileges. Once it has administrative privileges, it takes over mmc.exe (Microsoft Management Console) and cmd.exe (Command Interpreter) to exert control over the rest of the system. It corrupts executable files, creates multiple copies of itself as .eml and .nws files, and infects riched20.dll, a Microsoft Office extension. After riched20.dll has been infected, the worm will re-propagate every time an Office program is opened. It also creates a file, load.exe, in the folder \windows\system so that the worm can operate even when a user is not logged on. The worm also opens each infected c:\ drive to the entire network and hides known file extensions.
Every tenth day from its original infection, Nimda re-initiates the original infection process.
To Repair
- Download FixNimdaE from http://www.sarc.com/.
- Disconnect Computer From Network.
- Close All Programs.
- Disable System Restore (In Windows ME only).
- Run Fix, Multiple Times If Necessary.
- Reboot Computer and Re-Run Virus Software.
- If Computer Is Clean, Go To http://windowsupdate.microsoft.com/, click on product updates, and download critical fixes.
- Check Computer For (and Fix): New Guest Profiles (w/ administrative privileges) and Open Network Shares.
- Reboot System and Run System Restore (to check for damaged com.exe and riched20.dll).