Thank you Microsoft,
it is now possible to spread viruses via html files.
Well, I've just been hit with the W32.NIMDA.A@MM computer worm.
No big surprise here.
The infection appears to be pretty wide spread.
Symantec press release
says that "its kind of bad",
the details are here.
| HTML Code
| MIME Header
Damage to My System
riched20.dll should be 422KB,
after infection it was 56 kb.
Since this dll is used by various applications,
some parts of the system no longer worked.
I used the System File Checker (c:\win98\system\sfc.exe) to repair
this problem (ie, replace the file).
- New infected system file
C:\WIN98\SYSTEM\load.exe (run via system.ini)
- Replaced system file
C:\WIN98\SYSTEM\riched20.dll (called by WinWord and others)
- The Internet Explorer History was deleted (C:\WIN98\History).
- Two of the Windows Explorer preferences were changed
- Do not show hidden or system files - was - Show all files
- Hide file extensions for known file types - was - unchecked
- 2 eml files added to PWS executable directories
- Several .tmp and .tmp.exe files in C:\WIN98\temp
- MS Word is broke (this may be a separate problem)
- 2 main menu selections are gone - View and Insert
- Find is missing from the edit menu
- Tool bar customize (right click and select customize)
no longer works
At the time of the infection
I was running the Microsoft Personal Web Server (PWS).
The following 2 files were written to directories
configured in PWS to contain executable content.
setup.eml 78 KB
multimonitor.eml 78 KB
These 2 identical files are actually email messages
which contain the mime encoded worm readme.exe.
However, because the mime type is
listed as an audio file,
Microsoft exchange will try to play the "sound" file.
Of course, Windows will realize that it is actually an exe
file and execute it WITHOUT ASKING YOU.
This is the system.ini line which loads the worm.
shell=explorer.exe load.exe -dontrunold
The MS Word problem was solved by locating and re-naming
normal.dot. When re-started, MS Word simply created a new one
and only the changes I had made were lost.
The following code is from an infected web page.
I won't identify the url since it is a
very respected site that was obviously hacked.
Simply visiting the page infected MY machine with the virus.
(I added the "xx" to the extension so that my example should be safe.
The rest of the page is here
The following was added as a single line at the bottom of the page.
I have reformatted it so that it is easier to read.
Notice that the window is opened way off the screen so that the user
is kept clueless.
(On the other hand, VBScript does allow this sort of thing.)
On the plus side, my Symantec virus check software located several infected
html files in the Internet Explorer cache.
Since all of them were from a single web site, I'm pretty sure
that those are the files that infected my system.
Relevant Registry Entries
This is the real problem -
these registry keys allow Windows to execute
files without your permission.
@="Microsoft Internet Mail Message"
[HKEY_CLASSES_ROOT\Microsoft Internet Mail Message\shell\open\command]
@="\"C:\\PROGRAM FILES\\OUTLOOK EXPRESS\\MSIMN.EXE\" /eml:%1"
@="Microsoft Internet News Message"
[HKEY_CLASSES_ROOT\Microsoft Internet News Message\shell\open\command]
@="\"C:\\PROGRAM FILES\\OUTLOOK EXPRESS\\MSIMN.EXE\" /nws:%1"
As you can see, there are 4 at risk extensions - eml mht mhtml nws.
Based on experiments,
it appears that the real danger is through the mime mapping.
This is the malformed header from the eml file.
The mime code is here.
This exploit is not limited to just exe files.
It can be used by all the executable file extensions -
pif and scr (Screen Saver) are quite common.
See McAfee's notes on the
for numerous examples.
I know that Microsoft has gone way out of the way to describe these
problems without giving specific data.
From a general security point of view, I support that approach.
However, since I know of companies loosing whole days because of these
problems, I decided to publish explicit details (as far as I know them).
This is no longer a "hide the details" issue,
we're now in disaster recovery
and explicit details are necessary to accomplish that.
Most of the details are also given by