Security Incidents mailing list archives
RE: Nimda Infections
From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 13 Nov 2001 09:25:31 -0700 (MST)
On Mon, 12 Nov 2001, Reilly wrote:
I don't think I've seen a posting or action of the Nimda worm to infect anything other than IIS. I have over 500 Netscape servers on the net and none of them have had any problems. Everything in the logs shows only IIS exploits. Some of our IIS servers were infected, about 100, and we were able to clean them all with little to no problem without reformatting the systems. Has anyone seen anything similar to what Jim has seen?
Sure. Haven't you been receiving emails with a MIME attachment type of audio/x-wav? One of the worms that does that is Nimda, and most of those emails I receive of that type are one of the Nimda variants. It will infect vulnerable clients who visit an infected site. It will also infect .exe files, and copy itself to file shares.

Once Nimda gets inside a Windows networking domain, it can be a real pain to get rid of. I helped a local high school do so recently. If an admin logs onto a Nimda-infected box (which any student may have allowed to become infected through ignorance) then the DC will likely get compromised right away, and there go all the machines in the domain.

I think what you're asking is if the HTTP server infection vector does anything besides IIS, and no, it doesn't. What the original poster was saying is that you don't have to be running IIS to get it.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com