Interesting People mailing list archives
IP: READ -- Nimda E Windows Virus -- a different problem entirely
From: David Farber <dave () farber net>
Date: Tue, 30 Oct 2001 18:52:03 -0500
From: "Rob Raisch" <info () raisch com>
To: "Dave Farber" <farber () cis upenn edu>

Dave,

Today, a number of machines over which I have responsibility were hit by a new Windows Virus that has been dubbed "Nimda E"

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.e () mm html

There are a number of subtle yet important differences that make this attack a whole new kettle of fish entirely.

In short, the NIMDA E Windows Virus can infect your machine through the expected channels of Microsoft Windows Internet Information Server (IIS), over a shared disk drive, and in an email message opened with Microsoft Outlook.

But most importantly, when it arrives on your machine through Outlook 2000 (and I believe Outlook Express, though I have yet to verify this), the infected email message is shown as having __NO__ file attachments, even though it clearly does when opened or examined with another email client.

This implies that user education will not be sufficient to stem this infection as any email message can now be a new vector of infection.

The NIMDA E Windows Virus also appears to modify important Windows systems files so its chief method of attack is reinvoked when each new program is run under Windows. Run any program whatsoever, and you are reinfected. I ran my SSH client to connect to a remote Linux host, and was amazed to see the infected operating system modify the SSH program file to become a new infection vector.

Finally, and this has yet to be verified, it appears the NIMDA E Windows Virus can infect your machine over a network share, violating Windows Share Permissions, to modify systems files as described above.

The only solution I can imagine for this virus is not to run Microsoft Windows IIS, File Service, or Outlook.

/rr
For archives see: http://www.interesting-people.org/archives/interesting-people/