IP: re -- Nimda E Windows Virus -- a different problem entirely

[David Farber <dave () farber net>]

> Date: Wed, 31 Oct 2001 15:45:13 -0800
> From: "Howard Morgan" <howard () idealab com>
> To: <farber () cis upenn edu>
>
> Dave:
>
> This is the response of our sysadmin at idealab! on NIMDA-E.  It's the
> responsible sysadmin view of things.  His last sentence is the key issue
> - getting sysadmins to keep on top of patches - i.e. using the
> intelligence information about current attacks and remedies. Just what
> we're going through in the rest of society.  Yes, we should build more
> secure systems, but we should push much harder to have as many people as
> possible trained in how to quickly plug the holes when they are found.
>
> howard
>
> -----Original Message-----
> From: David Derkits
> Sent: Tuesday, October 30, 2001 8:07 PM
> To: Howard Morgan
> Subject: RE: READ -- Nimda E Windows Virus -- a different problem
> entirely
>
>
> This Rob Raisch has apparently not dealt with the original Nimda virus,
> which was serious but also controllable.  I think he is too eager to
> preach removal of Microsoft software.
>
> If a company has patched for Nimda, they are most likely safe from Nimda
> E.  With all the publicity surrounding the original Nimda and - before
> that - CodeRed, all companies should have patched the common security
> holes by now.
>
> For example, Idealab Pasadena is safe from Nimda E because:
> - We block all incoming .dll and .exe files at our mail servers.  Nimda
> E uses a different .exe file, but an .exe filter catches them all.
> - We run Symantec Norton AntiVirus on all of our desktop computers and
> servers.  Symantec has confirmed that Nimda E is caught by their
> original Nimda protection, which means that any AntiVirus client that
> has had its virus definitions uploaded since September will be
> protected.
> - We have patched the security holes on the servers that run IIS.
> - We do a good job of patching IE and Office.
>
> Other ways to block Nimda and Nimda E:
> - Office 2000 SR-1 SP2 and Office XP do not exhibit the security hole.
> Patches have been available for Outlook Express (through IE patches) and
> IIS for some time.  A computer running IE 5.5 SP2 or IE 6.0 and all
> critical updates (through Windows Updates) is safe.
>
> Dealing with viruses proactively is one of the responsibilities of any
> Windows or Macintosh sysadmin.  Dealing with the larger issue of
> security holes proactively is the responsibility of every sysadmin.
>
> - David
>
>
> > -----Original Message-----
> > From: Howard Morgan
> > Sent: Tuesday 30 October 2001 16:07
> > To: David Derkits
> > Subject: FW: READ -- Nimda E Windows Virus -- a different
> > problem entirely
> >
> >
> > This sounds serious.
> >
> > howard
> >
> > -----Original Message-----
> > From: David Farber [mailto:dave () farber net]
> > Sent: Tuesday, October 30, 2001 6:52 PM
> > To: ip-sub-1 () majordomo pobox com
> > Subject: IP: READ -- Nimda E Windows Virus -- a different
> > problem entirely
> >
> >
> >
> > >From: "Rob Raisch" <info () raisch com>
> > >To: "Dave Farber" <farber () cis upenn edu>
> > >
> > >
> > >Dave,
> > >
> > >Today, a number of machines over which I have responsibility were hit
>
> > >by a new Windows Virus that has been dubbed "Nimda E"
> > >
> > >
> > >http://securityresponse.symantec.com/avcenter/venc/data/w32.n
> imda.e@mm.
> >html
> >
> >There are a number of subtle yet important differences that make this
> >attack a whole new kettle of fish entirely.
> >
> >In short, the NIMDA E Windows Virus can infect your machine through the
>
> >expected channels of Microsoft Windows Internet Information Server
> >(IIS), over a shared disk drive, and in an email message opened with
> >Microsoft Outlook.
> >
> >But most importantly, when it arrives on your machine through Outlook
> >2000 (and I believe Outlook Express, though I have yet to verify this),
>
> >the infected email message is shown as having __NO__ file attachments,
> >even though it clearly does when opened or examined with another email
> >client.
> >
> >This implies that user education will not be sufficient to stem this
> >infection as any email message can now be a new vector of infection.
> >
> >The NIMDA E Windows Virus also appears to modify important Windows
> >systems files so its chief method of attack is reinvoked when each new
> >program is run under Windows.  Run any program whatsoever, and you are
> >reinfected.  I ran my SSH client to connect to a remote Linux host, and
>
> >was amazed to see the infected operating system modify the SSH program
> >file to become a new infection vector.
> >
> >Finally, and this has yet to be verified, it appears the NIMDA E
> >Windows Virus can infect your machine over a network share, violating
> >Windows Share Permissions, to modify systems files as described above.
> >
> >The only solution I can imagine for this virus is not to run Microsoft
> >Windows IIS, File Service, or Outlook.
> >
> >/rr
>
>
> For archives see:
> http://www.interesting-people.org/archives/interesting-people/
> Received:  from corleone.idealab.com ([64.208.8.4]) by 
> rosemead.iad.idealab.com with Microsoft SMTPSVC(5.0.2195.2966); Tue, 30 
> Oct 2001 16:52:28 -0800
> MIME-Version: 1.0
> Content-Type: text/plain;
>         charset="iso-8859-1"
> Received:  (qmail 30322 invoked by uid 594); 31 Oct 2001 00:52:28 -0000
> X-MimeOLE: Produced By Microsoft Exchange V6.0.4712.0
> content-class: urn:content-classes:message
> Subject: Nimda E virus
> Date: Tue, 30 Oct 2001 16:52:26 -0800
> Message-ID: <18361A0163154B4E9BF6AE2659E01F0914394F () rosemead iad idealab com>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: Nimda E virus
> Thread-Index: AcFhpqPe9+srOHOfT6qHO+SLH3ElPw==
> From: "David Derkits" <dderkits () idealab com>
> To: <itteam () idealab com>
>
> IT Team:
>
> There is a variant of the Nimda virus, Nimda E, circulating.  After
> researching this, my conclusion is that this is not a threat to us
> because of measures we have taken to block the original Nimda virus.
> Nimda E exploits the same basic security holes as original Nimda.
>
> Symantec's discussion of Nimda E can be found here:
> http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.e@mm.h
> tml
>
> Specifically:
>
> "Norton AntiVirus already detects Infected HTML files as W32.Nimda.A@mm
> (html)."
>
> Given our earlier campaign to update users' virus definition files,
> protection for Nimda should be in place throughout Idealab Pas.  We also
> block various types of files at our mail servers, including .exe, and
> our servers have already been patched to resist Nimda and its variants.
>
> It is not impossible that someone may spot Nimda E (e.g. if they check
> external email through POP, and an infected message comes their way).
> Report any such cases.
>
> - David


For archives see:
http://www.interesting-people.org/archives/interesting-people/