Security Incidents mailing list archives

RE: Nimda Infections


From: "Reilly" <reilly () speakeasy org>
Date: Mon, 12 Nov 2001 21:12:14 -0800

I don't think I've seen a posting or action of the Nimda worm to infect
anything other than IIS.  I have over 500 Netscape servers on the net and
none of them have had any problems.  Everything in the logs shows only IIS
exploits.  Some of our IIS servers were infected, about 100, and we were
able to clean them all with little to no problem without reformatting the
systems.

Has anyone seen anything similar to what Jim has seen?


TrendMicro analysis of Nimda.A
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=PE_NIMDA.A&VSect=T



-----Original Message-----
From: Jim Harrison (SPG) [mailto:jmharr () microsoft com]
Sent: Monday, November 12, 2001 4:52 PM
To: reilly () speakeasy net; incidents () securityfocus com
Subject: RE: Nimda Infections


Something to bear in mind, and something that really tweaks me WRT how
most folks seem to approach the whole Nimda issue:
1. You don't need IIS installed to get infected with Nimda; it has no
less than 5 other vectors to choose from
2. Installing the IIS patches on a web server is not a panacea for Nimda
(see #1), only for the issues that Nimda exploited
3. The only absolute way to eradicate Nimda is to "nuke & pave" the
infected host and rebuild it OFF THE NETWORK.

Let's not discount the possibility that at least some of these requests
are coming from hosts that are there for the express purpose of
spreading Nimda and its ilk.  I know of at least two Verizon-based hosts
that I've pointed out repeatedly only to see them remain on the 'net,
spewing forth their infection requests.  If not for my ISA server, I
too may have fallen prey to these insidious jerks.

* Jim Harrison
MCP(NT4, 2K), A+, Network+




-----Original Message-----
From: reilly () speakeasy net [mailto:reilly () speakeasy net]
Sent: Monday, November 12, 2001 15:28
To: incidents () securityfocus com
Subject: Nimda Infections


It's amazing to me when I see the number of systems still infected with
Nimda.  In today's logs I see a huge number of systems in the ATT
network that are still banging away.  I can't even give you the number
of systems that I'm seeing from China.  What is so difficult about
patching your system against the .hta, .htq vuln.  I don't mean to go
off on a rant but am I the only one that feels this way?  Is everyone
else seeing the same activity?


AT&T
12.101.62.4
12.102.47.51
12.103.156.10
12.103.159.94
12.64.128.3
12.64.134.199
12.72.139.96
12.73.5.135
12.74.161.194
12.75.41.165
12.77.146.214
12.77.148.241
12.77.151.250
12.78.144.115
12.81.109.130
12.81.120.25
12.81.163.216
12.81.2.240
12.83.81.182
12.83.83.74
12.84.96.198
12.87.145.155
12.88.161.248
12.88.173.180
12.89.165.130
12.91.118.157
12.98.144.18
12.99.178.250
12.99.179.10
12.99.28.7
12.99.94.158

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
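Added example, not code from the thread or any of its posters: a small Python triage script for the situation both posters describe, a web server whose logs are full of Nimda probes. It matches the request URIs the worm sends when it scans a web server (the Code Red II root.exe backdoors and the IIS directory-traversal encodings of cmd.exe), counts hits per source address, and groups them by netblock the way the original post grouped the AT&T hosts. The log lines are constructed for this example in Apache common log format (IIS W3C logs would need a different line pattern), and the netblock table is an illustrative assumption.

```python
"""Triage an access log for Nimda probe traffic.

Added example, not from the original thread.  Sample log lines are
constructed; the netblock labels are an illustrative assumption.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Request URIs Nimda sends when scanning a web server: first the Code Red II
# backdoors (root.exe), then a series of IIS directory-traversal encodings of
# ../winnt/system32/cmd.exe.  A hit on any of these marks the source as a
# probing host whatever platform the log came from.
NIMDA_PATTERNS = [
    re.compile(r"/scripts/root\.exe", re.I),
    re.compile(r"/msadc/root\.exe", re.I),
    re.compile(r"/[cd]/winnt/system32/cmd\.exe", re.I),
    # traversal with over-long or double-encoded separators ending in cmd.exe
    re.compile(
        r"\.\.(%255c|%c1%1c|%c0%2f|%c0%af|%c1%9c|%%35%63|%%35c|%25%35%63|%252f)"
        r"\.\./.*cmd\.exe",
        re.I,
    ),
]

# Apache common/combined log line: client IP ... "METHOD URI PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Illustrative netblock labels (assumption for this example; 12.0.0.0/8 is the
# block the original post attributes to AT&T).
NETBLOCKS = {ip_network("12.0.0.0/8"): "AT&T"}


def is_nimda_probe(uri):
    """True if the request URI matches one of the known Nimda probe forms."""
    return any(p.search(uri) for p in NIMDA_PATTERNS)


def parse_line(line):
    """Return (ip, method, uri, status) for a common-log-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("uri"), int(m.group("status"))


def label_network(ip):
    """Map a source address to a netblock label, or 'other' if unlisted."""
    addr = ip_address(ip)
    for net, name in NETBLOCKS.items():
        if addr in net:
            return name
    return "other"


def triage(lines):
    """Return (probe count per source IP, probe count per netblock, non-probe count)."""
    by_ip, by_net, non_probe = Counter(), Counter(), 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, uri, _status = parsed
        if is_nimda_probe(uri):
            by_ip[ip] += 1
            by_net[label_network(ip)] += 1
        else:
            non_probe += 1
    return by_ip, by_net, non_probe


# Constructed sample: one AT&T-block host running the probe sequence, one
# unlisted host with a single probe, and two ordinary requests.
SAMPLE_LOG = """\
12.101.62.4 - - [12/Nov/2001:15:01:02 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
12.101.62.4 - - [12/Nov/2001:15:01:02 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
12.101.62.4 - - [12/Nov/2001:15:01:03 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.101.62.4 - - [12/Nov/2001:15:01:03 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.101.62.4 - - [12/Nov/2001:15:01:04 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.101.62.4 - - [12/Nov/2001:15:01:04 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.101.62.4 - - [12/Nov/2001:15:01:05 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.101.62.4 - - [12/Nov/2001:15:01:05 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.101.62.4 - - [12/Nov/2001:15:01:06 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.101.62.4 - - [12/Nov/2001:15:01:06 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
203.0.113.7 - - [12/Nov/2001:15:02:11 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
198.51.100.9 - - [12/Nov/2001:15:03:00 -0800] "GET /index.html HTTP/1.1" 200 1532
198.51.100.9 - - [12/Nov/2001:15:03:01 -0800] "GET /images/logo.gif HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    ips, nets, clean = triage(SAMPLE_LOG.splitlines())
    for ip, n in ips.most_common():
        print(f"{ip:16} {label_network(ip):6} {n} probes")
    print("by netblock:", dict(nets), "non-probe requests:", clean)
```

Run it against a real log with `triage(open("access_log"))`; the 404s in the sample are what a non-IIS server returns to these probes, which is why the first poster's Netscape servers show the traffic in their logs without being infected.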


