Security Incidents mailing list archives

RE: Nimda Infections


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 13 Nov 2001 09:25:31 -0700 (MST)

On Mon, 12 Nov 2001, Reilly wrote:

> I don't think I've seen a posting or action of the Nimda worm to infect
> anything other than IIS.  I have over 500 Netscape servers on the net and
> none of them have had any problems.  Everything in the logs shows only IIS
> exploits.  Some of our IIS servers were infected, about 100, and we were
> able to clean them all with little to no problem without reformatting the
> systems.
>
> Has anyone seen anything similar to what Jim has seen?

Sure.  Haven't you been receiving emails with a MIME attachment type of
audio/x-wav?  One of the worms that does that is Nimda, and most of those
emails I receive of that type are one of the Nimda variants. It will
infect vulnerable clients who visit an infected site.  It will
also infect .exe files, and copy itself to file shares.  Once Nimda gets
inside a Windows networking domain, it can be a real pain to get rid of.
I helped a local high school do so recently.  If an admin logs onto a
Nimda-infected box (which any student may have allowed to become infected
through ignorance) then the DC will likely get compromised right away, and
there go all the machines in the domain.

I think what you're asking is if the HTTP server infection vector does
anything besides IIS, and no it doesn't.  What the original poster was
saying is that you don't have to be running IIS to get it.

                                        Ryan
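
As an added illustration of the mail vector Ryan describes (not code from the original post, from Ryan, or from SecurityFocus): a small mail-gateway check that flags attachments declared as audio/x-wav whose filename or content contradicts that type. The sample messages are constructed here; the RIFF/WAVE header test and the MZ executable header test are general file-format facts, not details from the thread.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute when the attachment is opened
# (general knowledge, not taken from the mailing-list post).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}


def build_message(filename, content, ctype="audio/x-wav"):
    """Build a constructed test message carrying one attachment (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body text")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(content, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


def suspicious_wav_parts(raw):
    """Return (filename, reasons) for every audio/x-wav part whose name or
    bytes do not match the declared WAV type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() not in ("audio/x-wav", "audio/wav"):
            continue
        payload = part.get_payload(decode=True) or b""
        filename = (part.get_filename() or "").lower()
        reasons = []
        ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension .{ext} declared as audio")
        # A real WAV file is a RIFF container with the form type "WAVE".
        if payload[:2] == b"MZ":
            reasons.append("payload starts with the MZ executable header")
        elif not (payload[:4] == b"RIFF" and payload[8:12] == b"WAVE"):
            reasons.append("payload lacks the RIFF/WAVE header")
        if reasons:
            findings.append((filename, reasons))
    return findings


# Constructed samples: a minimal genuine WAV header and a fake MZ stub.
REAL_WAV = b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 32
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60

CLEAN_MESSAGE = build_message("tone.wav", REAL_WAV)
MASQUERADE_MESSAGE = build_message("sample.exe", FAKE_EXE)

if __name__ == "__main__":
    print(suspicious_wav_parts(CLEAN_MESSAGE))       # []
    print(suspicious_wav_parts(MASQUERADE_MESSAGE))  # one finding, two reasons
```

Checking the bytes rather than trusting the declared MIME type is the point: a content type of audio/x-wav tells a mail client how to render the part, not what it actually contains.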


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
