Security Incidents mailing list archives

Re: New "concept" virus/worm?


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Tue, 18 Sep 2001 17:16:46 -0400

On Tue, Sep 18, 2001 at 10:57:36AM -0600, Brett Glass wrote:
> At 10:21 AM 9/18/2001, Jay D. Dyson wrote:
>
> >       It's a two-prong worm.  It appears to be primarily disseminated
> > via e-mail, and then launches its attacks on web hosts upon successful
> > infection.
>
> Newsbytes is calling this worm "Code Rainbow," while some of the antivirus
> firms seem to be calling it "W32.Nimda.A@mm".
>
> Can the e-mail infect anything other than Windows NT/2000? Will it infect
> a system that's running Windows NT/2000 but not IIS? If a Windows 95/98/ME
> user opens it, will his or her system begin to spread the worm as well?

        It's also propagating over network shares and probing for netbios
connections which it can log into as "guest".  Seems to also add a guest
account to the infected system and tries to add it to the admin group.  ;-/

> --Brett Glass

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

