IP: READ -- Nimda E Windows Virus -- a different problem entirely

[David Farber <dave () farber net>]

> From: "Rob Raisch" <info () raisch com>
> To: "Dave Farber" <farber () cis upenn edu>
>
>
> Dave,
>
> Today, a number of machines over which I have responsibility were hit by a
> new Windows Virus that has been dubbed "Nimda E"
>
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.e () mm html
>
> There are a number of subtle yet important differences that make this attack
> a whole new kettle of fish entirely.
>
> In short, the NIMDA E Windows Virus can infect your machine through the
> expected channels of Microsoft Windows Internet Information Server (IIS),
> over a shared disk drive, and in an email message opened with Microsoft
> Outlook.
>
> But most importantly, when it arrives on your machine through Outlook 2000
> (and I believe Outlook Express, though I have yet to verify this), the
> infected email message is shown as having __NO__ file attachments, even
> though it clearly does when opened or examined with another email client.
>
> This implies that user education will not be sufficient to stem this
> infection as any email message can now be a new vector of infection.
>
> The NIMDA E Windows Virus also appears to modify important Windows systems
> files so its chief method of attack is reinvoked when each new program is
> run under Windows.  Run any program whatsoever, and you are reinfected.  I
> ran my SSH client to connect to a remote Linux host, and was amazed to see
> the infected operating system modify the SSH program file to become a new
> infection vector.
>
> Finally, and this has yet to be verified, it appears the NIMDA E Windows
> Virus can infect your machine over a network share, violating Windows Share
> Permissions, to modify systems files as described above.
>
> The only solution I can imagine for this virus is not to run Microsoft
> Windows IIS, File Service, or Outlook.
>
> /rr


For archives see:
http://www.interesting-people.org/archives/interesting-people/