Information Security News mailing list archives

This version of Nimda worm is 'new and improved'


From: InfoSec News <isn () c4i org>
Date: Fri, 2 Nov 2001 02:43:45 -0600 (CST)

http://www.computeruser.com/news/01/11/01/news5.html

By Steven Bonisteel, Newsbytes.
November 01, 2001

Some anti-virus companies are warning PC users and system
administrators to be on the lookout for a new incarnation of the
nefarious Nimda worm, which someone has tweaked -- to improve its
performance.

On Tuesday, Symantec's Security Response team said that because of the
number of reports it has received since the new variant was spotted
Monday, it had increased its severity rating for what is being called
"Nimda.E" (or, by at least one other anti-virus company, "Nimda.D").

Symantec said Nimda.E is similar to the original version of the Nimda
worm that took the Net by storm in September with its ability to
launch Code Red-like attacks on some Web servers at the same time that
it was able to propagate as an e-mail and Web page attachment.

However, Symantec reported, the new version has some "bug fixes" and
other modifications, some of which were apparently designed to evade
virus-checking software equipped to stop its predecessor.

As an executable e-mail attachment, the Nimda worm's payload can be
launched when unsuspecting users click on the newly arrived file. It
also takes advantage of an old bug in some systems using Microsoft's
Internet Explorer and Outlook e-mail programs to launch
automatically when users simply view their mail.

Once launched, Nimda generates its own list of numeric Internet
protocol (IP) addresses, which it then probes for evidence of Microsoft
IIS Web servers susceptible to a year-old security bug known as the
Unicode directory traversal vulnerability. In addition, it can
launch a variety of other attacks on IIS servers, including ones that
take advantage of systems already cracked open and left vulnerable by
the Code Red II worm.
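As an added example, not from the article or from either vendor, the script below shows the decode-order flaw behind the Unicode directory traversal bug the worm scans for, and runs a detection pass over a few constructed IIS-style log lines. The log format, the permissive decoder and the sample requests are assumptions made for illustration, not real telemetry.

```python
import re
from posixpath import normpath

# Constructed IIS-style log lines for this example (not real telemetry): client, method, path, status.
SAMPLE_LOG = """\
10.0.0.5 GET /default.htm 200
10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200
10.0.0.9 GET /scripts/../images/logo.gif 200
10.0.0.11 GET /scripts/..%c1%1c../winnt/system32/cmd.exe 404
"""
LOG_LINE = re.compile(r'^(\S+) ([A-Z]+) (\S+) (\d{3})$')

def percent_decode(path: str) -> bytes:
    """Single-pass %XX decoding to raw bytes; anything else passes through."""
    raw, i = bytearray(), 0
    while i < len(path):
        if path[i] == '%' and re.fullmatch(r'[0-9a-fA-F]{2}', path[i + 1:i + 3]):
            raw.append(int(path[i + 1:i + 3], 16)); i += 3
        else:
            raw.extend(path[i].encode()); i += 1
    return bytes(raw)

def lenient_utf8(raw: bytes) -> str:
    """Decode like a permissive server (assumed model): a 2-byte lead (0xC0-0xDF) is merged
    with whatever byte follows, no overlong/continuation check, so %c0%af -> '/' and %c1%1c -> '\\'."""
    out, i = [], 0
    while i < len(raw):
        if 0xC0 <= raw[i] <= 0xDF and i + 1 < len(raw):
            out.append(chr(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))); i += 2
        else:
            out.append(chr(raw[i])); i += 1
    return ''.join(out)

def climbs_out(decoded: str) -> bool:
    """Fold backslash to slash, canonicalise, and see whether the path rises above the root."""
    return normpath(decoded.replace('\\', '/').lstrip('/')).split('/')[0] == '..'

def naive_traversal_check(path: str) -> bool:
    """Flawed order (canonicalise, then decode UTF-8): '..%c0%af' is just an odd directory
    name that the following '..' steps back out of, so the request looks in-root."""
    return climbs_out(percent_decode(path.split('?', 1)[0]).decode('latin-1'))

def robust_traversal_check(path: str) -> bool:
    """Correct order: decode completely first, then canonicalise and check."""
    return climbs_out(lenient_utf8(percent_decode(path.split('?', 1)[0])))

def triage(log_text: str) -> list:
    """Return (client, path) pairs for requests whose decoded path leaves the web root."""
    matches = filter(None, map(LOG_LINE.match, log_text.splitlines()))
    return [(m[1], m[3]) for m in matches if robust_traversal_check(m[3])]
```

The naive check passes the overlong request because it canonicalises before the bytes become a separator; the robust check decodes first and flags both encoded forms while leaving the in-root `..` request alone.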

What's more, the Nimda worm can turn the Web pages of compromised
servers into another vehicle for delivering to browsers a copy of the
same code that it has been sending by e-mail.

Virus researchers at U.K.-based Sophos -- which calls the new variant
Nimda-D -- say that, when arriving as a file attachment, the worm is
now contained in a file called Sample.exe, rather than Nimda.A's
Readme.exe attachment.

In addition, Sophos said, when Nimda is successful in breaking into a
Microsoft IIS Web server, it uploads and launches a Windows dynamic
link library file named HTTPODBC.DLL, rather than the ADMIN.DLL that,
read backwards, gave the original Nimda worm its name.

Depending on how the original worm was launched, it might overwrite
the file called Mmc.exe in the system's Windows directory. Symantec's
Security Response team said the new version will now copy itself to
the file Csrss.exe in the Windows system folder, rather than use
Mmc.exe.

Symantec Security Response: http://securityresponse.symantec.com.

Sophos: http://www.sophos.com.



ISN is currently hosted by Attrition.org