Researchers say Nimda set to propagate again

[InfoSec News <isn () c4i org>]

http://www.infoworld.com/articles/hn/xml/01/09/27/010927hnnimbda.xml?0927alert

[Sadly there is about twenty seperate companies subscribed to ISN that
will never see this message because the word Nimda has been blocked by
their virus protection software.  - WK]


By Deborah Radcliff, Computerworld online 
September 27, 2001 10:52 am PT
  
RESEARCHERS HAVE DISCOVERED a third vector to the Nimda worm, which is
set to propagate again through e-mail at 1 a.m. ET Friday.

"We rechecked the code base to Nimda, and we found a code set that is
supposed to respread Nimda through e-mail systems starting 10 days
after machines were first infected," said Oliver Friedrichs, director
of engineering at the Attack Registry and Intelligence Service. That
service is sponsored by SecurityFocus, a business security firm in San
Mateo, Calif.

Ten days after first infecting machines, the worm will attempt to
respread itself through readme.exe attachments, with the same payload
as its original mail-based infection.

The impact could be significant or minute, depending on how well the
IT community has cleaned systems and patched Microsoft IIS (Internet
Information Server) and Outlook programs. The 10-day vector will
likely be less severe than Nimda was the first time because more
systems have been patched against the vulnerabilities, Friedrichs
said.

But because Nimda has spread itself to so many places on computers,
networked systems may not have been cleaned enough to prevent
widespread mailings of the virus. Therefore, Friedrichs advised IT
managers to do the following:

-- Double-check their patches.

-- Make sure their anti-virus software blocks Nimda.

-- Block executables files at the e-mail gateway.

-- Alert users not to preview or open any attachments that say
   readme.exe.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.