Vulnerability Development mailing list archives
RE: New "concept" virus/worm?
From: Peter Mueller <pmueller () sidestep com>
Date: Tue, 18 Sep 2001 13:41:56 -0700
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp <exerp from securityfocus> Experts are tracking a fast-spreading virus that propagates both by sending itself as an email attachment, and by hacking into vulnerable web servers. The W32.Nimda.A@mm worm infects IIS servers by exploiting the 'MS IIS/PWS Escaped Characters Decoding Command Execution Vulnerability' -- the same hole exploited by the recent Code Blue worm. The worm also attacks Microsoft Outlook users, arriving as an apparently blank message with an attachment called 'readme.exe.' As with other viruses, opening the attachment will infect the machine. But unlike most so-called mass mailers, Nimda can also infect Outlook and Outlook Express users who know better than to open strange attachments. By exploiting a bug in Internet Explorer discovered last March, the worm is able to infect victim computers when the email is read, or even displayed in Outlook's preview pane. A patch for the 'Microsoft IE MIME Header Attachment Execution Vulnerability' is available from Microsoft's web site. Once it has infected a machine, Nimda exposes local hard drives to the network, and spreads further through already-open file shares. Cyber security mailing lists began buzzing with word of the W32.Nimda.A@mm worm Tuesday morning, after network administrators noticed a massive increase in probes for unpatched Microsoft's IIS web server software. No destructive payload was immediately identified in the worm, but network administrators report that the worm consumes massive amounts of bandwidth in its feverish search for vulnerable servers. The virus comes at a time of heightened sensitivity to Internet attack. On Monday the U.S. National Infrastructure Protection Center (NIPC) issued an advisory warning that a group of vigilante hackers called 'The Dispatchers' have threatened to launch distributed denial of service attacks against unnamed Internet hosts, in response to the September 11th terrorist attacks on the United States. "The Dispatchers claim to have over 1,000 machines under their control for the attacks," the advisory reads. "It is likely that the attackers will mask their operations by using the IP addresses and pirated systems of uninvolved third parties."
-----Original Message----- From: Tom Brenner [mailto:tom () mics net] Sent: Tuesday, September 18, 2001 11:36 AM To: Incidents List Cc: Vuln Dev Subject: RE: New "concept" virus/worm? Right. We have it on a 98 machine here. Our Win2K server was protected but it appears our NT server is afflicted. I thought I had the NT machine all up to date, but..... Tom Brenner Director of Operations Midwest Internet Connections & Services, Inc. Phone: (937) 297-6212 Fax: (937) 297-6214 Toll Free Outside Dayton Area: 1-877-get-4fam Visit our home page at: http://www.4fam.net -----Original Message----- From: Dave Salovesh [mailto:salovesh () ramassociates com] Sent: Tuesday, September 18, 2001 1:21 PM To: 'Brett Glass'; Jay D. Dyson; Incidents List Cc: Vuln Dev Subject: RE: New "concept" virus/worm? It infects 98 (I've got it on the one 98 workstation we run) and may have been involved in infecting two of NT4 servers. I also have two UNinfected NT4 servers that are patched to about the same level as the infected ones - not quite completely patched, but I think I've selected all the appropriate ones for the role each server plays. My W2K server is patched up to the minute and didn't get infected. So far... -- Dave Salovesh RAM Associates, Inc. (800) 543-3635-----Original Message----- From: Brett Glass [mailto:brett () lariat org] Sent: Tuesday, September 18, 2001 12:58 PM To: Jay D. Dyson; Incidents List Cc: Vuln Dev Subject: Re: New "concept" virus/worm? At 10:21 AM 9/18/2001, Jay D. Dyson wrote:It's a two-prong worm. It appears to be primarilydisseminatedvia e-mail, and then launches its attacks on web hosts uponsuccessfulinfection.Newsbytes is calling this worm "Code Rainbow," while some of the antivirus firms seem to be calling it "W32.Nimda.A@mm". Can the e-mail infect anything other than Windows NT/2000? Will it infect a system that's running Windows NT/2000 but not IIS? If a Windows 95/98/ME user opens it, will his or her system begin to spread the worm as well? --Brett Glass -------------------------------------------------------------- -------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com--- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.280 / Virus Database: 147 - Release Date: 9/11/2001 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.280 / Virus Database: 147 - Release Date: 9/11/2001
Current thread:
- New "concept" virus/worm? Joao Gouveia (Sep 18)
- <Possible follow-ups>
- RE: New "concept" virus/worm? Dave Salovesh (Sep 18)
- RE: New "concept" virus/worm? Tom Brenner (Sep 18)
- RE: New "concept" virus/worm? John Thornton (Sep 18)
- RE: New "concept" virus/worm? Peter Mueller (Sep 18)
- Re: New "concept" virus/worm? Mark Kennedy (Sep 18)