From: Sherry M. Rogers (smrogers@socrates.berkeley.edu)
Date: Wed Sep 19 2001 - 11:41:03 PDT
ALERT: NIMDA Worm
The "Nimda Worm" was released yesterday, September 18, and has spread
aggressively through the Internet using multiple mechanisms. Its ultimate
purpose seems to be to create an Internet-wide Denial of Service by
consuming network bandwidth.
When a host is infected, however, so many files are changed that it needs
to be rebuilt from secure media (CD).
Details about the Nimda Worm can be found at:
http://www.cert.org/advisories/CA-2001-26.html or at
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
=> The Nimda worm has the potential to affect both user workstations
(clients) running Windows 95, 98, ME, NT, or 2000 and servers running
Windows NT and 2000.
=> It can spread:
* from client to client via email
* from client to client via open network shares
* from web server to client via browsing of compromised web sites
* from client to web server via active scanning for and exploitation
of the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability
(VU #111677)
* from client to web server via scanning for the back doors left
behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS"
(CA-2001-11) worms
=> Prevention Measures: End Users
* update your virus software with latest code: see links below
* do not open any unknown or unexpected email attachments,
particularly anything entitled README.exe
* do not use Internet Explorer (IE) to read email unless it has been
patched (without the patch the attachment will automatically
be run):
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
* do not use Outlook Express to read email - it has been reported
that it will automatically execute the code on preview
* Disable JavaScript before browsing the Web
=> Prevention Measures: System Administrators
* make sure all IIS maintenance has been applied:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
* apply patch for the IE vulnerability:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
* disconnect any infected machines immediately
* to determine if your system has been compromised, look
for the following:
- root.exe artifact (indicates a compromise by Code Red II
or sadmind/IIS worms making the system vulnerable to the Nimda
worm)
- admin.dll artifact or unexpected .eml files in the directories
with web content (indicates compromise by the Nimda worm)
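The artifact check above can be scripted. The following is an added example, not part of the original alert: it walks one or more web-content directories (on an IIS host these would typically be the Inetpub wwwroot and scripts folders) and reports the three indicators the alert names. The function names and the constructed sample tree in demo() are assumptions for illustration.

```python
"""Scan web-content directories for the on-disk artifacts listed in the
alert: root.exe (Code Red II / sadmind/IIS back door), admin.dll (Nimda)
and unexpected .eml files (Nimda copies of itself). Added example."""
import os
import tempfile

# Artifact names come from the alert; the rest of this script is an assumption.
BACKDOOR_FILES = {"root.exe"}   # left behind by Code Red II / sadmind/IIS
NIMDA_FILES = {"admin.dll"}     # dropped by Nimda
NIMDA_SUFFIX = ".eml"           # Nimda writes copies of itself as .eml


def scan_web_roots(roots):
    """Walk each web-content root and return sorted (path, reason) tuples."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                lower = name.lower()
                path = os.path.join(dirpath, name)
                if lower in BACKDOOR_FILES:
                    findings.append((path, "root.exe: Code Red II/sadmind back door"))
                elif lower in NIMDA_FILES:
                    findings.append((path, "admin.dll: Nimda artifact"))
                elif lower.endswith(NIMDA_SUFFIX):
                    findings.append((path, "unexpected .eml file in web content"))
    return sorted(findings)


def demo():
    """Build a constructed web root (one clean page, three artifacts) and scan it.
    Returns paths relative to the temporary base so results are predictable."""
    base = tempfile.mkdtemp()
    wwwroot = os.path.join(base, "wwwroot")
    scripts = os.path.join(base, "scripts")
    os.makedirs(wwwroot)
    os.makedirs(scripts)
    for name in ("default.htm", "readme.eml", "admin.dll"):   # constructed files
        open(os.path.join(wwwroot, name), "wb").close()
    open(os.path.join(scripts, "root.exe"), "wb").close()
    findings = scan_web_roots([wwwroot, scripts])
    return [(os.path.relpath(p, base).replace(os.sep, "/"), why) for p, why in findings]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```

On a real host, point scan_web_roots() at the actual web-content directories and treat any hit as grounds for disconnecting the machine, as the alert advises.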
Antivirus Vendor Information
Central Command, Inc.
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010918-000005
Command Software Systems
http://www.commandsoftware.com/virus/nimda.html
Data Fellows Corp
http://www.datafellows.com/v-descs/nimda.shtml
McAfee
http://vil.mcafee.com/dispVirus.asp?virus_k=99209&
Sophos
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
Symantec
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
Trend Micro
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
You may wish to visit the CERT/CC's computer virus resources page
located at
http://www.cert.org/other_sources/viruses.html
-System & Network Security
-------------------------------------------------------------------------
Sherry M. Rogers University of California, Berkeley
System & Network Security phone (510)642-7157
-------------------------------------------------------------------------