From: Sherry M. Rogers (smrogers@socrates.berkeley.edu)
Date: Wed Sep 19 2001 - 15:15:42 PDT
Two corrections/clarifications to the Nimda Worm alert (appended
below) which was sent out this morning:
1) It is important to be sure you have the MIME exploit patch
applied to Internet Explorer before using it for any reason (not
just for reading email), since an unpatched IE browser will automatically
execute Nimda code hosted on an infected web server (the earlier note
implied this was an exposure only when using IE for email):
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
2) Although the security community generally advocates rebuilding an
infected host because the Nimda worm (like the Code Red worm) exposes
the host's file system to unknown, arbitrary attacks, there are
instructions for removing Nimda cited in the Trend Micro link:
http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
------------------------------------------------------------------------
ALERT: NIMDA Worm
The "Nimda Worm" was released yesterday, September 18, and has spread
aggressively through the Internet using multiple mechanisms. Its ultimate
purpose seems to be to create an Internet-wide Denial of Service by
consuming network bandwidth.
When a host is infected, however, so many files are changed that it needs
to be rebuilt from secure media (CD).
Details about the Nimda Worm can be found at:
http://www.cert.org/advisories/CA-2001-26.html or at
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
=> The Nimda worm has the potential to affect both user workstations
(clients) running Windows 95, 98, ME, NT, or 2000 and servers running
Windows NT and 2000.
=> It can spread:
* from client to client via email
* from client to client via open network shares
* from web server to client via browsing of compromised web sites
* from client to web server via active scanning for and exploitation
of the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability
(VU #111677)
* from client to web server via scanning for the back doors left
behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS"
(CA-2001-11) worms
=> Prevention Measures: End Users
* update your virus software with latest code: see links below
* do not open any unknown or unexpected email attachments,
particularly anything entitled README.exe
* do not use Internet Explorer (IE) to read email unless it has been
patched (without the patch the attachment will automatically
be run):
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
* do not use Outlook Express to read email - it has been reported
that it will automatically execute the code on preview
* Disable JavaScript before browsing the Web
=> Prevention Measures: System Administrators:
* make sure all IIS maintenance has been applied:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
* apply patch for the IE vulnerability:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
* disconnect any infected machines immediately
* to determine if your system has been compromised, look
for the following:
- root.exe artifact (indicates a compromise by Code Red II
or sadmind/IIS worms making the system vulnerable to the Nimda
worm)
- admin.dll artifact or unexpected .eml files in the directories
with web content (indicates compromise by the Nimda worm)
Antivirus Vendor Information
Central Command, Inc.
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010918-000005
Command Software Systems
http://www.commandsoftware.com/virus/nimda.html
Data Fellows Corp
http://www.datafellows.com/v-descs/nimda.shtml
McAfee
http://vil.mcafee.com/dispVirus.asp?virus_k=99209&
Sophos
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
Symantec
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
Trend Micro
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
You may wish to visit the CERT/CC's computer virus resources page
located at
http://www.cert.org/other_sources/viruses.html
-System & Network Security
-------------------------------------------------------------------------
Sherry M. Rogers University of California, Berkeley
System & Network Security phone (510)642-7157
-------------------------------------------------------------------------
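The alert's "look for the following" checklist (root.exe, admin.dll, unexpected .eml files) and its description of the IIS directory-traversal and Code Red II back-door probes can be turned into a small detection script. The following is an added example, not part of the original message or any vendor's tool: it canonicalizes request paths the way the vulnerable IIS did (a second percent-decoding pass, and acceptance of overlong two-byte UTF-8 sequences such as %c0%af and %c1%1c), flags the probe shapes documented in CERT CA-2001-26, and applies the file-name indicators from the alert. The log lines, file paths and IP addresses are constructed for illustration.

```python
# Constructed IIS W3C-style log lines (fields: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status). Illustrative, not captured from a
# real server; request shapes follow the probes listed in CERT CA-2001-26.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:01:02 10.0.0.7 GET /scripts/root.exe /c+dir 404
2001-09-18 10:01:03 10.0.0.7 GET /MSADC/root.exe /c+dir 404
2001-09-18 10:01:04 10.0.0.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:01:05 10.0.0.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:01:06 10.0.0.7 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:01:07 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:01:08 10.0.0.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:01:09 10.0.0.7 GET /scripts/..%%35%63../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:02:00 192.168.1.5 GET /index.htm - 200
2001-09-18 10:02:01 192.168.1.5 GET /images/logo.gif - 200
"""

# Constructed list standing in for a walk of the web content directories.
SAMPLE_WEB_FILES = [
    r"C:\Inetpub\wwwroot\index.htm",
    r"C:\Inetpub\wwwroot\readme.eml",
    r"C:\Inetpub\scripts\root.exe",
    r"C:\Inetpub\wwwroot\admin.dll",
]

HEX = b"0123456789abcdefABCDEF"

# Names the alert lists as indicators, plus cmd.exe reached via traversal.
NIMDA_SIGNATURES = ("root.exe", "cmd.exe", "admin.dll")


def percent_decode(data: bytes) -> bytes:
    """One pass of %XX decoding; a '%' not followed by two hex digits is kept."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] == 0x25 and i + 2 < n and data[i + 1] in HEX and data[i + 2] in HEX:
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def lenient_utf8(data: bytes) -> str:
    """Mimic the flawed IIS canonicalisation: a lead byte 0xC0-0xDF plus any
    following byte is taken as a two-byte sequence, so overlong forms such as
    %c0%af ('/') and %c1%1c ('\\') are accepted instead of rejected."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < n:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonicalize(raw_path: str, passes: int = 2) -> str:
    """Decode a request path as the vulnerable server would have: two percent
    decoding passes (so %255c becomes '\\'), lenient UTF-8, '\\' -> '/', lower-case."""
    data = raw_path.encode("latin-1")
    for _ in range(passes):
        data = percent_decode(data)
    return lenient_utf8(data).replace("\\", "/").lower()


def classify_request(raw_path: str) -> list:
    """Return the reasons a request looks like a Nimda/Code Red II probe (empty if clean)."""
    path = canonicalize(raw_path)
    reasons = []
    if "/../" in path or path.endswith("/.."):
        reasons.append("traversal")
    reasons.extend(sig for sig in NIMDA_SIGNATURES if sig in path)
    return reasons


def parse_w3c(line: str):
    """Split one W3C log line into (client_ip, uri_stem, query, status); None for directives."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    return parts[2], parts[4], parts[5], parts[6]


def scan_log(text: str) -> list:
    """Flag probe requests; status 200 on a traversal means the server honoured it."""
    hits = []
    for line in text.splitlines():
        rec = parse_w3c(line)
        if rec is None:
            continue
        ip, stem, _query, status = rec
        reasons = classify_request(stem)
        if reasons:
            hits.append({"ip": ip, "raw": stem, "canonical": canonicalize(stem),
                         "status": int(status), "reasons": reasons})
    return hits


def artifact_findings(paths) -> list:
    """Apply the alert's file-system indicators to paths found under web content."""
    findings = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == "root.exe":
            findings.append((p, "root.exe: Code Red II / sadmind-IIS back door"))
        elif name == "admin.dll":
            findings.append((p, "admin.dll: Nimda payload"))
        elif name.endswith(".eml") or name == "readme.exe":
            findings.append((p, "unexpected mail/attachment file in web content"))
    return findings


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["status"], ",".join(h["reasons"]), h["raw"], "->", h["canonical"])
    for path, why in artifact_findings(SAMPLE_WEB_FILES):
        print(path, "-", why)
```

A filter that looks only for a literal "/../" in the raw request misses every encoded variant in the sample; canonicalizing first is what makes the rule hold. The 200 responses to traversal requests are the ones to treat as a likely compromise, and the file indicators remain the confirming check the alert asks for.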
This archive was generated by hypermail 2b29 : Wed Sep 19 2001 - 15:18:06 PDT