Free Republic
News/Activism

The "Nimda" virus ("Admin" spelled backwards) -How to Protect...
Mark Kellner Newsletter.

Posted on 09/18/2001 12:24:04 PM PDT by prognostigaator

"Friends,
In his just-concluded news conference, U.S. Atty. General John Ashcroft mentioned the "Nimda" virus ("Admin" spelled backwards). As noted by Symantec Corp. on its Web site:

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

"W32.Nimda.A@mm is a new mass-mailing worm that utilizes email to propagate itself. The threat arrives as a file named readme.exe in an email.

"In addition, the worm sends out probes to Microsoft IIS servers attempting to spread itself by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm. Compromised servers may display a webpage prompting a visitor to download an Outlook file which contains the worm as an attachment.

"Also, the worm will create an open network share allowing access to the system. The worm will also attempt to spread via open network shares."

You need to make sure your computer is protected against such viruses. Visit www.symantec.com, www.mcafee.com or www.commandcentral.com (among other anti-virus sites) and make sure YOUR anti-virus software is updated.

Regards, Mark Kellner"

TOPICS: Announcements; News/Current Events

1 posted on 09/18/2001 12:24:04 PM PDT by prognostigaator

To: prognostigaator
As observed previously, anyone who would open a .exe file that comes in an e-mail attachment is definitely a few terrorists short of a hi-jacking.
2 posted on 09/18/2001 12:29:01 PM PDT by Maceman

To: prognostigaator, Yellow Rose of Texas
Thanks for posting this bump.

Rosie: this is what I was talking about.

3 posted on 09/18/2001 12:31:17 PM PDT by amom

To: prognostigaator
I received a worm virus through my Yahoo mail today. It was in the form of a batch file; Norton picked it up and I deleted it. No harm done, but it was probably the same one, so watch out.
4 posted on 09/18/2001 12:34:58 PM PDT by Reagan is King

To: prognostigaator
FWIW - Wired is claiming at http://www.wired.com/news/print/0,1294,46944,00.html that:

But most e-mails containing the W32/Nimda.A-mm worm do not have a visible attachment. When the subject of the email is clicked so that the recipient can read the e-mail, the worm is immediately activated and attempts to run a programming script.

They recommend turning off scripting (in either IE or Outlook).

5 posted on 09/18/2001 12:36:08 PM PDT by RippleFire
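Added example, not code from the thread or from any of the vendors named in it: a Python check that walks a MIME message and flags the traits the Symantec note and the Wired quote above describe (an attachment named readme.exe, a message with no visible attachment). The sample message, its addresses, the declared content type and the executable-extension list are constructed assumptions.

```python
import email
from email import policy

# Constructed sample message, not a real Nimda capture: blank Subject, an HTML body,
# and a base64 part named readme.exe whose bytes start with the "MZ" executable header
# even though the declared type and an inline disposition hide it from the reader.
SAMPLE_EML = """\
From: sender@example.invalid
To: you@example.invalid
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>nothing to see</body></html>
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Disposition: inline
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

EXEC_EXTS = (".exe", ".com", ".bat", ".scr", ".pif", ".vbs")


def scan_message(raw: str) -> dict:
    """Report a blank subject, executable-named parts, and parts whose decoded
    bytes are a PE executable regardless of what the headers claim."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"blank_subject": not (msg["Subject"] or "").strip(), "parts": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()   # falls back to the Content-Type name
        data = part.get_payload(decode=True) or b""  # decoded bytes of this part
        reasons = []
        if name.endswith(EXEC_EXTS):
            reasons.append("executable filename")
        if data[:2] == b"MZ":
            reasons.append("PE header despite declared type " + part.get_content_type())
        if reasons and part.get_content_disposition() != "attachment":
            reasons.append("not shown as an attachment")
        if reasons:
            findings["parts"].append({"name": name or "<unnamed>", "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(scan_message(SAMPLE_EML))
```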

To: prognostigaator
I don't know if it's this thing or not, but something is attacking my web server.
6 posted on 09/18/2001 12:37:32 PM PDT by mlo

To: prognostigaator
Now if only the idiots would stop downloading .exe attachments.
7 posted on 09/18/2001 12:40:47 PM PDT by okie_tech

To: Maceman
As observed previously, anyone who would open a .exe file that comes in an e-mail attachment is definitely a few terrorists short of a hi-jacking

There is a bug in MSIE 5 that automatically executes ".eml" files -- and there is a way of creating those files to automatically execute an attachment. Protect yourself by disabling Active Scripting (Tools->Internet Options->Security->Custom Settings).

8 posted on 09/18/2001 12:45:01 PM PDT by kevkrom

To: prognostigaator
As many of you know, I help with the FreeRepublic fundraisers. It is not always easy or fun sitting at a computer for hours and hours monitoring those threads. Everyone who works the threads VOLUNTEERS to do so. We spend days and weeks helping to keep FreeRepublic running.

Ask yourself these questions:

Where is the first place I go to get my news?
Am I getting any benefit from FreeRepublic?
Am I learning from FreeRepublic?

FreeRepublic is not free. It costs Jim Robinson tens of thousands of dollars to keep this forum running. There are over 60,000 registered users on FreeRepublic and only 1,000 help keep this forum running. Those who do not have the ability to donate money could help by bumping the threads once in a while. Those who do should be ashamed of yourselves. You are a FReeploader.

Go ahead, flame me. I don't care. I contribute to FreeRepublic, and I for one do not want to see this forum dead.

If everyone who registered donated one measly dollar a month, we would never have to have a fundraiser again.

Donate Here by Secure Server

Or Mail your check to:

FreeRepublic , LLC
PO BOX 9771
FRESNO, CA 93794

To donate by PayPal:

Send PayPal direct to JimRob@psnw.com

9 posted on 09/18/2001 12:47:19 PM PDT by WIMom

To: prognostigaator
I think I was hit by this yesterday at my shop. I received an email from an unknown person [there WAS NO ATTACHMENT]. Norton [updated last week] spotted a virus and supposedly repaired it, but something is screwed up.

I deleted the email right away and only got a glance at it, but as I recall it had red and blue background.

10 posted on 09/18/2001 12:58:45 PM PDT by the crow

To: mlo
I don't know if it's this thing or not, but something is attacking my web server.

I have logged 141 alarms (Hack Tracer) since 10:10:21 this am. Getting about 2-4 a minute now.

11 posted on 09/18/2001 1:00:39 PM PDT by amom

To: prognostigaator
It seems it is time to sue Microsoft for damages - the security of their products is at the level of open sabotage.
12 posted on 09/18/2001 1:10:07 PM PDT by alex

To: amom
POP mail to my server is offline - it's gone. And I'm getting pounded so bad by TCP probes that it's becoming a trick staying online. The source ports are usually high-numbered and cycled at random, but the destination is always port 80 (browser). I'm doing nothing but sitting here on FR and all this junk is lighting up my alert panel. Traces follow back to some or another company server - guess their infected servers are out probing around looking for more.

13 posted on 09/18/2001 1:14:14 PM PDT by DeBug=int13

To: prognostigaator

'Nimda' Computer Worm Hits Worldwide

By Duncan Martell

SAN FRANCISCO (Reuters) - A damaging new computer worm was spreading like wildfire across the Internet on Tuesday, hitting both home PC users and commercial servers, in an outbreak that could prove more widespread and costly than the Code Red viruses, computer security experts said.

Known as "Nimda," which spells admin backwards, the worm spreads by sending infected e-mails and also appears able to infect Web sites, so when a user visits a compromised Web site, the browser -- if it has not been patched -- can spread the worm to a PC, analysts said.

So far, it appears that Nimda arrives in e-mail without a subject line and containing an attachment titled "readme.exe," experts said.

Internet security experts have warned of the potential for an increase in virus activity after last week's attacks on the World Trade Center and Pentagon, but U.S. Attorney General John Ashcroft said there was no sign the outbreak was linked to those events.

"There is no evidence at this time which links this infection to the terrorist attacks of last week," Ashcroft told a news briefing.

The worm may have started as early as Monday and was showing signs of overloading traffic on the Internet, Ashcroft said, saying that Nimda proved "heavier" than the Code Red worm that caused an estimated $2.6 billion in clean-up costs on Internet-linked computers after outbreaks in July and August.

"Compared to Code Red, it may well be bigger simply because it can affect home users as well," said Graham Cluley, senior technical consultant for Sophos Antivirus.

If Microsoft Corp.'s Outlook e-mail program has not been patched with an update that became available in March, the recipient does not even need to open the attachment to activate the virus -- opening the e-mail itself is sufficient -- said Vincent Weafer, senior director of Symantec Corp.'s Symantec Security Response unit.

Other e-mail programs, such as Eudora or International Business Machines Corp.'s Lotus Notes, require the recipient to open the attachment for the virus to replicate, he said.

So far, the malicious program does not appear capable of erasing files or data, but Nimda has shown itself capable of slowing down computer operations as it replicates, experts said.

"In terms of data destruction, we haven't seen anything," Weafer said.

Experts said Nimda had appeared in the United States, Europe and Latin America and was likely to spread to other regions as well.

"It seems to be very widespread and (moves) at an incredibly quick rate," Cluley said. "The reason it's become so widespread is because it not only travels via e-mail but it contaminates Web sites as well."

The worm exploits an already detected vulnerability in Microsoft's Internet Information Server Web software running on Windows NT or 2000 machines, the same breach that the Code Red viruses exploited, experts said.

Once Nimda infects a machine, it tries to replicate in three ways. It has its own e-mail engine and will try to send itself out using addresses stored in e-mail programs. It also scans IIS servers looking for the known vulnerability and attacks those servers. Finally, it looks for shared disk drives and tries to replicate itself to those devices, Symantec's Weafer said.

Experts urged companies and users to update antivirus software and to download the software patches, noting the principal reason the worm had spread so quickly was that people and companies had not downloaded the free software patches.

Patches are available for both the IIS vulnerability and Web browsers at http://www.microsoft.com/security.

14 posted on 09/18/2001 1:16:15 PM PDT by Dog Gone
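Added example, not code from the thread or from any vendor named in it: a Python check over constructed IIS-style access log lines that flags the encoded directory-traversal probes to port 80 that the Symantec note and the Reuters piece above attribute to the worm, and tallies hits per source address the way the alarm counts posted earlier accumulate. The log layout, the sample addresses and the requested paths are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed IIS-style log lines (date time c-ip method uri status), not a capture from
# the thread. The probes climb out of the web root with encoded "../" sequences, the
# "Unicode Web Traversal" bug named above; the paths are illustrative only.
SAMPLE_LOG = """\
2001-09-18 10:10:21 203.0.113.7 GET /scripts/..%c0%af../winnt/win.ini 200
2001-09-18 10:10:22 203.0.113.7 GET /msadc/..%255c../winnt/win.ini 404
2001-09-18 10:10:40 198.51.100.9 GET /index.html 200
2001-09-18 10:12:15 192.0.2.44 GET /_vti_bin/..%5c../winnt/win.ini 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalize_uri(uri: str) -> str:
    """Undo the encodings the traversal bug relied on so that '..' becomes visible."""
    path = uri.split("?", 1)[0]
    for _ in range(2):  # two passes catch double encoding such as %255c -> %5c -> \
        path = re.sub(r"%c0%af", "/", path, flags=re.I)     # overlong UTF-8 for '/'
        path = re.sub(r"%c1%9c", "\\\\", path, flags=re.I)  # overlong UTF-8 for '\'
        path = unquote(path)
    return path.replace("\\", "/")


def escapes_web_root(path: str) -> bool:
    """True if the normalized path climbs above the site root at any point."""
    depth = 0
    for part in path.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False


def find_probes(log_text: str):
    """Return flagged (ip, uri, status) tuples and a hit count per source IP."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and escapes_web_root(normalize_uri(m.group(4))):
            hits.append((m.group(2), m.group(4), int(m.group(5))))
    return hits, Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    hits, per_ip = find_probes(SAMPLE_LOG)
    print(hits, dict(per_ip))  # a 200 on a traversal request deserves first attention
```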

To: Dog Gone
I'm definitely fighting this thing. Patch is applied but I need to know how to remove it from the infected systems. Anybody got a link?
15 posted on 09/18/2001 1:50:09 PM PDT by mlo

To: mlo
Boy, I wish I did. The microsoft site might have some hints.

If anyone hasn't downloaded the patch, they had better do so right away.

16 posted on 09/18/2001 2:05:46 PM PDT by Dog Gone

To: mlo, Dog Gone
OK guys - here's a couple of somethings to look over - try the procedures at your own risk:

http://www.zdnet.com/tlkbck/comment/22/0,7056,117438-937861,00.html

http://www.zdnet.com/tlkbck/comment/22/0,7056,117438-937829,00.html

17 posted on 09/18/2001 2:11:05 PM PDT by DeBug=int13

To: alex
It seems it is time to sue Microsoft for damages - the security of their products is at the level of open sabotage.

Just get a Mac....

18 posted on 09/18/2001 2:16:44 PM PDT by CheneyChick

To: DeBug=int13
The source ports are usually high-numbered and cycled at random, but the destination is always port 80 (browser). I'm doing nothing but sitting here on FR and all this junk is lighting up my alert panel.

Same here. Log is at 253 now.

19 posted on 09/18/2001 2:17:36 PM PDT by amom

To: Maceman
I never open attachments. I usually delete e-mails from people I don't know before reading them. I have noticed since yesterday that my firewall has been going nuts with warnings. I just now logged on and I've already seen a dozen warnings. ZoneAlarm is so busy, 'Who is this' isn't working. Many of the alarms are for multiple scans.
20 posted on 09/18/2001 2:17:54 PM PDT by CarolAnn