
Nimda Worm Virus



contributed by @stake (Sep 19, 2001 3:16 pm EST)

Overview

Nimda is a fast-spreading virus and worm. It propagates through several mechanisms:

  • It scans for vulnerable IIS servers and exploits them, using tftp to copy its files onto the server.
  • It sends e-mail with a readme.exe attachment to addresses found in MAPI mailboxes, forging the sender address.
  • It appends a JavaScript line to the bottom of every HTML page on an infected system; vulnerable browsers that load these pages infect themselves.
  • It scans for Samba and Microsoft file shares and attempts to log in with the Guest account, placing its attack files in each directory.

Once a system is infected, its C: drive is shared and the Guest account is added to the Administrators group.
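As an added illustration (not part of the @stake advisory), the two network-visible traces above can be checked for with a few lines of Python: the IIS probes, which all request cmd.exe or root.exe through an encoded directory traversal (the request forms are listed in the CERT advisory CA-2001-26 linked further down this page), and the JavaScript line the worm appends to HTML pages, which opens readme.eml in a new window. The log lines and the HTML page below are constructed samples; the addresses in them are made up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Nimda's IIS probes all target cmd.exe (reached through a directory
# traversal) or the root.exe backdoor left behind by Code Red II. No
# legitimate web request asks for either; the exact request forms are
# listed in CERT CA-2001-26.
TARGET_BINARY = re.compile(r"(?:cmd|root)\.exe", re.I)

# The JavaScript line Nimda appends to .htm/.html/.asp files on an infected
# server (as documented in CERT CA-2001-26): it opens readme.eml in a window.
INJECTED_SCRIPT = re.compile(
    r"<script[^>]*>\s*window\.open\(\s*['\"]readme\.eml['\"]", re.I)


def is_nimda_probe(uri_stem):
    """True if a request path targets cmd.exe or root.exe.

    The traversal is hidden behind overlong UTF-8 (%c0%af) or double
    encoding (%252f), so the stem is also checked after two rounds of
    URL-decoding, which additionally catches a percent-encoded file name.
    """
    if TARGET_BINARY.search(uri_stem):
        return True
    decoded = unquote(unquote(uri_stem))
    return TARGET_BINARY.search(decoded) is not None


def scan_iis_log(lines):
    """Map each client IP to the list of probe paths it sent.

    Expects IIS W3C extended log lines with the fields
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
    """
    probes = defaultdict(list)
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        client_ip, uri_stem = fields[2], fields[4]
        if is_nimda_probe(uri_stem):
            probes[client_ip].append(uri_stem)
    return dict(probes)


def has_injected_script(html):
    """True if an HTML document carries the appended window.open("readme.eml") line."""
    return INJECTED_SCRIPT.search(html) is not None


# Constructed sample log in IIS W3C format; the addresses are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:20:01 10.0.0.7 GET /scripts/root.exe /c+dir 404
2001-09-18 13:20:02 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:20:05 10.0.0.9 GET /index.htm - 200
2001-09-18 13:20:06 10.0.0.7 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200
""".splitlines()

# Constructed page with the worm's appended line; the script text itself is
# the one documented in CA-2001-26.
SAMPLE_INFECTED_PAGE = (
    "<html><body><h1>Welcome</h1></body></html>\n"
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>\n'
)

if __name__ == "__main__":
    for ip, paths in scan_iis_log(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} probe(s)")
        for p in paths:
            print("   ", p)
    print("page carries injected script:", has_injected_script(SAMPLE_INFECTED_PAGE))
```

Both checks are deliberately loose: any request for cmd.exe or root.exe is worth an alert whatever the encoding, and the HTML check keys on the window.open("readme.eml") call rather than the full appended line, so a page that was re-saved by an editor that reflowed whitespace still matches.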

Affected Systems

  • Microsoft Internet Explorer with MS01-020 not applied
  • Microsoft IIS with MS01-044 not applied

    It has been observed that an infected system cannot be successfully patched until it has been cleaned.

    Prevention

    • Apply the patches listed above
    • Filter e-mail attachments named readme.exe
    • Disable active scripting
    • Filter UDP port 69 (tftp) inbound and outbound at gateways and firewalls
    • Filter TCP ports 135-139 (RPC and NetBIOS) and 445 (SMB) inbound and outbound at perimeter firewalls
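The attachment rule above, shown as an added example rather than anything from the advisory: a small Python filter that walks a MIME message and flags the readme.exe attachment by name, any attachment with an executable extension, and an executable that arrives under a non-executable MIME type. That last case is the trick behind MS01-020: Internet Explorer trusted the declared type (audio/x-wav in Nimda's mail) and ran the attachment. The same executable-extension rule would also catch the FIX_NIMDA.exe trojan described later on this page. The messages below are constructed; the addresses, boundaries and base64 body are made up.

```python
import email
from email import policy

# Extensions Windows will execute when the attachment is opened.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".pif", ".scr", ".bat", ".vbs")

# Content types under which an executable attachment is at least honest about
# what it is. An executable declared as anything else (audio/x-wav, text/plain,
# ...) is the MS01-020 pattern.
HONEST_EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def risky_attachments(raw_message):
    """Return a list of (filename, content_type, reasons) for attachments to drop.

    reasons is a list drawn from "nimda-name", "executable", "mime-mismatch".
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads the Content-Disposition filename and falls back
        # to the Content-Type name parameter, which is where Nimda puts it.
        filename = part.get_filename()
        if not filename:
            continue
        lower = filename.lower()
        content_type = part.get_content_type()
        reasons = []
        if lower == "readme.exe":
            reasons.append("nimda-name")
        if lower.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("executable")
            if content_type not in HONEST_EXECUTABLE_TYPES:
                reasons.append("mime-mismatch")
        if reasons:
            findings.append((filename, content_type, reasons))
    return findings


# Constructed message in the shape of Nimda's mail: an empty HTML body and an
# executable attachment declared as audio/x-wav. The base64 is filler text.
NIMDA_STYLE_MESSAGE = """\
From: someone@example.com
To: victim@example.com
Subject: sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

<html><body></body></html>
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

Tm90IGEgcmVhbCBiaW5hcnk=
--====_ABC1234567890DEF_====--
"""

# Constructed benign message for comparison.
CLEAN_MESSAGE = """\
From: alice@example.com
To: bob@example.com
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="clean-boundary"

--clean-boundary
Content-Type: text/plain

See attached.
--clean-boundary
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Meeting at 10.
--clean-boundary--
"""

if __name__ == "__main__":
    for name, ctype, reasons in risky_attachments(NIMDA_STYLE_MESSAGE):
        print(f"drop {name} ({ctype}): {', '.join(reasons)}")
    print("clean message findings:", risky_attachments(CLEAN_MESSAGE))
```

Filtering on the name alone is the advisory's minimum; the extension and MIME-mismatch checks are what stop the next variant that renames the file.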

    Cleanup

    @stake does not have any specific cleanup steps beyond those described by the AV vendors. The first and most important step is to unplug the infected system from the internal network. Ideally, the system should be reinstalled or restored from trusted backups. If this is not possible, follow the steps described here:

    F-Secure
    Network Associates
    Symantec

    Additional references are available through the following advisories:

    NIPC Advisory

    CERT Advisory

    Microsoft

    "Nimda" Worms its Way through Microsoft PCs and Servers



    contributed by Anil P (Sep 19, 2001 3:16 pm EST)

    Security administrators and vendors rallied yesterday to thwart the spread of a new e-mail and server worm through Microsoft-based systems. W32/Nimda.A@mm or Nimda, which is "admin" spelled backwards, draws on the worst features of the recent SirCam and Code Red infections. It redistributes itself by e-mail, and also scans for vulnerable web servers, which are then used as launch platforms for further distribution. Among other actions, Nimda alters system settings, infects compressed files, opens hard drive shares, and establishes new "guest" accounts for future remote access. Like Code Red, Nimda-infected systems seek out new prey by scanning port 80. Left unchecked, this activity can result in a noticeable Internet-wide bandwidth crunch. Antivirus product vendors and Microsoft raced to provide Nimda remedies; for safe recovery, CERT recommends formatting infected media and re-installing system software from trusted media. The first reports of Nimda scans appear to have come from Asian networks. While the Nimda source code makes reference to "R.P.China.", its origin and rationale remain undetermined. US Attorney General John Ashcroft has stated that this worm does not appear to be connected to last week's terrorist attacks.

    Wired News

    Microsoft: Information on the "Nimda" Worm

    CERT® Advisory CA-2001-26 Nimda Worm


    Malicious Program Masquerading as NIMDA Fix



    contributed by Tim Hirst (Oct 3, 2001 10:45 am EST)

    It was only a matter of time.
    SecurityFocus, host of the popular security mailing list Bugtraq, issued a warning Tuesday that malicious individuals are sending a trojan disguised as a fix for the NIMDA virus, in an e-mail further disguised to appear to have originated from SecurityFocus and TrendMicro. Using simple yet effective social engineering, the attackers draw on the trust users have in these security companies to help propagate their "fix", which is anything but.
    The e-mail comes with an attachment labeled "FIX_NIMDA.exe" that is actually a trojan that will compromise your computer. When the trojan is run, it appears to perform all the actions that the fix would normally perform (same output, etc.); however, unidentified malicious code is also run on the victim's machine. The e-mail message appears to originate from TrendMicro and SecurityFocus. A closer look at the e-mail headers reveals that the address is fake, but unfortunately most users do not pay that much attention before double-clicking on attachments.
    Remember: the bad guys are still out there, caution is advised.

    SecurityFocus: Warning
    SecurityFocus: Additional Information and Sample Email

    Edited by Dr. Alessandro Meggiato