Interesting People mailing list archives

IP: Nimda: [Lockergnome Windows Daily] Infected Menace


From: David Farber <dave () farber net>
Date: Thu, 20 Sep 2001 01:02:15 -0400


Users are stumped -- the Web is hosed. A new Internet worm was unleashed one full week after the WTC disaster. To the hour, coincidentally. Nimda found its way into our Inboxes earlier today. If you were a diligent little geek, you upgraded to IE 6 or patched IE 5.x back in March when a fix <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp> was posted. If not, you may be finding yourself in a world of hurt right now. When launched, it not only messes with YOUR system, but systems connected to your system. And as if that weren't enough, it's also sending data packets to IP addresses via port 80 -- which is why the Web ain't workin' too well right now. These packets are looking for holes in Microsoft's IIS software. Not one, not two... but SIXTEEN different holes! This, of course, is the rumored number. Here's the scoop: <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp>

For the first time ever, renegade code can be launched automatically -- even if you don't open the e-mail attachment <http://www.lockergnome.com/images/ss/nimda.1.png>. How so? Well, Nimda is an EXE in WAV's clothing. Huh? Outlook and Outlook Express see this menace as an innocent sound file. And, as you know, an embedded sound will be played back automatically in your mail client. But Nimda is NOT a sound file; the message's MIME type <http://www.lockergnome.com/images/ss/nimda.2.png> is spoofed to trick your client into "playing" the attachment. Preview window on or off, if you open the message, you could be in trouble. Again, IE 6 and (appropriately-patched) IE 5.x browsers should be safe in respect to auto-launching Nimda. At least, initially. If you double-click the attached README.EXE file, you're going to be in just as much trouble. Didn't click? Neither did I, but after checking my Temp folder this evening, I found a handful of EXEs masquerading as TMP files <http://www.lockergnome.com/images/ss/nimda.3.png>! Don't be fooled by that icon, either. This sucker is nasty. My suggestion: keep your eye on SARC <http://www.sarc.com/avcenter/venc/data/w32.nimda.a () mm html> and McAfee <http://vil.nai.com/vil/virusSummary.asp?virus_k=99209>.
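The MIME trick the newsletter describes, an executable declared as an audio/x-wav part so the mail client "plays" it, can be caught at a gateway by comparing each part's declared Content-Type with the bytes it actually carries. This is an added example written for this archive page, not code from Lockergnome or any vendor; the message it scans is a constructed stub (an MZ header followed by zeros, not a program), and the function names are assumptions of this example.

```python
import email
from email import policy
from email.message import EmailMessage

# DOS/PE executables begin with "MZ"; RIFF/WAVE sound files begin with "RIFF".
EXECUTABLE_MAGIC = b"MZ"
WAV_MAGIC = b"RIFF"
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")
MEDIA_TYPES = ("audio/", "image/", "video/")


def find_spoofed_parts(raw: bytes):
    """Return (content_type, filename, reason) for every MIME part whose
    declared type disagrees with its filename or its leading bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if data.startswith(EXECUTABLE_MAGIC) and not ctype.startswith("application/"):
            findings.append((ctype, name, "executable header under non-executable media type"))
        elif name.endswith(EXECUTABLE_EXTENSIONS) and ctype.startswith(MEDIA_TYPES):
            findings.append((ctype, name, "executable filename under media type"))
        elif ctype == "audio/x-wav" and not data.startswith(WAV_MAGIC):
            findings.append((ctype, name, "declared WAV but no RIFF header"))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message (not a real worm sample): a harmless stub
    whose first two bytes are the MZ header, declared as a WAV attachment,
    next to a part that really does look like a WAV file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed test"
    msg.set_content("body text")
    stub = EXECUTABLE_MAGIC + b"\x00" * 62  # header only, not runnable code
    msg.add_attachment(stub, maintype="audio", subtype="x-wav", filename="README.EXE")
    msg.add_attachment(WAV_MAGIC + b"\x00" * 60, maintype="audio", subtype="x-wav", filename="note.wav")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_spoofed_parts(build_sample_message()):
        print(hit)
```

The same mismatch check applied to files on disk (a .TMP whose bytes start with MZ) would flag the disguised executables the author found in the Temp folder.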



For archives see: http://www.interesting-people.org/

