Information Security News mailing list archives

Worm not linked to attacks


From: InfoSec News <isn () c4i org>
Date: Thu, 20 Sep 2001 04:15:52 -0500 (CDT)

http://www.fcw.com/fcw/articles/2001/0917/web-worm-09-19-01.asp

By Diane Frank 
Sept. 19, 2001

A new worm making its way around networks across the United States has
no connection to the Sept. 11 attacks on the World Trade Center and
the Pentagon, despite the fact that it hit exactly one week after the
attacks, according to Attorney General John Ashcroft.

The CERT Coordination Center at Carnegie Mellon University started
seeing signs of the worm, called "W32.Nimda," on the morning of Sept.
18 in the form of a "massive increase in scanning" directed at the
port used by all Internet traffic on networks. Nimda is the backwards
spelling of "admin," a common shortening of the system administrator
title.

Antivirus vendors followed quickly with analysis showing that one of
the ways the worm spreads is through e-mail messages with the
attachment "readme.exe." It exploits the same vulnerability in Web
servers running Microsoft Corp.'s Internet Information Server as was
used by the Code Red worm in July.

The worm spread quickly Sept. 18 and caused many network traffic
disruptions as it attempted to penetrate IIS servers worldwide.

Some analysts thought it might be connected to the terrorist attacks
because of a Sept. 17 advisory from the National Infrastructure
Protection Center at the FBI. The NIPC advisory warned about an
expected increase in distributed denial-of-service attacks. Such
attacks can cut off access to Web sites by flooding the server with
traffic from infected systems. The NIPC issued the advisory because of
comments from a group of hackers who said they were responding to the
Sept. 11 attacks.

But in a news briefing Sept. 18, Ashcroft said that "there is no
evidence at this time which links this infection to the terrorist
attacks of last week," according to Reuters.



-
ISN is currently hosted by Attrition.org
