Got this from another list I'm on. I have not checked it out but Rsk is 
reliable and virtually hoax proof.


A new worm that hits Windows/IIS is loose this morning.  It's spreading
VERY fast...my logs are scrolling so quickly that I can't even read them.
Reports are coming in on nanog, inet-access, and isp-webhosting.
See below for one vendor's analysis.

---Rsk

----- Forwarded message from "Braun, Mike" <[EMAIL PROTECTED]> -----

> From: "Braun, Mike" <[EMAIL PROTECTED]>
> Date: Tue, 18 Sep 2001 08:33:36 -0700
> Subject: FW: Worm probes
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>
>
> I received this warning from TruSecure regarding the latest worm attack.
>
> Mike Braun
> First American CREDCO
>
> -----Original Message-----
> TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm
>
> Date: September 18, 2001
> Time:  1000 EDT
>
> RISK INDICES:
>
> Initial Assessment: RED HOT
>
> Threat: VERY HIGH, (rapidly increasing)
>
> Vulnerability Prevalence: VERY HIGH, affects IIS servers version 4.0,
> 5.0, and internal networks.
>
> Cost: High, command execution is possible
>
> Vulnerable Systems:  IIS 4.0 and 5.0
>
> SUMMARY:
> A new IIS worm is spreading rapidly.  Its working name is Nimda:
> W32.nimda.a.mm
>
> It started about 9am eastern time today, Tuesday, September 18, 2001.
> Multiple sensors world-wide run by TruSecure corporation are getting
> multiple hundred hits per hour. It began at 9:08am.
>
> The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
> multiple vulnerabilities including:
>
> Almost all are get scripts, and a get msadc (cmd.exe)
> get_mem_bin
> vti_bin  owssvr.dll
> Root.exe
> CMD.EXE
> ../  (Unicode)
> Getadmin.dll
> Default.IDA
> /Msoffice/  cltreq.asp
>
> This is not code red or a code red variant.
>
> The worm, like code red attempts to infect its local sub net first,
> then spreads beyond the local address space.
>
> It is spreading very rapidly.
>
> TruSecure  believes that this worm will infect any IIS 4 and IIS 5
> box with well known vulnerabilities.  We believe that there are
> nearly 1Million such machines currently exposed to the Internet.
>
> Risks Indices:
> Vulnerability   VULNERABILITY  PREVALENCE is very high - Millions of
> Internet Web server hosts:   TruSecure process and essential
> configurations should generally be protective.  The vulnerability
> prevalence world-wide is very high
>
> Threat - VERY HIGH and Growing The rate of growth and spread is
> exceedingly rapid - significantly faster than any worm to date and
> significantly faster than any variant of Code red.
>
> Cost --  Unknown, probably moderate per infected system.
>
>
> The worm itself is a file called
> README.EXE, or ADMIN.DLL
> a 56K file which is advertised as an audio xwave mime type file.
>
> Other RISKS:
> There is risk of DOS of network segments by traffic volume alone
> There is large risk of successful attack to both Internet exposed IIS
> boxes and to developer and Intranet boxes inside of corporations.
>
> Judging by the Code Red II experience, we expect many subtle routes
> of infection leading to inside corporate infections.
>
> We cannot discount the coincidence of the date and time of release,
> exactly one week (probably to the minute) after the World Trade
> Center attack.
>
>
> REPLICATION:
> There are at least three mechanisms of spread:
> The worm seems to spread both by a direct IIS across Internet (IP
> spread)
> It probably also spreads by local shares.  (this is not known for
> sure at this time)
> There is also an email vector where README.EXE is sent via email to
> numerous accounts.
>
> Mitigations
> TruSecure essential practices should work.
> Block all email with EXE attachments
> Filter for README.EXE
> Make sure IIS boxes are well patched and hardened, or removed from
> both the Internet and Intranets.
> Make sure any developer computing platforms are not running IIS of
> any version (many do so by default if either.
> Disconnect mail from the Internet
> Advise users not to double click on any unexpected attachments.
> Update anti-virus when your vendor has the signature.

==================================================
For instructions on how to join or quit this list:

        http://www.wclist.com/join.php

==================================================

-------------------------------------------------------

-- 
Ronnie
==================
Life can be a dream; or it can be a nightmare
it's all in your mind
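A log-scanning sketch, added here as an example and not part of the TruSecure alert or of Ronnie's message: it checks constructed IIS-style log lines for the probe paths the alert lists (cmd.exe, root.exe, msadc, _vti_bin/owssvr.dll, default.ida, and so on) and groups hits by client address so a sweeping host stands out. The log layout, the sample addresses and the specific Unicode traversal encodings (%c0%af, %c1%1c, %255c) are assumptions, not taken from the alert.

```python
import re
from urllib.parse import unquote

# Probe signatures taken from the alert's list of tested vulnerabilities.
# The Unicode traversal encodings are an assumption about what the alert's
# "../ (Unicode)" entry refers to; they are not stated on the page.
PROBE_PATTERNS = {
    "cmd.exe": re.compile(r"cmd\.exe"),
    "root.exe": re.compile(r"root\.exe"),
    "msadc": re.compile(r"/msadc/"),
    "_mem_bin": re.compile(r"/_mem_bin/"),
    "_vti_bin/owssvr.dll": re.compile(r"/_vti_bin/owssvr\.dll"),
    "getadmin.dll": re.compile(r"getadmin\.dll"),
    "default.ida": re.compile(r"default\.ida"),
    "msoffice/cltreq.asp": re.compile(r"/msoffice/cltreq\.asp"),
    "unicode traversal": re.compile(r"%c0%af|%c1%1c|%255c|\.\./"),
}

# Constructed sample log: "date time c-ip method uri status" (assumed layout).
SAMPLE_LOG = """\
2001-09-18 13:08:12 192.0.2.10 GET /index.html 200
2001-09-18 13:08:13 192.0.2.77 GET /scripts/root.exe 404
2001-09-18 13:08:13 192.0.2.77 GET /msadc/root.exe 404
2001-09-18 13:08:14 192.0.2.77 GET /_vti_bin/owssvr.dll 404
2001-09-18 13:08:14 192.0.2.77 GET /scripts/..%c0%af../cmd.exe 404
2001-09-18 13:08:15 192.0.2.77 GET /msoffice/cltreq.asp 404
2001-09-18 13:08:20 192.0.2.33 GET /default.ida 404
""".splitlines()

def classify_request(uri):
    """Return the names of every alert-listed signature the URI matches."""
    raw = uri.lower()
    decoded = unquote(raw).lower()  # one %-decode; overlong forms still hit raw
    return [name for name, rx in PROBE_PATTERNS.items()
            if rx.search(raw) or rx.search(decoded)]

def scan_log(lines):
    """Map each client IP to the sorted set of signatures it triggered."""
    per_ip = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # skip malformed or blank lines
        ip, uri = parts[2], parts[4]
        sigs = classify_request(uri)
        if sigs:
            per_ip.setdefault(ip, set()).update(sigs)
    return {ip: sorted(s) for ip, s in per_ip.items()}

def suspected_scanners(report, min_signatures=3):
    """Hosts that tried several distinct probes look like the worm's sweep."""
    return sorted(ip for ip, s in report.items() if len(s) >= min_signatures)
```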
_______________________________________________
http://linux.nf -- [EMAIL PROTECTED]
Archives, Subscribe, Unsubscribe, Digest, Etc 
->http://linux.nf/mailman/listinfo/linux-users