----- Original Message -----
From: "Ian Kelly" <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 7:55 PM
>It's an IIS attack, not email based
It's both. Data so far:
This worm does the following:
1) Port scans IP addresses looking for open port 80 (web servers). Upon finding
a web server, it makes 16 different attempts to gain control, basically using
every major exploit in the book. If it gains control, it infects that web
server.
2) Upon infecting a webserver, it creates an open C drive share, and then
attempts to spread via network shares.
3) It creates the above named file, and modifies the infected web server's
(html & asp) pages to download the virus to folks viewing that web page. So,
anyone accessing an infected server will be presented with a popup to download
or open the file. There is a rumor that the .eml version will not present the
popup; it will automatically download and open in IE5.
4) Infected users' computers will join in on the DDOS portscan/attack.
5) Infected users' computers will also spread via the normal Outlook e-mail
addressbook methods.
Symantec has rated the threat level as a 4, SEVERE.
See www.fsecure.com or
http://securityresponse.symantec.com; the worm is called W32.Nimda.A@mm. No
fixes or removal tools as yet. I had already stopped the virus before the
warnings came out. It will create a file with the infection date and time in
your winnt directory called mmc.exe. There is a real mmc.exe in your
winnt/system32 directory; leave it alone. Rename the mmc.exe file in your
winnt dir to mmc.bad and reboot. Note the date and time of the file creation,
as every webpage on your server that is infected will show the same date and
time. At the very bottom of each page's html you will find a javascript
added; it must be removed, as well as searching your hard drive on your IIS
server and deleting all instances of the file readme.eml. In my opinion,
since there is no fix available as yet for the exploit, I would recommend
shutting down all sites you are hosting for the time being.
The worm W32/Nimda.A@mm is spreading very fast. It may arrive as an email with
the following characteristics:
Subject: None
Body: None
Attachment name: README.EXE
This worm may enter a computer in several ways - it will either be received as
an email with an attachment, over open shared drives in networks, and it seems
that it will also attempt to break into machines running the web server software
IIS (Internet Information Server), utilizing various well known security holes.
All IIS web server admins are encouraged to patch up their web server to protect
themselves. A cumulative patch for IIS servers is available from:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
When the infected file is run, it will copy itself to the system directory as a
hidden file called LOAD.EXE. This file is called from the file SYSTEM.INI so
that it is run from startup.
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
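The posting above describes three things a server admin had to check by hand: readme.eml files dropped on the IIS host, a JavaScript block appended to the bottom of every html/asp page, and mail arriving with no subject, no body and a README.EXE attachment. The following Python script is an added triage example written for this page; it is not code from the list posting or from any vendor. It assumes that the appended script can be recognised simply as a <script> block that references readme.eml (the posting only says a JavaScript referencing that file was appended; it does not quote the exact string), and the sample web root and sample message it scans are constructed here for demonstration.

```python
"""Defender-side triage helpers for the indicators described in the thread:
dropped readme.eml files, html/asp pages with an appended <script> block
referencing readme.eml, and mail with no subject, empty body and a README.EXE
attachment. Added example; not from the original list posting.
Assumption: the injected script is identified only by a <script> element that
mentions readme.eml, since the page does not quote the exact injected string.
"""
import email
import os
import re
import tempfile
from email.message import EmailMessage
from pathlib import Path

# A <script ...>...</script> block whose body mentions readme.eml (assumed signature).
INJECTED_SCRIPT_RE = re.compile(
    r"<script[^>]*>[^<]*readme\.eml[^<]*</script>", re.IGNORECASE | re.DOTALL
)
PAGE_SUFFIXES = {".htm", ".html", ".asp"}

# Constructed sample pages: a clean page, and the same page with a script appended.
SAMPLE_CLEAN_PAGE = "<html><body><h1>Welcome</h1></body></html>\n"
SAMPLE_INJECTED_PAGE = SAMPLE_CLEAN_PAGE + (
    '<script language="JavaScript">window.open("readme.eml")</script>\n'
)


def scan_webroot(root):
    """Walk a web root; return (dropped readme.eml paths, pages with the script)."""
    dropped, modified = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == "readme.eml":
            dropped.append(str(path))
        elif path.suffix.lower() in PAGE_SUFFIXES:
            if INJECTED_SCRIPT_RE.search(path.read_text(errors="replace")):
                modified.append(str(path))
    return sorted(dropped), sorted(modified)


def strip_injected_script(page_text):
    """Return the page text with the appended <script> block removed."""
    return INJECTED_SCRIPT_RE.sub("", page_text)


def message_matches_profile(raw_message):
    """True if an RFC 822 message has no subject, no body text and a README.EXE
    (or readme.eml, the variant the posting mentions) attachment."""
    msg = email.message_from_string(raw_message)
    if (msg.get("Subject") or "").strip():
        return False
    body_empty, attachment_hit = True, False
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            if filename.lower() in ("readme.exe", "readme.eml"):
                attachment_hit = True
        elif part.get_content_type() == "text/plain":
            if (part.get_payload(decode=True) or b"").strip():
                body_empty = False
    return body_empty and attachment_hit


def build_sample_webroot():
    """Create a temporary web root with two infected pages, one clean page and
    two placeholder readme.eml files (all constructed; no real worm content)."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    os.makedirs(os.path.join(root, "sub"))
    Path(root, "index.html").write_text(SAMPLE_INJECTED_PAGE)
    Path(root, "sub", "about.asp").write_text(SAMPLE_INJECTED_PAGE)
    Path(root, "sub", "contact.html").write_text(SAMPLE_CLEAN_PAGE)
    Path(root, "readme.eml").write_text("constructed placeholder, not worm content\n")
    Path(root, "sub", "readme.eml").write_text("constructed placeholder\n")
    return root


def build_sample_message():
    """Construct a message with the profile from the posting: no Subject header,
    empty body, attachment named README.EXE (placeholder bytes)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.test"
    msg["To"] = "admin@example.test"
    msg.set_content("")
    msg.add_attachment(b"placeholder, not an executable", maintype="application",
                       subtype="octet-stream", filename="README.EXE")
    return msg.as_string()


if __name__ == "__main__":
    dropped, modified = scan_webroot(build_sample_webroot())
    print("dropped readme.eml files:", dropped)
    print("pages with appended script:", modified)
    print("sample mail matches profile:", message_matches_profile(build_sample_message()))
```

Run it against a real web root by calling scan_webroot("C:/Inetpub/wwwroot") (path assumed) and review the two lists before deleting anything; strip_injected_script only removes the matched block, so a page that was modified in other ways still needs to be compared against a backup taken before the file timestamp the posting tells you to note.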