On 31 Dec 2001, at 12:22:38 [GMT +0800] (which was 5:22 where I live) Thomas F wrote:
TF> I keep telling everybody with virus problems that they must have
TF> actively done something to allow the virus to be active on their
TF> computers.

Unfortunately, with the advent of viruses like Nimda and Badtrans-B, this is no longer the case.

TF> If there is a new technology and a computer can be infected by
TF> just web browsing (with the usual precautions), I'd like to know
TF> about it.

The newer viruses, where this could be a problem, make use of bugs in browser software, mostly in IE, that allow them to infect and then spread.

In the case of Nimda, the virus abuses a bug in IIS that allows the virus access to the webserver. Then, due to the fact that it has several means of distribution, it further attacks computers from there. So, if for instance, your company has a Windows NT or Windows 2000 server that is not up-to-date with the latest patches, it may get infected with Nimda if there is an IIS running on it. Nimda will then use shares and various other means to transport itself to other computers. Even using the default shares that WinNT/Win2k machines have, if I'm not mistaken.

Badtrans-B uses a bug in IE that allows it to run without the user having given permission. This is done by faking the MIME header and thus tricking IE into thinking that the file is a harmless image, when in fact it is a script. Because IE forgets to check the file extension after having decided that the file is safe based on the MIME header, it just runs the file as it is, without noticing that it's actually executing something completely different, using the decision that it's safe that was made on the grounds of the MIME header.

In any case: both the IIS problem and the IE MIME-thingy have meanwhile been fixed by Microsoft, but it requires keeping up-to-date with the latest updates and patches to guard you against these things. Mostly the bugfix comes after one or more viruses have shown the problem, which is too late.

Most people aren't that prudent with keeping their systems up-to-date, or even their virus-scanner for that matter.

More information on the inner workings of Nimda and Badtrans can, for instance, be found via the website of the Symantec Anti-virus Research Center at http://www.sarc.com/ . If you are interested in which viruses are most prominently present on the net today and how they spread across the world, have a look at the VirusEye page of http://www.messagelabs.com/ .

Note that I'm not in any (commercial) way related to these two companies. I merely use Symantec's site most of the time because I maintain the anti-virus software at work, which is based on their product.

Conclusion: If you use The Bat! for e-mail and are not in the habit of opening html-attachments in your browser, or if your browser is something other than IE (or anything else that uses the IE controls), then you should be reasonably safe against viruses that spread using bugs in IE's html-renderer.

Protection against buggers like Nimda that use multiple distribution methods, including network shares, is much more difficult. Best advice is to make sure that you keep your anti-virus patterns up-to-date (if your software allows it, set it to check for updates on a daily basis), run some kind of firewall software if you're on cable or xDSL, and try to keep up with Microsoft's patches. You can help yourself doing the latter by installing a small tool that will alert you to available patches when you are on-line. You will find this tool among other patches and updates on http://windowsupdate.microsoft.com/ .

-- 
Greetings,
Maurice

ICQ: 15724776 | WWW: http://www.kiap.org/
Using The Bat! v1.54 Beta/20 on Windows NT 5.0 Build 2195 Service Pack 2

-- 
________________________________________________________
Archives   : http://tbudl.thebat.dutaint.com
Moderators : mailto:[EMAIL PROTECTED]
TBTech List: mailto:[EMAIL PROTECTED]
Unsubscribe: mailto:[EMAIL PROTECTED]
Latest Vers: 1.53d
FAQ        : http://faq.thebat.dutaint.com
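The Badtrans-B paragraph above describes the core defect: the client trusts the declared MIME Content-Type ("a harmless image") and never re-checks the attachment's actual name or contents. The check a mail gateway or scanner can do is the one IE skipped: compare what a part declares against what it carries. The following is an added example written for this thread, not code from the mail, from The Bat!, or from any anti-virus vendor named above. The function names (`find_mime_mismatches`, `build_sample_message`), the extension list and the sample message are all constructed for the example; the sample has no relation to any real Badtrans-B mail.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Constructed list for this example: extensions that Windows launches directly.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Content-Type main types a mail client treats as passive, "safe to render" media.
PASSIVE_MAINTYPES = {"image", "audio", "video", "text"}


def attachment_extension(part) -> str:
    """Return the lower-cased final extension of the part's filename, or ''."""
    name = part.get_filename() or ""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def find_mime_mismatches(raw: bytes) -> List[Dict]:
    """Flag non-multipart parts whose declared Content-Type disagrees with
    their filename extension or with the first bytes of their payload."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_maintype()
        if declared not in PASSIVE_MAINTYPES:
            continue  # only "looks harmless" declarations are interesting here
        reasons = []
        if attachment_extension(part) in EXECUTABLE_EXTENSIONS:
            reasons.append("executable_extension")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":  # DOS/PE executable header behind a media Content-Type
            reasons.append("executable_magic")
        if reasons:
            findings.append({
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
                "reasons": reasons,
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: one genuine image and two mislabelled executables."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample for MIME checking"
    msg.set_content("Body text of the constructed sample.")
    # A real GIF header with an image Content-Type: consistent, should not be flagged.
    msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image",
                       subtype="gif", filename="photo.gif")
    # Declared as an image, but the name ends in .pif and the bytes start with MZ.
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="image",
                       subtype="gif", filename="photo.gif.pif")
    # Declared as audio, .scr filename, MZ header.
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="audio",
                       subtype="x-wav", filename="song.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_mime_mismatches(build_sample_message()):
        print(finding)
```

Two independent signals are checked on purpose: the extension test catches the double-extension trick even when the payload is a script with no recognisable header, and the magic-byte test catches a renamed binary even when the sender omits the filename. Either one alone is the kind of single point of trust the mail above describes.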

