'Nimda' worm hits net

    Self-executing virus attacks IIS and Microsoft Outlook.

    By Kevin Poulsen
    Sep 17 2001 11:00PM PT

    Experts are tracking a fast-spreading virus that propagates both by sending itself as an email attachment, and by hacking into vulnerable web servers.

    According to an analysis by SecurityFocus' ARIS analysis team, the W32.Nimda.A@mm worm spreads by infecting Microsoft IIS servers that are open to known software vulnerabilities: the IIS 4.0/5.0 File Permission Canonicalization Vulnerability, the IIS/PWS Escaped Characters Decoding Command Execution Vulnerability, and the IIS/PWS Extended Unicode Directory Traversal Vulnerability. Fixes for all three holes are available from Microsoft.

    The worm also attacks Microsoft Outlook users, arriving as an apparently blank message with an attachment called 'readme.exe'.

    But unlike most so-called mass mailers, Nimda can infect Outlook and Outlook Express users who know better than to open strange attachments. By exploiting a bug, discovered last March, in older versions of Internet Explorer, the worm is able to infect victim computers when the email is read, or even displayed in Outlook's preview pane. A patch for the 'Microsoft IE MIME Header Attachment Execution Vulnerability' is available from Microsoft's web site.

    The worm also spreads by putting a specially crafted page on the web servers it infects. Users of older versions of Internet Explorer who haven't installed Microsoft's patch can be infected by merely visiting a web site that's already fallen prey to the worm.

    Once it's infected a machine, Nimda exposes local hard drives to the network, and spreads further through already-open file shares.

    Cyber security mailing lists began buzzing with word of the W32.Nimda.A@mm worm Tuesday morning, after network administrators noticed a massive increase in probes for unpatched Microsoft IIS web servers.
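The three IIS holes named above are all canonicalization bugs: the server checked a request path before fully decoding it, so double-encoded (`%255c`) or overlong UTF-8 (`%c0%af`) separators could smuggle a `..` past the web-root check. The probes administrators noticed can be spotted in web logs by doing what the server should have done, decoding first and checking afterwards. The scanner below is an added illustration, not code from the article or from SecurityFocus; the log format and the log lines are constructed, and it flags any request whose fully decoded path climbs above the web root.

```python
from urllib.parse import unquote_to_bytes

# Constructed log lines in a simple "date time client method uri query status"
# layout (assumption: not a real IIS log). Two requests hide a directory
# traversal behind overlong UTF-8 and double percent-encoding.
SAMPLE_LOG = """\
2001-09-18 10:01:02 10.0.0.5 GET /index.html - 200
2001-09-18 10:01:03 10.0.0.9 GET /scripts/..%c0%af../outside.txt - 200
2001-09-18 10:01:04 10.0.0.9 GET /scripts/..%255c../outside.txt - 404
2001-09-18 10:01:05 10.0.0.7 GET /docs/../index.html - 200
"""

def canonicalize(raw_path: str) -> str:
    """Decode a request path the way a permissive server would, so the
    traversal check sees the same bytes the file system would see."""
    data = raw_path.encode("latin-1", "replace")
    for _ in range(2):  # two rounds undo double encoding such as %255c -> %5c -> '\'
        data = unquote_to_bytes(data)
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        # Accept overlong 2-byte UTF-8 (lead byte 0xC0/0xC1), which encodes
        # ASCII such as '/' (%c0%af) or '\' (%c1%9c) in a form naive filters miss.
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1").replace("\\", "/")

def escapes_webroot(canon_path: str) -> bool:
    """True if the decoded path ever climbs above the web root."""
    depth = 0
    for seg in canon_path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client, raw_uri) for every request that escapes the web root."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, uri = fields[2], fields[4]
        if escapes_webroot(canonicalize(uri)):
            hits.append((client, uri))
    return hits
```

The benign `/docs/../index.html` request is not flagged because it never leaves the root; only paths that decode to more `..` segments than directories above them are reported.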

    No destructive payload has been identified in the worm, but network administrators report that it consumes massive amounts of bandwidth in its feverish search for vulnerable servers.

    The virus comes at a time of heightened sensitivity to Internet attack.

    On Monday the U.S. National Infrastructure Protection Center (NIPC) issued an advisory warning that a group of vigilante hackers called 'The Dispatchers' have threatened to launch distributed denial of service attacks against unnamed Internet hosts, in response to the September 11th terrorist attacks on the United States.

    "The Dispatchers claim to have over 1,000 machines under their control for the attacks," the advisory reads. "It is likely that the attackers will mask their operations by using the IP addresses and pirated systems of uninvolved third parties."

    Tuesday afternoon, the NIPC issued a warning about Nimda, and Attorney General John Ashcroft held a press conference on the worm. Though Nimda was launched exactly one week after the terrorism, Ashcroft said there was no apparent connection to those attacks.