
BEWARE of NIMDA

simonbs Member Posts: 994
edited September 2001 in General Discussion
I got this from a friend:

This is a mass-mailing worm, which also spreads via open shares, the Microsoft Web Folder Traversal vulnerability (also used by W32/CodeBlue), and a Microsoft content-type spoofing vulnerability. It also attempts to create a share (c , and checks for the presence of the trojan dropped by the W32/CodeRed.c worm. The email attachment name varies and may use the icon for an Internet Explorer HTML document.

The most significant methods of propagation are as follows:

The email messages created by the worm specify a content-type of audio/x-wav with an executable attachment type. Thus when a message is accessed, the attachment can be executed without the user's knowledge.

When infecting, it appends HTML documents with JavaScript code which opens a new browser window containing the infectious email message itself (taken from the dropped file README.EML). Thus when this infected HTML is accessed (locally or remotely), the machine viewing the page is then infected.

Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, this can cause a network traffic jam.

It creates a SYSTEM.INI entry to load the worm at startup:

Shell=explorer.exe load.exe -dontrunold
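Three of the traits the post lists (the audio/x-wav content-type on an executable attachment, the JavaScript appended to HTML pages that opens README.EML, and the SYSTEM.INI Shell= entry) can each be checked for from the defender's side. The Python below is an added example written for this thread, not code from the original posts or from any AV vendor; the mail message, HTML page and SYSTEM.INI text it scans are constructed samples in the shape the post describes, and the checks are heuristics, not a replacement for a scanner signature.

```python
"""Checks for three Nimda traits described in the post: a MIME part labelled
audio/x-wav that actually carries an executable, an HTML file with appended
script that opens README.EML, and a SYSTEM.INI Shell= line that chains load.exe.
Added example for this thread, not code from the posts or from any AV vendor."""
import re
from email import message_from_string

EXEC_EXTS = (".exe", ".scr", ".pif", ".com")


def spoofed_attachments(raw_mail):
    """Filenames of parts whose declared Content-Type is an audio type but whose
    name says executable; a client that trusts the declared type may run them."""
    hits = []
    for part in message_from_string(raw_mail).walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTS) and part.get_content_type().startswith("audio/"):
            hits.append(name)
    return hits


def html_opens_eml(html):
    """True if the page contains script that opens a .eml file in a new window."""
    return re.search(r'window\.open\s*\(\s*["\'][^"\']*\.eml', html, re.I) is not None


def system_ini_shell_tampered(ini_text):
    """True if the Shell= entry loads anything beyond the bare explorer.exe."""
    for line in ini_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip().lower() == "shell":
            return value.strip().lower() != "explorer.exe"
    return False


# Constructed samples in the shape the post describes (not real captures).
MAIL = ("MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
        "--b1\nContent-Type: text/html\n\n<p>hi</p>\n"
        "--b1\nContent-Type: audio/x-wav; name=\"readme.exe\"\n"
        "Content-Disposition: attachment; filename=\"readme.exe\"\n"
        "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA\n--b1--\n")
HTML = '<html><body>hello</body></html><script>window.open("readme.eml", null)</script>'
INI = "[boot]\nShell=explorer.exe load.exe -dontrunold\n[drivers]\nwave=mmdrv.dll\n"

if __name__ == "__main__":
    print(spoofed_attachments(MAIL))        # ['readme.exe']
    print(html_opens_eml(HTML))             # True
    print(system_ini_shell_tampered(INI))   # True
```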

Comments

  • shane Member Posts: 882 ✭✭✭✭
    edited November -1
    Thanks for the heads up!!
  • kimberkid Member Posts: 8,858 ✭✭✭
    edited November -1
    Trick your address book! Who among us doesn't know someone who has experienced the embarrassment of unknowingly spreading a computer virus via their email address book? It's time to STOP this from happening by TAKING CONTROL of your email program!

    For those who are unaware, many computer viruses spread themselves by sending themselves to everyone in your address book. Imagine how you would feel if you were unknowingly infected with a computer virus, and worse yet, your friends, family, and business contacts were being targeted by your computer! Well, if you want to avoid this sort of thing, here's a great tip. This tip won't prevent YOU from getting any viruses (you have to scan those attachments yourself before opening them to do that), but it will stop those viruses from latching onto your address book and sending themselves out to others.

    To avoid spreading computer viruses, create a contact in your email address book with the name !0000 with no email address in the details. This contact will then show up as your first contact. If a virus attempts to do a "send all" on your contact list, your PC will put up an error message saying: "The Message could not be sent. One or more recipients do not have an e-mail address. Please check your Address Book and make sure all the recipients have a valid e-mail address." You click on OK and the offending (virus) message would not have been sent to anyone. Of course, no changes have been made to your original contacts list. The offending (virus) message may then be automatically stored in your "Drafts" or "Outbox" folder. Go in there and delete the offending message. Problem is solved and virus is not spread.

    Try this and pass on to your email contacts. The more people that use this technique, the less vulnerable we will be to viruses that spread in this manner!
    GUN CONTROL: If you're not outraged, you're not paying attention!
    kimberkid@gunbroker.zzn.com
    If you really desire something, you'll find a way...
    ...otherwise, you'll find an excuse.
  • gunboob Member Posts: 203 ✭✭✭
    edited November -1
    Damn!!!! That sounds pretty good to me... never would'a thought of that... but, then again, I'm not in the running for any "computer good ideas" awards. Thanx, Bob
  • redcedars Member Posts: 919 ✭✭✭✭
    edited November -1
    Wow! I don't understand simon's post at all, but I think I understand what Kimber is saying. Thanks for the help guys, I will put it to use. I don't open any e-mail unless I know the sender, but that doesn't protect me from stuff that looks like it is coming from someone I know.
    redcedars
  • 218Beekeep Member Posts: 3,033
    edited November -1
    Wow simonbs, that made my brain tired, you sure know how to make a guy feel dumb. You sure you didn't just make all that up and post it for kicks?
    Will the last reb to leave flarda, please bring the flag?
    [This message has been edited by 218Beekeep (edited 09-20-2001).]
  • Diesel Dummy Member Posts: 193 ✭✭✭
    edited November -1
  • simonbs Member Posts: 994
    edited November -1
    Check CNN, they have more info on the virus. TheSuperMonkeyMan probably knows how to explain it better than me. Maybe he'll see this and respond.
  • simonbs Member Posts: 994
    edited November -1
    A little update from my buddy:

    It has been discovered that the NIMDA virus is polymorphic and is changing with maturity. If you downloaded an update for your virus scanning software, you will probably need to download a new one to handle the shift in the virus functionality. A large number of servers are still spreading this virus. This virus spreads in many different ways: email that you do not have to open, infected web pages, shared disk drives. For more information you can visit the F-Secure website: http://www.f-secure.com/v-descs/nimda.shtml

    Here's a brief excerpt from F-Secure:

    NAME: Nimda
    ALIAS: W32/Nimda.A@mm
    ALIAS: W32/Nimda@mm, I-Worm.Nimda
    SIZE: 57344

    This worm was found on September 18th, 2001. It quickly spread around the world. Nimda is a complex virus with a mass mailing worm component which spreads itself in attachments named README.EXE. It affects Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000 users. Nimda is the first worm to modify existing web sites to start offering infected files for download. Also it is the first worm to use normal end user machines to scan for vulnerable web sites. This technique enables Nimda to easily reach intranet web sites located behind firewalls, something worms such as Code Red couldn't directly do. Nimda uses the Unicode exploit to infect IIS web servers. This hole can be closed with a Microsoft patch, downloadable from: http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
  • concealedG36 Member Posts: 3,566 ✭✭
    edited November -1
    I've been fighting this damn thing for about 36 hours now. My workplace was hit very hard and I'm still trying to get things under control. We haven't yet lost any services, but several of my servers have been seriously damaged. The biggest challenge I'm facing, though, is from the user computers. We have something like 3000 machines, most of which are now infected, that will continue to perpetuate this worm even after I "clean" all the systems. Damn, I was hoping to get a little rest at work since the new baby at home won't allow it!