Date: Wed, 19 Sep 2001 13:17:25 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET NEWS
Subject: BCPL.NET NEWS: Virus Alert: Nimda Worm Spreading Rapidly

---------------------------------------------
NIMDA WORM VERY DANGEROUS & SPREADING RAPIDLY
---------------------------------------------

A new virus (actually a worm), popularly known as the "Nimda Worm" but technically known as "W32/Nimda@MM" or "W32/Nimda.A@MM", is spreading very rapidly and has the potential to cause a great deal of damage.

The Nimda Worm affects PCs on which Outlook or Outlook Express is used for e-mail, PCs on which Internet Explorer is used for Web browsing, and PCs on which Internet Information Server is used. It does not affect Macintosh or UNIX computers.

An Associated Press article about Nimda in this morning's Baltimore Sun (see http://www.sunspot.net/technology/bal-te.internet19sep19.story) stated "Most home users, including those running Windows 95, 98 or ME, are not affected". This is NOT correct!

The Nimda Worm uses several methods to spread its infection to other PCs:

Via E-Mail:
----------

When a PC is infected, Nimda searches for e-mail addresses in three places: in Web pages cached on disk by the Web browser, in e-mail messages stored in the Inbox, and (possibly) in the user's address book. Once Nimda has compiled a list of addresses, it sends infected messages to them all. Nimda contains its own mail routines, so it does not require Outlook Express or any other mail program to send its infected e-mail.

The e-mail sent by Nimda has the following characteristics:

The addresses used on the "From:" lines of the infected messages are taken from the address list compiled by Nimda on the infected PC (see above), so the messages do not appear to come from the owner of the infected PC.

The message body is usually empty (no text).

The message includes a file attachment which may or may not be visible. The attachment name varies, but may be "README.EXE".
Your mail program may display the icon for an Internet Explorer HTML document in association with the attachment.

The content-type associated with the attachment is audio/x-wav, which unpatched versions of Outlook and Outlook Express will automatically try to run. Therefore it isn't necessary to open the file attachment: your PC will become infected if you open the infected e-mail, even in preview mode.

Via Web Servers:
---------------

The infected PC also searches the Internet (and local networks, if any) for Web servers running Microsoft Internet Information Server. When one is found, Nimda first checks to see if the server was previously compromised by the Code Red II worm. If so, Nimda uses the back door previously installed by Code Red II to infect the Web server. Otherwise Nimda uses several vulnerabilities in Internet Information Server to infect the server.

Once a Web server is infected, Web pages on the server may be altered to include JavaScript code that will run automatically on a PC that accesses the page. The JavaScript causes a new browser window to be opened, containing a copy of the infected e-mail file attachment. An unpatched version of Internet Explorer will automatically try to open the file. Therefore your PC can become infected just by browsing Web pages on an infected Web site.

Via File Sharing:
----------------

Once a desktop PC or a Web server is infected, Nimda searches the Internet (and the local network, if any) for other desktop PCs and servers that have file sharing enabled. If one is found, and if it is configured to allow users other than the owner to write files, Nimda puts files on that PC that spread the infection.

How To Protect Your PC Against Nimda:
------------------------------------

Because of the methods the Nimda Worm uses to spread itself, there is no manual way you can protect against infection short of turning off your PC and packing it away in the attic.
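The characteristics listed under "Via E-Mail" above (an attachment declared as audio/x-wav, an executable file name such as README.EXE, and an empty message body) can be turned into a simple mail-gateway check that flags such messages before a mail client gets to auto-run the attachment. The following script is an added example for this page, not code from BCPL or from any of the anti-virus vendors linked below. The two sample messages it scans are constructed inline; the sender and recipient addresses are placeholders, and the expectation that a genuine WAV file starts with the bytes "RIFF" while a Windows executable starts with "MZ" is general file-format knowledge, not something the notice states.

```python
import base64
import email
import os
from email import policy

# File name extensions that a mail client may execute directly.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}

# Leading bytes a genuine file of the declared MIME type would carry.
# (General file-format knowledge; assumption for this example.)
EXPECTED_MAGIC = {"audio/x-wav": b"RIFF", "audio/wav": b"RIFF"}


def build_message(filename: str, ctype: str, payload: bytes, body: str) -> bytes:
    """Assemble a small multipart/mixed message (constructed sample, not a real capture)."""
    encoded = base64.b64encode(payload).decode("ascii")
    text = (
        "From: sender@example.invalid\r\n"            # placeholder address
        "To: recipient@example.invalid\r\n"           # placeholder address
        "Subject: \r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="BOUNDARY"\r\n'
        "\r\n"
        "--BOUNDARY\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        f"{body}\r\n"
        "--BOUNDARY\r\n"
        f'Content-Type: {ctype}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{encoded}\r\n"
        "--BOUNDARY--\r\n"
    )
    return text.encode("ascii")


# Constructed sample 1: looks like the message described in the notice
# (audio/x-wav content-type, README.EXE name, empty body, MZ executable bytes).
SUSPICIOUS_MESSAGE = build_message(
    "README.EXE", "audio/x-wav", b"MZ\x90\x00\x03\x00" + b"\x00" * 26, "")

# Constructed sample 2: a legitimate-looking WAV attachment with a text body.
BENIGN_MESSAGE = build_message(
    "greeting.wav", "audio/x-wav", b"RIFF\x24\x08\x00\x00WAVEfmt " + b"\x00" * 16,
    "Here is the recording from Tuesday.")


def scan_message(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body_text = ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if ctype == "text/plain" and not filename:
            body_text += payload.decode("ascii", errors="replace")
            continue
        # 1. Executable file name hiding behind a media content-type.
        ext = os.path.splitext(filename or "")[1].lower()
        if ext in EXECUTABLE_EXTENSIONS and not ctype.startswith("application/"):
            findings.append(f"type/name mismatch: {ctype} part named {filename}")
        # 2. Windows executable header regardless of what the headers claim.
        if payload[:2] == b"MZ":
            findings.append(f"executable (MZ) header in part declared {ctype}")
        # 3. Declared media type whose payload lacks that format's signature.
        magic = EXPECTED_MAGIC.get(ctype)
        if magic and not payload.startswith(magic):
            findings.append(f"{ctype} part does not start with {magic!r}")
    # 4. The notice says the body is usually empty; only worth noting alongside the above.
    if findings and not body_text.strip():
        findings.append("empty message body alongside suspicious attachment")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, scan_message(raw) or "clean")
```

Run on the two constructed samples, the first message produces four findings (name/type mismatch, MZ header, missing RIFF signature, empty body) while the second produces none. At a gateway, any finding from checks 1 to 3 is enough to quarantine the message; the empty-body check on its own would be far too noisy.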
If your PC is on the Internet or on a local network with other PCs, it is very likely to become infected by Nimda unless you take the following precautions:

If you use Microsoft Outlook, Microsoft Outlook Express, or Microsoft Internet Information Server on a PC running any version of the Microsoft Windows operating system, it is essential that you visit the following URL and apply the patches found there:

http://www.microsoft.com/technet/security/topics/nimda.asp

If you have an anti-virus program on your PC, use its update facility to download the latest version of the virus definition file (DAT file), or see the software vendor's Web site for instructions.

BCPL Staff:
----------

BCPL's Desktop Support workgroup is investigating the simplest and least intrusive way to run the necessary Outlook, Outlook Express and Explorer patches on staff PCs. Staff will be notified via BCPL's internal mailing lists.

Additional Information:
----------------------

See the following URLs for more detailed descriptions of the Nimda Worm and how it works. However, be aware that the information on these sites may be conflicting and may change frequently because the anti-virus specialists are still researching Nimda.

http://www.F-Secure.com/v-descs/nimda.shtml
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99209&

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179 U.S.A.

CONTACTS:
--------
Web Site: http://www.bcpl.net
Administration & Policy: ispadmin@bcpl.net 410-887-6180
Sales, Renewals, Account Status: accounts@bcpl.net 410-887-4172
Technical Support (Help Desk): help@bcpl.net 410-887-3297
Usenet News Newsgroup Requests: news-admin@bcpl.net 410-887-6180
E-Mail & Newsgroup Abuse Reports: abuse@bcpl.net 410-887-6180
Domain Name Service Issues: dnsadmin@bcpl.net 410-887-6180
FAX: 410-887-2091