Author Virus alert!
Boulware5

2001-09-18, 1:36 pm

From wired.com:

A new e-mail worm that appears to be a retooled combination of several other successful worms -- and which an Internet security firm says was first released almost to the exact minute of the one-week anniversary of the World Trade Center attacks -- is spreading rapidly across the Internet.

This worm, named W32/Nimda.A-mm, is dangerously different than virtually all e-mail borne viruses: It can infect a computer when a user simply clicks on the subject line in an attempt to open the innocent-looking e-mail, or visits a Web page housed on an infected server.

The e-mails arrive from addresses both known and unknown to the recipient. No action beyond opening the e-mail is required; therefore, the virus is spreading rapidly.
juand

2001-09-18, 1:49 pm

W32/Nimda-A is a Windows 32 virus which spreads via email, network shares and websites.

Affected emails have an attached file called README.EXE. The virus attempts to exploit a MIME Vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment.

The virus copies itself into the Windows directory with the filenames load.exe and riched20.dll (both have their file attributes set to "hidden"), and attempts to spread itself to other users via network shares.

The virus alters the System.ini file to include the line

shell=explorer.exe load.exe -dontrunold

so that it executes on Windows startup.

The virus forwards itself to other email addresses found on the computer. Furthermore, the virus looks for IIS web servers suffering from the Unicode Directory Traversal vulnerability. It attempts to alter the contents of pages on such servers, hunting for the following filenames:

index.html
index.htm
index.asp
readme.html
readme.htm
readme.asp
main.html
main.htm
main.asp
default.html
default.htm
default.asp

If it finds one of the above files on the web server, the virus attempts to alter the contents of the file, adding a section of malicious JavaScript code to the end of the file.

If the website is then browsed by a user with an insecure version of Internet Explorer, the malicious code automatically downloads a file called readme.eml onto the user's computer - which is then executed, forwarding the virus once more.

The virus contains the following text: "Copyright 2001 R.P.China".

Microsoft makes available patches to secure against vulnerabilities in its products at: http://www.microsoft.com/technet/it...ity/current.asp
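
A defender-side check for the indicators listed in the post above, as an added example that is not part of the original thread or of any vendor tool. It assumes the appended script mentions readme.eml by name and treats the last 4 KiB as "the end of the file"; the function names are hypothetical and the sample data is constructed.

```python
import re
import tempfile
from pathlib import Path

# Default-document names the post lists as the worm's targets on IIS servers.
TARGET_STEMS = {"index", "readme", "main", "default"}
TARGET_EXTS = {".html", ".htm", ".asp"}
# Assumption: the appended script refers to readme.eml by name, and
# "the end of the file" is taken to mean the last 4 KiB.
EML_REF = re.compile(rb"readme\.eml", re.IGNORECASE)
TAIL_BYTES = 4096
# File names the post says the worm uses in the Windows directory.
DROPPED_NAMES = {"load.exe", "riched20.dll"}

def check_system_ini(text):
    """Return shell= lines from system.ini text that launch load.exe."""
    hits = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "shell" and "load.exe" in value.lower():
            hits.append(line.strip())
    return hits

def find_dropped_files(windir):
    """Return worm file names present directly in windir (hidden ones included)."""
    return sorted(p.name.lower() for p in Path(windir).iterdir()
                  if p.is_file() and p.name.lower() in DROPPED_NAMES)

def scan_webroot(root):
    """Return targeted pages under root whose tail references readme.eml."""
    flagged = []
    for p in Path(root).rglob("*"):
        if (p.is_file() and p.stem.lower() in TARGET_STEMS
                and p.suffix.lower() in TARGET_EXTS
                and EML_REF.search(p.read_bytes()[-TAIL_BYTES:])):
            flagged.append(p.relative_to(root).as_posix())
    return sorted(flagged)

if __name__ == "__main__":
    # Constructed sample data, not captured from a real infection.
    ini = "[boot]\nshell=explorer.exe load.exe -dontrunold\n"
    print(check_system_ini(ini))
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "index.html").write_bytes(b"<html></html>\n<script>/* readme.eml */</script>")
        (Path(d) / "about.html").write_bytes(b"<html>readme.eml</html>")
        (Path(d) / "load.exe").write_bytes(b"")
        print(scan_webroot(d), find_dropped_files(d))
```

A hit from any of the three checks is a reason to inspect the machine further, not proof of infection on its own.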
Webmaster

2001-09-18, 2:30 pm

I have already received several of these emails. When clicking on the subject line, a message pops up asking you if you want to open the readme.exe file. I always click NO to these messages. Clicking NO on this message is your only defense.

I also noticed that it appears that the email does not even have an attachment associated with it, so be careful.
Kasor

2001-09-18, 7:28 pm

Another one..!
Omletteboy

2001-09-18, 8:16 pm

Yup, encountered this virus today. Some big clients I consult for got hit by it....
Slinky

2001-09-18, 8:52 pm

I don't know if this is the same thing, but I encountered today what seems like a virus. In every folder on my hard drive I have what looks like an email attachment named "sample" and "desktop". They were all 78k in size. Every time I deleted them they would just come back. Had over 500 of them, just eating up space on my hard drive.

Also I received what looked like a net send message yesterday saying my computer tried to infect another with the Code Red Virus, and that I download the patch immediately from Microsoft. Any of this related?