Attack, Attack, Attack

Won't the script kiddies ever leave us alone?



Redrum: Don't Spell Admin Backward

by Dave Murphy
ISSN 1535-3613

Dave Murphy, ITrain founder

A newly discovered Internet worm was detected in the United States yesterday and spread to China and Europe overnight. Today computer users who are connected to networks or the Internet will be facing a particularly nasty email-borne attacker: the Nimda worm.

Its main goal is simply to spread over the Internet and intranets, infecting as many users as possible and creating so much traffic that networks are virtually unusable.

All end users and administrators running Microsoft Internet Explorer (ver. 5.01 or 5.5 without SP2) should install Microsoft's patch to correct the fault where a MIME header can cause MSIE to execute email attachments automatically. All Microsoft IIS administrators who have not already done so should also install the August 15, 2001 Cumulative Patch for IIS.

This is a mass-mailing worm that also spreads via network shares, the Microsoft Web Folder Traversal vulnerability (also used by W32/CodeBlue), and a Microsoft incorrect MIME header vulnerability. It also attempts to create network shares and to use the backdoor created by the W32/CodeRed.c worm. The email subject line varies, the message body is blank, and the attachment name varies and may use the icon for an Internet Explorer HTML document.

Once infected, your system is used to seek out others to infect over the web. This creates a lot of port scanning, which can cause a network traffic jam.

Email addresses are gathered by extracting them from MAPI messages in Microsoft Outlook and Microsoft Outlook Express, as well as from HTM and HTML documents. The worm then sends itself to these addresses with either no subject line or a subject line containing a partial registry key path.

Some infected users have reported receiving the worm via an email attachment named readme.exe; however, this isn't the case in all instances.
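A mail gateway can screen for the traits described above (an executable attachment, a MIME header that misdeclares it, and a blank message body). The following Python sketch is an added example, not code from the original article; the function name, the extension and content-type lists, and the sample message (including its declared type) are assumptions constructed for illustration.

```python
from email import message_from_string

# Assumption: a short, non-exhaustive list of directly executable extensions.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")
# Assumption: content types under which an executable is honestly declared.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}

def suspicious_parts(raw_message):
    """Return (filename, declared_type, reasons) per executable attachment."""
    msg = message_from_string(raw_message)
    body_blank, attachments = True, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            attachments.append((name, part.get_content_type()))
        elif part.get_content_maintype() == "text":
            # Any non-whitespace text part means the body is not blank.
            if (part.get_payload(decode=True) or b"").strip():
                body_blank = False
    findings = []
    for name, ctype in attachments:
        if not name.lower().endswith(EXECUTABLE_EXTS):
            continue
        reasons = ["executable attachment"]
        if ctype not in EXECUTABLE_TYPES:
            reasons.append("declared type %s does not match extension" % ctype)
        if body_blank:
            reasons.append("blank message body")
        findings.append((name, ctype, reasons))
    return findings

# Constructed sample message (not captured traffic); the payload is a dummy.
SAMPLE_WORM_LIKE = """\
From: sender@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print(suspicious_parts(SAMPLE_WORM_LIKE))
```

Because the article notes that the attachment name varies, the check keys on the extension and the declared type, not on the name readme.exe.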

Dave's Opinion

I was hoping to have some good news to report after last week's terrorist attacks in the United States. I've waited a week and all the news in the IT world has been sad. I'm disappointed that I have to pick up publication with another Internet worm report. Nimda is going to be a killer. Antivirus software vendors aren't ready for it. McAfee reports that virus definition 4160 is required, and that update isn't expected for another week.

I'm working on an article about computer security. After last week's attacks, we reviewed our security procedures in the office. We found that one minor change we had made three months ago left us in a very vulnerable position, and we didn't discover it until we went over our procedures with a fine-tooth comb. I'll give you the details in the final report.


Copyright © 2001 International Association of Information Technology Trainers, Ltd., All Rights Reserved

http://itrain.org/itinfo/2001/it010919.html
updated September 19, 2001