Attack, Attack, Attack
Won't the script kiddies ever leave us alone?
Redrum: Don't Spell Admin Backward
by Dave Murphy
A newly-discovered Internet worm was detected in the United States yesterday and spread to China and Europe overnight. Today computer users who are connected to networks or the Internet will be facing a particularly nasty email-borne attacker: the Nimda worm.
Its main goal is simply to spread over the Internet and Intranet, infecting as many users as possible and creating so much traffic that networks are virtually unusable.
All end users and administrators running Microsoft Internet Explorer (ver. 5.01 or 5.5 without SP2) should install Microsoft's patch to correct the fault where a MIME header can cause MSIE to execute email attachments automatically. All Microsoft IIS administrators who have not already done so should also install the August 15, 2001 Cumulative Patch for IIS.
This is a mass-mailing worm, which also spreads via network shares, the Microsoft Web Folder Traversal vulnerability (also used by W32/CodeBlue), and a Microsoft incorrect MIME Header vulnerability. It also attempts to create network shares and to use the backdoor created by the W32/CodeRed.c worm. The email subject line varies, the message body is blank, and the attachment name varies and may use the icon for an Internet Explorer HTML document.
Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, this can cause a network traffic jam.
Email addresses are gathered by extracting the email addresses from MAPI messages in Microsoft Outlook and Microsoft Outlook Express, as well as from HTM and HTML documents. The worm then sends itself to these addresses with either no subject line or a subject line containing a partial registry key path.
Some infected users have reported receiving the worm via an email attachment named readme.exe; however, this isn't the case in all instances.
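Because the attachment name varies, a mail filter cannot key on readme.exe alone. The following is an added example, not part of the original article: a gateway-side check that flags any attachment whose filename is executable while its declared Content-Type claims passive media, with the blank body and missing subject recorded as supporting indicators. The function names, the extension and media-type lists, and the sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists for this example; tune them to your own mail policy.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
PASSIVE_MAINTYPES = {"audio", "image", "video", "text"}

def check_message(raw: bytes) -> list:
    """Return one finding per attachment whose name is executable but whose
    declared Content-Type claims passive media."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    blank_body = body is None or not body.get_content().strip()
    no_subject = not (msg["Subject"] or "").strip()
    findings = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, then the Content-Type name.
        name = None if part.is_multipart() else part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in PASSIVE_MAINTYPES:
            findings.append({
                "filename": name,
                "declared_type": part.get_content_type(),
                "blank_body": blank_body,   # supporting indicator only
                "no_subject": no_subject,   # supporting indicator only
            })
    return findings

def build_sample(subject, body, maintype, subtype, filename) -> bytes:
    """Build a constructed message for testing (not captured worm traffic)."""
    m = EmailMessage()
    if subject:
        m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes",
                     maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for sample in [(None, "\n", "audio", "x-wav", "readme.exe"),
                   ("Q3 report", "See attached.\n", "application", "pdf", "report.pdf")]:
        print(sample[4], "->", check_message(build_sample(*sample)))
```

An executable honestly declared as application/octet-stream is not flagged here; blocking executables outright is a separate policy decision.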
Dave's Opinion
I was hoping to have some good news to report after last week's terrorist attacks in the United States. I've waited a week and all the news in the IT world has been sad. I'm disappointed that I have to pick up publication with another Internet worm report. Nimda is going to be a killer. Antivirus software vendors aren't ready for it. McAfee reports that virus definition 4160 is required, and that update isn't expected for another week.
I'm working on an article about computer security. After last week's attacks, we reviewed our security procedures in the office. We found that one minor change we had made three months ago left us in a very vulnerable position, and we didn't discover it until we went over our procedures with a fine-tooth comb. I'll give you the details in the final report.
Call for Comments
What do you think? Leave your comments on the message center.
Previous issues are on our website at http://itrain.org/itinfo/.
International Association of Information Technology Trainers
Copyright © 2001 International Association of Information Technology Trainers, Ltd., All Rights Reserved