[ISN] Worm not linked to attacks

From: InfoSec News (isnat_private)
Date: Thu Sep 20 2001 - 02:15:52 PDT

    By Diane Frank
    Sept. 19, 2001

    A new worm making its way around networks across the United States has
    no connection to the Sept. 11 attacks on the World Trade Center and
    the Pentagon, despite the fact that it hit exactly one week after the
    attacks, according to Attorney General John Ashcroft.

    The CERT Coordination Center at Carnegie Mellon University started
    seeing signs of the worm, called "W32.Nimda," on the morning of Sept.
    18 in the form of a "massive increase in scanning" directed at the
    port used by all Internet traffic on networks. Nimda is the backwards
    spelling of "admin," a common shortening of the system administrator

    Antivirus vendors followed quickly with analysis showing that one of
    the ways the worm spreads is through e-mail messages with the
    attachment "readme.exe." It exploits the same vulnerability in Web
    servers running Microsoft Corp.'s Internet Information Server as was
    used by the Code Red worm in July.

    The worm spread quickly Sept. 18 and caused many network traffic
    disruptions as it attempted to penetrate IIS servers worldwide.

    Some analysts thought it might be connected to the terrorist attacks
    because of a Sept. 17 advisory from the National Infrastructure
    Protection Center at the FBI. The NIPC advisory warned about an
    expected increase in distributed denial-of-service attacks. Such
    attacks can cut off access to Web sites by flooding the server with
    traffic from infected systems. The NIPC issued the advisory because of
    comments from a group of hackers who said they were responding to the
    Sept. 11 attacks.

    But in a news briefing Sept. 18, Ashcroft said that "there is no
    evidence at this time which links this infection to the terrorist
    attacks of last week," according to Reuters.

    ISN is currently hosted by Attrition.org