[ISN] Researchers say Nimda set to propagate again

From: InfoSec News (isnat_private)
Date: Fri Sep 28 2001 - 05:22:49 PDT

  • Next message: InfoSec News: "[ISN] Cisco firewall has a hole"

    [Sadly there is about twenty seperate companies subscribed to ISN that
    will never see this message because the word Nimda has been blocked by
    their virus protection software.  - WK]
    By Deborah Radcliff, Computerworld online 
    September 27, 2001 10:52 am PT
    RESEARCHERS HAVE DISCOVERED a third vector to the Nimda worm, which is
    set to propagate again through e-mail at 1 a.m. ET Friday.
    "We rechecked the code base to Nimda, and we found a code set that is
    supposed to respread Nimda through e-mail systems starting 10 days
    after machines were first infected," said Oliver Friedrichs, director
    of engineering at the Attack Registry and Intelligence Service. That
    service is sponsored by SecurityFocus, a business security firm in San
    Mateo, Calif.
    Ten days after first infecting machines, the worm will attempt to
    respread itself through readme.exe attachments, with the same payload
    as its original mail-based infection.
    The impact could be significant or minute, depending on how well the
    IT community has cleaned systems and patched Microsoft IIS (Internet
    Information Server) and Outlook programs. The 10-day vector will
    likely be less severe than Nimda was the first time because more
    systems have been patched against the vulnerabilities, Friedrichs
    But because Nimda has spread itself to so many places on computers,
    networked systems may not have been cleaned enough to prevent
    widespread mailings of the virus. Therefore, Friedrichs advised IT
    managers to do the following:
    -- Double-check their patches.
    -- Make sure their anti-virus software blocks Nimda.
    -- Block executables files at the e-mail gateway.
    -- Alert users not to preview or open any attachments that say
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 07:50:13 PDT