[ISN] Nimda resurgence falls flat

From: InfoSec News (isnat_private)
Date: Mon Oct 01 2001 - 03:18:28 PDT


    http://news.cnet.com/news/0-1003-200-7340137.html?tag=mn_hd
    
    By Robert Lemos
    Special to CNET News.com 
    September 28, 2001, 4:00 p.m. PT 
    
    A resurgence of the Nimda worm failed to materialize Friday, leaving
    unfulfilled warnings that several security companies made this week.
    
    The e-mail component of the worm, which sends infected messages to
    each entry in an infected computer's Outlook address book, reactivates
    10 days after the original infection. That part of the program had
    antivirus researchers and security experts worried that the Nimda worm
    was again set to spread quickly.
    
    But Friday morning, 10 days after the first infections started to take
    hold, few signs heralded a return of the worm.
    
    "We have been checking throughout the entire day, and we are not
    seeing anything," said John Harrington, director of marketing for
    e-mail filtering service MessageLabs. "Our gut feeling is that it is
    not going to happen."
    
    According to MessageLabs' Web site, the company has detected fewer
    than 1,600 copies of the virus since the start of the epidemic 10 days
    ago.
    
    Nimda--which is "admin," the shortened form of "system administrator,"
    spelled backward--started spreading Sept. 18 and quickly infected PCs
    and servers around the world. Also known as "readme.exe" and
    "W32.Nimda," the worm is the first to use four different methods to
    infect not only PCs running Windows 95, 98, Me and 2000, but also
    servers running Windows 2000.
    
    The worm spreads by e-mailing itself as an attachment, scanning for
    and then infecting vulnerable Web servers running Microsoft's Internet
    Information Server software, copying itself to shared disk drives on
    networked PCs, and appending JavaScript code to Web pages that will
    download the worm to surfers' PCs when they view the page.
    
    The e-mail component of the worm sends Nimda-infected messages every
    10 days, counting from when the victim was originally infected. Since
    the virus is thought to have started Sept. 18 at 8:30 a.m. PDT, the
    first new e-mails should have started going out early Friday.
    
    Only a few infected computers may be left, however.
    
    Anti-virus software maker Trend Micro said that while some companies
    reported infections Friday, the number is still low.
    
    "We've seen a few infections in organizations that haven't done a
    complete cleaning, but it's limited," said company spokeswoman Susan
    Orbuch.
    
    Furthermore, compromised servers and PCs without Outlook installed
    will only have a limited number of e-mail addresses to which to send
    messages. The worm also scans the browser cache on computers for saved
    Web pages that contain e-mail addresses and sends infected messages to
    those addresses as well.
    
    Servers that aren't used to browse the Internet will not have such a
    cache.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


