[ISN] This version of Nimda worm is 'new and improved'

From: InfoSec News (isnat_private)
Date: Fri Nov 02 2001 - 00:43:45 PST

  • Next message: InfoSec News: "[ISN] Ryanair admits to serious website flaw"

    By Steven Bonisteel, Newsbytes.
    November 01, 2001
    Some anti-virus companies are warning PC users and system
    administrators to be on the lookout for a new incarnation of the
    nefarious Nimda worm, which someone has tweaked -- to improve its
    On Tuesday, Symantec's Security Response team said that because of the
    number of reports it has received since the new variant was spotted
    Monday, it had increased its severity rating for what is being called
    "Nimda.E" (or, by at least one other anti-virus company, "Nimda.D").
    Symantec said Nimbda.E is similar to the original version of the Nimda
    worm that took the Net by storm in September with its ability to
    launch Code Red-like attacks on some Web servers at the same time that
    it was able to propagate as an e-mail and Web page attachment.
    However, Symantec reported, the new version has some "bug fixes" and
    other modifications, some of which were apparently designed to evade
    virus-checking software equipped to stop its predecessor.
    As an executable e-mail attachment, the Nimda worms' payloads can be
    launched when unsuspecting users click on the newly arrived files. It
    also takes advantage of an old bug in some systems using Microsoft's
    Internet Explorer and its Outlook e-mail programs to launch
    automatically when users simply view their mail.
    Once launched, Nimda generates its own list of numeric Internet
    protocol (IP) addresses it then probes for evidence of Microsoft IIS
    Web servers susceptible to a year-old security bug known as the
    Unicode directory transversal vulnerability. In addition, it can
    launch a variety of other attacks on IIS servers, including ones that
    take advantage of systems already cracked open and left vulnerable by
    the Code Red II worm.
    What's more, the Nimda worms can turn the Web pages of compromised
    servers into another vehicle for delivering to browsers a copy of the
    same code that it has been sending by e-mail.
    Virus researchers at U.K.-based Sophos -- which calls the new variant
    Nimda-D -- say that, when arriving as a file attachment, the worm is
    now contained in a file called Sample.exe, rather than Nimda.A's
    Readme.exe attachment.
    In addition, Sophos said, when Nimda is successful in breaking into a
    Microsoft IIS Web server, it uploads and launches a Windows dynamic
    link library file named HTTPODBC.DLL, rather than the ADMIN.DLL that,
    read backwards, gave the original Nimda worm its name.
    Depending on how the original worm was launched, it might overwrite
    the file called Mmc.exe in the system's Windows directory. Symantec's
    Security Response team said the new version will now copy itself to
    the file Csrss.exe in the Windows system folder, rather than use
    Symantec Security Response: http://securityresponse.symantec.com.
    Sophos: http://www.sophos.com.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Nov 02 2001 - 03:03:01 PST