http://www.computeruser.com/news/01/11/01/news5.html

By Steven Bonisteel, Newsbytes. November 01, 2001

Some anti-virus companies are warning PC users and system administrators to be on the lookout for a new incarnation of the nefarious Nimda worm, which someone has tweaked -- to improve its performance.

On Tuesday, Symantec's Security Response team said that because of the number of reports it has received since the new variant was spotted Monday, it had increased its severity rating for what is being called "Nimda.E" (or, by at least one other anti-virus company, "Nimda.D").

Symantec said Nimda.E is similar to the original version of the Nimda worm that took the Net by storm in September with its ability to launch Code Red-like attacks on some Web servers at the same time that it was able to propagate as an e-mail and Web page attachment. However, Symantec reported, the new version has some "bug fixes" and other modifications, some of which were apparently designed to evade virus-checking software equipped to stop its predecessor.

As an executable e-mail attachment, the Nimda worms' payloads can be launched when unsuspecting users click on the newly arrived files. It also takes advantage of an old bug in some systems using Microsoft's Internet Explorer and its Outlook e-mail programs to launch automatically when users simply view their mail.

Once launched, Nimda generates its own list of numeric Internet protocol (IP) addresses, which it then probes for evidence of Microsoft IIS Web servers susceptible to a year-old security bug known as the Unicode directory traversal vulnerability. In addition, it can launch a variety of other attacks on IIS servers, including ones that take advantage of systems already cracked open and left vulnerable by the Code Red II worm. What's more, the Nimda worms can turn the Web pages of compromised servers into another vehicle for delivering to browsers a copy of the same code that it has been sending by e-mail.
Virus researchers at U.K.-based Sophos -- which calls the new variant Nimda-D -- say that, when arriving as a file attachment, the worm is now contained in a file called Sample.exe, rather than Nimda.A's Readme.exe attachment. In addition, Sophos said, when Nimda is successful in breaking into a Microsoft IIS Web server, it uploads and launches a Windows dynamic link library file named HTTPODBC.DLL, rather than the ADMIN.DLL that, read backwards, gave the original Nimda worm its name.

Depending on how the original worm was launched, it might overwrite the file called Mmc.exe in the system's Windows directory. Symantec's Security Response team said the new version will now copy itself to the file Csrss.exe in the Windows system folder, rather than use Mmc.exe.

Symantec Security Response: http://securityresponse.symantec.com.
Sophos: http://www.sophos.com.
This archive was generated by hypermail 2b30 : Fri Nov 02 2001 - 03:03:01 PST