On Mon, 12 Nov 2001, Reilly wrote:

> I don't think I've seen a posting or action of the Nimda worm to infect
> anything other than IIS. I have over 500 Netscape servers on the net and
> none of them have had any problems. Everything in the logs shows only IIS
> exploits. Some of our IIS servers were infected, about 100, and we were
> able to clean them all with little to no problem without reformatting the
> systems.
>
> Has anyone seen anything similar to what Jim has seen?

Sure. Haven't you been receiving emails with a MIME attachment type of audio/x-wav? One of the worms that does that is Nimda, and most of those emails I receive of that type are one of the Nimda variants. It will infect vulnerable clients who visit an infected site. It will also infect .exe files, and copy itself to file shares.

Once Nimda gets inside a Windows networking domain, it can be a real pain to get rid of. I helped a local high school do so recently. If an admin logs onto a Nimda infected box (which any student may have allowed to become infected through ignorance) then the DC will likely get compromised right away, and there go all the machines in the domain.

I think what you're asking is if the HTTP server infection vector does anything besides IIS, and no it doesn't. What the original poster was saying is that you don't have to be running IIS to get it.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
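Added example, not part of the original post: a mail-gateway style check for the audio/x-wav indicator mentioned in the reply, flagging attachments whose declared type is audio/x-wav but whose bytes are not WAV data. The function names, the magic-byte heuristic and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage


def is_wav(data):
    # A genuine WAV file is a RIFF container: "RIFF" <4-byte size> "WAVE".
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE"


def suspicious_wav_parts(raw):
    """Return (filename, reason) for each audio/x-wav part that is not WAV data."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_type() != "audio/x-wav":
            continue
        data = part.get_payload(decode=True) or b""
        if is_wav(data):
            continue
        # "MZ" is the DOS/PE executable magic; anything else is still a mismatch.
        reason = "executable (MZ header)" if data[:2] == b"MZ" else "not RIFF/WAVE data"
        findings.append((part.get_filename() or "<unnamed>", reason))
    return findings


def build_sample(payload, filename):
    # Constructed test message, not a captured worm mail.
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(payload, maintype="audio", subtype="x-wav", filename=filename)
    return msg.as_bytes()


# Constructed payloads: a stub with an executable header and a minimal WAV header.
FAKE_EXE = b"MZ" + bytes(62)
REAL_WAV = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + bytes(24)

if __name__ == "__main__":
    for name, payload in (("sample.exe", FAKE_EXE), ("sound.wav", REAL_WAV)):
        print(name, suspicious_wav_parts(build_sample(payload, name)))
```
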