Wrong worm... That is sadmind/IIS and has been around a while... The new bug looks like this:

09/18/01 Virus Alert

Be on the alert for an email borne virus with the following characteristics:

Name of attachment: README.EXE

Description: W32/Nimda-A is a Windows 32 virus which spreads via email, network shares and websites. Affected emails have an attached file called README.EXE. The virus attempts to exploit a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment.

The virus copies itself into the Windows directory with the filenames load.exe and riched20.dll (both have their file attributes set to "hidden"), and attempts to spread itself to other users via network shares. The virus alters the System.ini file to include the line

shell=explorer.exe load.exe -dontrunold

so that it executes on Windows startup. The virus forwards itself to other email addresses found on the computer.

Furthermore, the virus looks for IIS web servers suffering from the Unicode Directory Traversal vulnerability. It attempts to alter the contents of pages on such servers, hunting for the following filenames:

index.html
index.htm
index.asp
readme.html
readme.htm
readme.asp
main.html
main.htm
main.asp
default.html
default.htm
default.asp

If it finds one of the above files on the web server the virus attempts to alter the contents of the file, adding a section of malicious JavaScript code to the end of the file. If the website is then browsed by a user with an insecure version of Internet Explorer, the malicious code automatically downloads a file called readme.eml onto the user's computer - which is then executed, forwarding the virus once more.

The virus contains the following text: "Copyright 2001 R.P.China".

For more information refer to:
(Aliases: W32.Nimda.A@mm, W32/Nimda-A, Code Rainbow, Minda)
Sophos: http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
Symantec: http://www.sarc.com/avcenter/venc/data/w32.nimda.aat_private
Trend Micro: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A

Claymore the unprofound

-----Original Message-----
From: Enrique A. Compań Gzz. [mailto:enriqueat_private]
Sent: Tuesday, September 18, 2001 12:17 PM
To: vuln-devat_private
Subject: New Worm

Yes, yes.... a new "$%"·$ worm. Again, by Chinese terrorists (I cannot refer to them any other way). An example of this (BE CAREFUL) can be seen at http://64.218.116.235
Don't go there if you aren't protected. It downloads readme.eml automatically and executes. It seg faults on my machine... fortunately
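As an added defender-side example (not part of this message or of any vendor's tooling), a small Python checker for two of the host-side indicators the alert describes: target pages on a web root that have a readme.eml script appended, and a System.ini [boot] shell= line that launches more than explorer.exe. The regex and the sample data are assumptions constructed for the example, since the alert does not quote the injected script itself.

```python
import re

# Page names the alert says the worm hunts for on vulnerable IIS hosts.
TARGET_PAGES = {
    "index.html", "index.htm", "index.asp",
    "readme.html", "readme.htm", "readme.asp",
    "main.html", "main.htm", "main.asp",
    "default.html", "default.htm", "default.asp",
}

# The alert only says a script that fetches readme.eml is appended; the exact
# payload is not quoted, so this (assumed) pattern matches any <script> block
# that mentions readme.eml, case-insensitively, across line breaks.
INJECTED_RE = re.compile(r"<script\b[^>]*>.*?readme\.eml.*?</script>", re.I | re.S)

def defaced_pages(pages: dict) -> list:
    """Return the target page names whose tail carries a readme.eml script."""
    hits = []
    for name, body in pages.items():
        if name.lower() not in TARGET_PAGES:
            continue  # only the twelve names above are altered by the worm
        if INJECTED_RE.search(body[-2048:]):  # payload is appended at the end
            hits.append(name)
    return sorted(hits)

def shell_line_tampered(system_ini: str) -> bool:
    """True if the [boot] shell= line launches anything besides explorer.exe."""
    in_boot = False
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line.lower() == "[boot]"
            continue
        if in_boot and line.lower().startswith("shell="):
            return line.split("=", 1)[1].strip().lower() != "explorer.exe"
    return False

# Constructed samples (not taken from a real infection).
SAMPLE_PAGES = {
    "index.htm": "<html><body>Welcome</body></html>\n"
                 '<html><script>window.open("readme.eml")</script></html>',
    "about.htm": '<html><script>window.open("readme.eml")</script></html>',
    "default.asp": "<%= Now() %>",
}
SAMPLE_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[drivers]\nwave=mmdrv.dll\n"

if __name__ == "__main__":
    print("defaced pages:", defaced_pages(SAMPLE_PAGES))
    print("system.ini shell= tampered:", shell_line_tampered(SAMPLE_INI))
```

Note that about.htm is skipped even though it carries the script, because it is not one of the page names the alert lists; widen TARGET_PAGES if your site uses other defaults.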
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 17:05:55 PDT