[iwar] [fc:Hacker.Cracks.Islamist.Mailing.List]

From: Fred Cohen (fc@all.net)
Date: 2001-09-19 19:04:58


Return-Path: <sentto-279987-2091-1000951482-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Wed, 19 Sep 2001 19:07:10 -0700 (PDT)
Received: (qmail 25758 invoked by uid 510); 20 Sep 2001 02:05:22 -0000
Received: from n4.groups.yahoo.com (216.115.96.54) by 204.181.12.215 with SMTP; 20 Sep 2001 02:05:22 -0000
X-eGroups-Return: sentto-279987-2091-1000951482-fc=all.net@returns.onelist.com
Received: from [10.1.1.220] by hk.egroups.com with NNFMP; 20 Sep 2001 02:04:59 -0000
X-Sender: fc@big.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-7_3_2_2); 20 Sep 2001 02:04:42 -0000
Received: (qmail 83100 invoked from network); 20 Sep 2001 02:04:42 -0000
Received: from unknown (10.1.10.26) by 10.1.1.220 with QMQP; 20 Sep 2001 02:04:42 -0000
Received: from unknown (HELO big.all.net) (65.0.156.78) by mta1 with SMTP; 20 Sep 2001 02:04:58 -0000
Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id TAA10011 for iwar@onelist.com; Wed, 19 Sep 2001 19:04:58 -0700
Message-Id: <200109200204.TAA10011@big.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Wed, 19 Sep 2001 19:04:58 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Hacker.Cracks.Islamist.Mailing.List]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit

National Infrastructure Protection Center

"Mass Mailing Worm W32.Nimda.A@mm"

Advisory 01-022

September 18, 2001

The National Infrastructure Protection Center (NIPC) has received
numerous reports that a new worm, named W32.Nimda.A@MM, is propagating
extensively through the Internet worldwide.  The worm is exhibiting many
traits of recently successful malicious code attacks such as CODE RED,
but it is not simply another version of that worm.

The Nimda worm threatens Microsoft Internet Information Services on
Windows 2000 and NT web servers and also individual users running
Microsoft Outlook or Outlook Express for their mail service on any
Windows platform (95, 98, and Millennium Edition).  Preliminary analysis
indicates that once a server is infected it will begin to scan for more
vulnerable systems on the local network, which may result in a denial of
service for that network.  In the case of infected workstations as well
as servers, the worm also makes the entire contents of the local primary
hard drive (e.g.  C Drive) available over the network.  It is also
believed that an additional user is added with administrative rights. 

A computer can become infected through a variety of means ranging from
simply viewing an infected webpage using a browser with no security
enabled, to opening a malicious email attachment. 

The NIPC and several other labs continue to analyze the Nimda worm. 
Expect additional updates in the near future.  For the moment, system
administrators and individual users should consider taking the immediate
actions detailed below to protect their systems. 

For system administrators:

Take appropriate steps to prevent the worm's attempts to distribute
itself through the following means:

          - HTTP scanning for IIS vulnerabilities
                    - IIS MSDAC /root.exe
                    - IIS UNICODE decoding cmd.exe
                    - CODERED /root.exe
                    - frontpage /cmd.exe
          - EMAIL (via IFRAMES and javascript)
                    - readme.eml
                    - readme.exe
                    - getadmin.exe
          - TFTP downloads
                    - getadmin.exe
                    - Admin.dll
                    - Getadmin.dll
          - Internet Explorer HTTP iframe and javascript autoexec
                    - readme.eml
                    - readme.exe
          - Open Windows File sharing
                    - readme.exe
                    - readme.eml
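
As an added illustration of the vectors listed above (this is example code, not part of the NIPC advisory or of this post), the Python script below does two defender-side checks: it scans IIS-style web log lines for requests to root.exe and cmd.exe (the MSADC, Unicode-decoding, Code Red and FrontPage probes), decoding URL encoding first so that double-encoded variants such as %255c are caught, and flags requests for the worm's own files (readme.eml and the rest); it also walks a directory tree such as an exported file share looking for the dropped file names. The log format, the client addresses and every request path in the sample are constructed for this example; only the file names come from the list above.

```python
"""Defender-side checks for the Nimda propagation vectors listed in the
advisory. Added example; not part of the NIPC advisory or of this post.

1. scan_log_lines(): reads IIS-style web log lines and flags requests for
   root.exe / cmd.exe (the MSADC, Unicode-decoding, Code Red and FrontPage
   probes) and for the worm's own files (readme.eml, readme.exe, ...),
   normalizing URL encoding first so double-encoded variants are caught.
2. sweep_tree(): walks a directory tree such as an exported file share and
   reports files carrying the dropped-file names from the advisory.

The log format, client addresses and request paths below are constructed
samples for this example.
"""
import os
import tempfile
from collections import Counter
from urllib.parse import unquote

# File names the advisory lists as requested or dropped by the worm.
DROPPED_NAMES = {"readme.eml", "readme.exe", "admin.dll",
                 "getadmin.dll", "getadmin.exe"}
# Executables the HTTP probes try to reach on an IIS host.
PROBE_TARGETS = {"root.exe", "cmd.exe"}


def normalize_path(raw_path):
    """Percent-decode repeatedly (bounded) so that a double-encoded
    separator such as %255c ends up as '/', then lower-case the result."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def classify_request(raw_path):
    """Return a short reason string if the request looks like a Nimda
    probe or payload fetch, else None."""
    path = normalize_path(raw_path)
    base = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if base in PROBE_TARGETS:
        return "probe for " + base
    if base in DROPPED_NAMES:
        return "worm payload " + base
    if "../" in path and "/system32/" in path:
        return "encoded traversal toward system32"
    return None


def scan_log_lines(text):
    """Parse constructed 'date time client method path status' lines and
    return (client, path, reason) for every flagged request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) < 6:
            continue
        client, path = parts[2], parts[4]
        reason = classify_request(path)
        if reason:
            hits.append((client, path, reason))
    return hits


def probing_clients(hits):
    """Count flagged requests per client; an infected host scanning the
    local network shows up as many hits from one address."""
    return Counter(client for client, _, _ in hits)


def sweep_tree(root):
    """Return paths under root whose file name matches a dropped-file name
    (case-insensitive, since Windows shares are)."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in DROPPED_NAMES:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


# Constructed sample log: one host probing IIS paths, another fetching
# readme.eml, plus ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-18 10:02:11 192.0.2.10 GET /index.html 200
2001-09-18 10:02:12 192.0.2.10 GET /scripts/root.exe 404
2001-09-18 10:02:13 192.0.2.10 GET /MSADC/root.exe 404
2001-09-18 10:02:14 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe 200
2001-09-18 10:02:15 192.0.2.10 GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe 404
2001-09-18 10:03:01 198.51.100.7 GET /readme.eml 200
2001-09-18 10:03:05 198.51.100.7 GET /images/logo.gif 200
"""


def demo_sweep():
    """Build a throwaway tree with two dropped-file names (constructed) and
    return the base names sweep_tree() reports."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "docs"))
        for rel in ("Admin.dll", os.path.join("docs", "README.EML"),
                    os.path.join("docs", "notes.txt")):
            with open(os.path.join(tmp, rel), "w") as fh:
                fh.write("constructed sample\n")
        return sorted(os.path.basename(p) for p in sweep_tree(tmp))


if __name__ == "__main__":
    for client, path, reason in scan_log_lines(SAMPLE_LOG):
        print(f"{client:15} {reason:40} {path}")
    print("per-client:", dict(probing_clients(scan_log_lines(SAMPLE_LOG))))
    print("dropped files:", demo_sweep())
```

The decoding loop matters: a single unquote() of `..%255c..` yields `..%5c..`, which contains no separator and would slip past a naive substring match; the second pass is what exposes the traversal. Per-client counts from probing_clients() give the "scanning the local network" signal the advisory describes, and the 200 responses in the sample are the ones worth escalating, since a 404 on root.exe means the probe found nothing.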

For individual users:

Do not read or accept unexpected email file attachments.  These emails
should be deleted.  Make sure browser security is enabled. 

The anti-virus software industry is aware of this worm and has created a
signature file to detect and remove it.  Full descriptions and removal
instructions can be found at various anti-virus software firms' websites,
including the following:

          - http://www.antivirus.com (Trend Micro)
          - http://www.ca.com (Computer Associates)
          - http://www.symantec.com
          - http://www.vil.nai.com (McAfee)

Microsoft has posted critical updates at the following sites:

          - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-044.asp
          - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-020.asp

As always, computer users are advised to keep their anti-virus and
systems software current by checking their vendor's web sites frequently
for new updates, and to check for alerts put out by the NIPC, CERT/CC
and other cognizant organizations. 

Recipients of this advisory are encouraged to report computer intrusions
to me at either the telephone number or email address below, or NIPC,
and to the other appropriate authorities.  Incidents may be reported
online at http://www.nipc.gov/incident/cirr.htm.
The NIPC Watch and Warning Unit can be reached at (202)
323-3204/3205/3206 or nipc.watch@fbi.gov.

------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:45 PDT