[iwar] [fc:Researchers.say.Nimda.set.to.propagate.again]

From: Fred Cohen (fc@all.net)
Date: 2001-09-28 16:03:09



Researchers say Nimda set to propagate again

By Deborah Radcliff, Computerworld, 9/28/2001
http://www.infoworld.com/articles/hn/xml/01/09/27/010927hnnimbda.xml?0927alert

RESEARCHERS HAVE DISCOVERED a third vector to the Nimda worm, which is
set to propagate again through e-mail at 1 a.m.  ET Friday. 

"We rechecked the code base to Nimda, and we found a code set that is
supposed to respread Nimda through e-mail systems starting 10 days after
machines were first infected," said Oliver Friedrichs, director of
engineering at the Attack Registry and Intelligence Service.  That
service is sponsored by SecurityFocus, a business security firm in San
Mateo, Calif. 

Ten days after first infecting machines, the worm will attempt to
respread itself through readme.exe attachments, with the same payload as
its original mail-based infection. 

The impact could be significant or minute, depending on how well the IT
community has cleaned systems and patched Microsoft IIS (Internet
Information Server) and Outlook programs.  The 10-day vector will likely
be less severe than Nimda was the first time because more systems have
been patched against the vulnerabilities, Friedrichs said. 

But because Nimda has spread itself to so many places on computers,
networked systems may not have been cleaned enough to prevent widespread
mailings of the virus.  Therefore, Friedrichs advised IT managers to do
the following:

-- Double-check their patches. 

-- Make sure their anti-virus software blocks Nimda. 

-- Block executable files at the e-mail gateway. 

-- Alert users not to preview or open any attachments that say
readme.exe. 


------------------
http://all.net/ 
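
The advice above to block executable files at the e-mail gateway, sketched as an added example (not part of the original post or the quoted article). It rejects parts by filename extension and also by the leading bytes of the decoded body, since the declared Content-Type and the filename are both chosen by the sender. The extension list, function names and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed site policy: extensions that Windows executes directly (tune per site).
BLOCKED_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def blocked_parts(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every MIME part a gateway should reject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # Normalise: trailing dots/spaces are ignored by Windows when opening.
        name = (part.get_filename() or "").strip().rstrip(". ").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        body = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXT:
            hits.append((name, "blocked extension " + ext))
        elif body[:2] == b"MZ":
            # DOS/PE executables start with "MZ" whatever name or type is claimed.
            hits.append((name or "<unnamed>", "executable header in body"))
    return hits


def sample_message(filename: str, ctype: str, body: bytes) -> bytes:
    """Build a constructed test message with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    maintype, subtype = ctype.split("/")
    m.add_attachment(body, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # Constructed samples: fake bytes, not real malware.
    for fn, ct, data in [
        ("readme.exe", "audio/x-wav", b"MZ\x90\x00fake"),
        ("photo.jpg", "application/octet-stream", b"MZ\x90\x00fake"),
        ("report.pdf", "application/pdf", b"%PDF-1.4 fake"),
    ]:
        print(fn, "->", blocked_parts(sample_message(fn, ct, data)) or "pass")
```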




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:51 PDT