[iwar] [fc:This.Version.Of.Nimda.Worm.Is.'New.And.Improved']

From: Fred Cohen (fc@all.net)
Date: 2001-10-31 22:22:35


Message-Id: <200111010622.fA16MZE15676@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Date: Wed, 31 Oct 2001 22:22:35 -0800 (PST)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:This.Version.Of.Nimda.Worm.Is.'New.And.Improved']

This Version Of Nimda Worm Is 'New And Improved' 
By Steven Bonisteel, Newsbytes, 10/31/2001
http://www.newsbytes.com/news/01/171693.html

Some anti-virus companies are warning PC users and system administrators
to be on the lookout for a new incarnation of the nefarious Nimda worm,
which someone has tweaked - to improve its performance. 
On Tuesday, Symantec's Security Response team said that because of the
number of reports it has received since the new variant was spotted
Monday, it had increased its severity rating for what is being called
"Nimda.E" (or, by at least one other anti-virus company, "Nimda.D"). 
Symantec said Nimda.E is similar to the original version of the Nimda
worm that took the Net by storm in September with its ability to launch
Code Red-like attacks on some Web servers at the same time that it was
able to propagate as an e-mail and Web page attachment. 
However, Symantec reported, the new version has some "bug fixes" and
other modifications, some of which were apparently designed to evade
virus-checking software equipped to stop its predecessor. 
As an executable e-mail attachment, the Nimda worms' payloads can be
launched when unsuspecting users click on the newly arrived files. It
also takes advantage of an old bug in some systems using Microsoft's
Internet Explorer and its Outlook e-mail programs to launch
automatically when users simply view their mail. 
Once launched, Nimda generates its own list of numeric Internet protocol
(IP) addresses it then probes for evidence of Microsoft IIS Web servers
susceptible to a year-old security bug known as the Unicode directory
traversal vulnerability. In addition, it can launch a variety of other
attacks on IIS servers, including ones that take advantage of systems
already cracked open and left vulnerable by the Code Red II worm. 
What's more, the Nimda worms can turn the Web pages of compromised
servers into another vehicle for delivering to browsers a copy of the
same code that it has been sending by e-mail. 
Virus researchers at U.K.-based Sophos - which calls the new variant
Nimda-D - say that, when arriving as a file attachment, the worm is now
contained in a file called Sample.exe, rather than Nimda.A's Readme.exe
attachment. 
In addition, Sophos said, when Nimda is successful in breaking into a
Microsoft IIS Web server, it uploads and launches a Windows dynamic link
library file named HTTPODBC.DLL, rather than the ADMIN.DLL that, read
backwards, gave the original Nimda worm its name. 
Depending on how the original worm was launched, it might overwrite the
file called Mmc.exe in the system's Windows directory. Symantec's
Security Response team said the new version will now copy itself to the
file Csrss.exe in the Windows system folder, rather than use Mmc.exe. 
Symantec Security Response: http://securityresponse.symantec.com
Sophos: http://www.sophos.com
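As an added example (not from the article, Symantec or Sophos), a small Python log-triage script that flags the indicators the article names: the Unicode directory traversal probe in IIS web logs, the ADMIN.DLL versus HTTPODBC.DLL upload that separates the original worm from the variant, and the Readme.exe versus Sample.exe attachment names. The log field layout, client addresses and request URLs are constructed; the assumption that the traversal probe shows up as a percent-encoded high-bit byte sequence wedged between ".." components is the author's, not something the article states.

```python
import re
from urllib.parse import unquote

# Indicators named in the article: the DLL the original worm uploads to IIS
# (ADMIN.DLL) versus the one the Nimda.E / Nimda-D variant uploads (HTTPODBC.DLL),
# and the attachment names Readme.exe (original) versus Sample.exe (variant).
VARIANT_BY_DLL = {"admin.dll": "Nimda.A", "httpodbc.dll": "Nimda.E/Nimda-D"}
VARIANT_BY_ATTACHMENT = {"readme.exe": "Nimda.A", "sample.exe": "Nimda.E/Nimda-D"}

# Assumption: the Unicode traversal probe appears in the log as ".." followed by
# one or more percent-encoded bytes with the high bit set (overlong UTF-8 forms
# of a path separator), so match that shape rather than one fixed encoding.
OVERLONG_TRAVERSAL = re.compile(r"\.\.(?:%[89a-f][0-9a-f])+", re.IGNORECASE)


def classify_request(url):
    """Return the findings for one requested URL (empty list if it looks benign)."""
    findings = []
    low = url.lower()
    decoded = unquote(low)  # plain %2e%2e%2f-style encodings decode to ../ here
    if OVERLONG_TRAVERSAL.search(low) or "../" in decoded or "..\\" in decoded:
        findings.append("unicode-traversal-probe")
    for dll, variant in VARIANT_BY_DLL.items():
        if dll in low:
            findings.append("uploaded-dll:" + variant)
    return findings


def classify_attachment(filename):
    """Map an e-mail attachment name to the Nimda variant it is associated with."""
    return VARIANT_BY_ATTACHMENT.get(filename.lower())


def scan_log(lines):
    """Return (client_ip, url, findings) for each matching line of a W3C-style log.

    Constructed field layout: date time c-ip cs-method cs-uri-stem sc-status.
    """
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        findings = classify_request(fields[4])
        if findings:
            hits.append((fields[2], fields[4], findings))
    return hits


# Constructed sample log, including a traversal probe, both DLL names and a benign hit.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-10-30 09:12:01 192.0.2.10 GET /scripts/..%c0%af../probe 404
2001-10-30 09:12:02 192.0.2.10 GET /scripts/httpodbc.dll 200
2001-10-30 09:13:15 192.0.2.33 GET /scripts/admin.dll 200
2001-10-30 09:15:44 192.0.2.22 GET /index.html 200""".splitlines()

if __name__ == "__main__":
    for client_ip, url, findings in scan_log(SAMPLE_LOG):
        print(client_ip, url, ", ".join(findings))
```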


------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:58 PST