Thanks Gary, I'll make sure our NT people know of the 4160 patch.
Here's some info that might be of interest.
IDG News Service, 09/18/01
A new worm that can infect all 32-bit Windows computers and
propagates using multiple methods spread across the world Tuesday
morning, according to Roger Thompson, technical director of malicious
code at TruSecure.
The worm, called Nimda (admin spelled backwards), can spread via e-mail
attachments, HTTP or across shared hard disks inside networks,
Thompson said. The worm can infect all 32-bit Windows systems -
Windows 98, 2000, Millennium Edition, XP, NT - because it scans
systems for between 10 and 100 different vulnerabilities and exploits
them when found, he said.
"It looks like they've made a Swiss Army knife," Thompson said,
referring to the number of different tools the worm can use to attack
systems.
"Every Win32 system is going to be vulnerable, if not from one
(vulnerability), then from another," he said.
When spread by e-mail, Nimda arrives in inboxes as an attachment
called "Readme.exe" or sometimes Readme.eml, Thompson said. The
Readme file, however, has a malformed header (the data at the
beginning of a file that allows a system to identify its type) which
makes the computer think it is a WAV, or sound, file, he said.
However, Readme.exe is in fact a program and can be executed just
from the preview panel when viewing it without it being opened, he
said.
Once the worm has infected a system, be it by HTTP, e-mail or disk
sharing, it then scans its local subnet looking for vulnerable
systems, Thompson said. Though some systems - such as those that are
up to date on their patches, are protected behind firewalls or are
filtering .exe attachments - will be safe from some aspects of the
worm, the fact that it spreads via three methods makes it more
difficult to stop, he said. The spread of the worm across shared
disks, which are more than likely entirely unprotected, "is going to
be a real pain," he said.
The worm was discovered by Thompson's worldwide network of "worm
catcher" systems at 9:08 a.m. ET Tuesday, he said. Within half an
hour, it had spread across the whole world, he said.
"(Nimda) is certainly much faster, much more aggressive and much
bigger" than Code Red, Thompson said. Code Red was another recent
worm that caused a good deal of damage and consternation for systems
administrators worldwide.
Though Code Red did not ultimately have an impact on Internet
performance despite some initial claims to the contrary, "we may
actually see a hit on the Internet (and its performance)" with Nimda,
Thompson said.
Computer security bodies the Computer Emergency Response
Team/Coordination Center and Incidents.org both issued alerts about
increased activity on the Internet Tuesday, stating that the activity
may be related to the worm.
The spread of Nimda comes after warnings from a number of groups
saying that attacks on networks and Web sites were possibilities
after last Tuesday's terrorist attacks against New York and the
Pentagon, outside of Washington, D.C.
Though Thompson declined to comment on a possible connection between
this worm and those attacks, saying it was inappropriate, the
advisory released by TruSecure said, "we cannot discount the
coincidence of the date and time of release, exactly one week to
(probably to the minute) as the World Trade Center attack."
The IDG News Service is a Network World affiliate.
--- In vantage@y..., "Gary Polvinale" <garyp@d...> wrote:
> To the guy who created this virus...
>
> You had better hope that you never get caught. You definitely picked the
> wrong time to be playing games with the data communications of the free
> world. Unlike the corporate recruiting of most hackers that goes on when
> they get caught, I believe you can expect to be drawn and quartered - after
> the really bad stuff is done to you. And for a real treat, we could have
> the government turn you loose in the streets of New York with a 30 second
> head start.
>
> Gary
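The article above describes the e-mail leg of the worm: an attachment named Readme.exe whose header makes the mail client treat it as a WAV sound file, so it runs from the preview pane. A mail gateway can catch that class of mismatch generically. The following is an added example, not code from the article, TruSecure or this list; it assumes the "malformed header" is a MIME Content-Type declaration (audio/x-wav) on the attachment part, uses the standard Python email parser, and runs on a constructed sample message whose attachment payload is only the two-byte Win32 executable signature "MZ" followed by zeros, not a real program. The extension list and the detection rules are the example's own choices.

```python
"""Flag e-mail attachments whose declared MIME type disagrees with what
the attachment actually is (added example; assumes the worm's "malformed
header" is a MIME Content-Type of audio/x-wav on a Win32 executable).

Three independent signals are checked per attachment:
  1. the filename matches one of the names the article reports;
  2. the filename has an extension Windows will execute, yet the part is
     declared as audio/image/video/text;
  3. the decoded payload starts with the 'MZ' signature that every Win32
     PE executable begins with, yet the part is declared as inert media.
"""
import base64
import email
from email import policy
import posixpath

# File extensions Windows executes directly (example's own list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# Attachment names the article reports for this worm (compared case-insensitively).
KNOWN_BAD_NAMES = {"readme.exe", "readme.eml"}
# Declared content types that should never carry an executable payload.
INERT_TYPE_PREFIXES = ("audio/", "image/", "video/", "text/")


def inspect_attachment(filename, content_type, payload):
    """Return the list of reasons this attachment looks suspicious (empty if none)."""
    reasons = []
    name = (filename or "").lower()
    ext = posixpath.splitext(name)[1]
    if name in KNOWN_BAD_NAMES:
        reasons.append(f"filename {name!r} matches a known worm attachment name")
    if ext in EXECUTABLE_EXTENSIONS and content_type.startswith(INERT_TYPE_PREFIXES):
        reasons.append(f"executable extension {ext!r} declared as {content_type}")
    if payload[:2] == b"MZ" and content_type.startswith(INERT_TYPE_PREFIXES):
        reasons.append(f"payload has a Win32 'MZ' header but is declared as {content_type}")
    return reasons


def scan_message(raw_message):
    """Parse an RFC 822 message; return {filename: [reasons]} for suspicious attachments."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(filename, part.get_content_type(), payload)
        if reasons:
            findings[filename] = reasons
    return findings


# Constructed sample message: a harmless stub whose first two bytes mimic the
# PE signature, declared as a WAV file the way the article describes, plus a
# benign PNG attachment that should not be flagged.
FAKE_PE_STUB = b"MZ" + b"\x00" * 62  # constructed: signature bytes only, not a program
SAMPLE_EML = (
    "From: someone@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: hello\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "see attached\r\n"
    "--b1\r\n"
    'Content-Type: audio/x-wav; name="readme.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="readme.exe"\r\n'
    "\r\n"
    + base64.b64encode(FAKE_PE_STUB).decode() + "\r\n"
    "--b1\r\n"
    'Content-Type: image/png; name="photo.png"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="photo.png"\r\n'
    "\r\n"
    + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8).decode() + "\r\n"
    "--b1--\r\n"
)

if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE_EML).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed sample, the readme.exe part trips all three rules while photo.png is left alone. The third rule is the durable one: a filter that only blocks by extension is defeated by a renamed file, and one that only trusts the declared Content-Type is exactly what the worm exploited, so checking the decoded bytes against the declared type catches the mismatch regardless of what the sender writes in the headers.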