15 May 2008

Virus News

NEWS ON NIMDA 

Nimda is a new kind of virus. It can infect via email, by visiting an infected website, by seeking out vulnerable servers on the Internet and uploading its files to it, or via a network. What makes Nimda unique is that it is the first worm that actually infects other files. Typically, a worm just makes carbon-copies of itself, all over the hard drive or, in modern times, through email to others. Nimda, however, sticks its code into executable (.EXE) files found on the local drives. This translates into one very wily worm, that can lurk most anywhere and infect most anyone (provided they are running Microsoft Windows (95/98/NT/2000/ME) on their PCs or Microsoft IIS server software on their websites). Nimda's penchant for seeking out vulnerable servers creates a virtual traffic jam on the Internet. The web servers are so busy deflecting (or accepting) Nimda's probes, that others on the Internet notice a slowdown. In some cases, the server itself comes to a halt. This activity is known as a Denial of Service (DoS) attack. Everyone who's infected with Nimda participates in this increased traffic, with their compromised systems busily seeking other systems to compromise. And that's just the beginning.

Nimda also emails itself out to others, arriving in an email with an attachment named "README.EXE". Don't open the attachment, you think? For users of Microsoft Outlook and Outlook Express, who also happen to be using Internet Explorer version 5.01 or 5.5 (click Help | About in Internet Explorer to discover your version) Nimda infects simply by reading the email. Actually, in the case of Outlook Express, it infects simply by you previewing the email in the Preview Pane. While this was resolved some time ago in Microsoft Security Bulletin (MS01-020), many users (if not most) have not installed the patch. If you aren't sure how to interpret your version number to see whether you need the patch, Microsoft has a helpful page to help you determine the exact version. Users of other mail clients aren't immune either. The difference is, the user will have to actually open the attachment themselves. Unfortunately, history has shown that a large percentage of people, when presented with an email attachment, simply cannot resist opening it. No matter how the file is opened - by your mail client or by you - once opened you will become infected. And, of course, your system will then email the worm to others and you will become a participant in the above mentioned Denial of Service attack.
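An added example (not part of the original article) of the mail-gateway check this paragraph implies: decide on the attachment's filename rather than its declared Content-Type, since the sender controls both headers. The sample message, the `EXEC_EXT` list and the `report.scr` attachment are constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs when double-clicked (constructed, not exhaustive)
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Attachment name the article says Nimda uses
KNOWN_WORM_NAMES = {"readme.exe"}
# Declared types that never legitimately carry an executable
NON_EXEC_TYPES = ("text", "image", "audio", "video")


def flag_attachments(raw: bytes):
    """Return (filename, declared_type, reason) for each risky attachment.
    The filename decides; the declared Content-Type only adds a mismatch note."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:            # inline body text, not an attachment
            continue
        ext = os.path.splitext(name)[1].lower()
        declared = part.get_content_type()
        if name.lower() in KNOWN_WORM_NAMES:
            reason = "attachment name used by Nimda"
        elif ext in EXEC_EXT:
            reason = "executable attachment"
        else:
            continue
        if declared.split("/")[0] in NON_EXEC_TYPES:
            reason += "; declared Content-Type does not match the filename"
        findings.append((name, declared, reason))
    return findings


def build_sample() -> bytes:
    """Constructed message resembling the mail described above."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ constructed, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename="README.EXE")
    msg.add_attachment(b"GIF89a? no, constructed", maintype="image",
                       subtype="gif", filename="report.scr")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in flag_attachments(build_sample()):
        print(finding)
```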

When a web server becomes infected, not only are individual files compromised by the virus, the whole server is. Basically, the worm assigns administrative rights to what's known as the "Guest" user - and no password is supplied. It also shares the drives with the rest of the world, leaving the system open for all to view. It does this on a PC as well, making confidentiality breaches and compromised security an unpleasant side effect of this worm. Of course, the newly infected server also joins in with all the other infected PCs and servers on a seek and infect mission. Needless to say, within a very short time that's a lot of background noise in an already constricted pipeline.

For administrators or people who want to know the full specifics about this virus, take a look at the TechNet article from Microsoft.

Common Misconceptions

  1. The TV station said that home PC users running Windows 95, 98, or ME could not get this worm.
    False. Nimda can infect any Windows 32-bit user. That includes Windows 95, 98, NT, 2000, and ME.
  2. You can contract this virus even without downloading anything from infected sites.
    Sort of True. Infected websites offer the virus to unsuspecting visitors. Unpatched versions of Internet Explorer 5.01 and 5.5 will allow the file to be downloaded and run on your system without your knowledge. Patched or newer versions will present you with the file and ask if you want to run it or save it to disk. You should choose "Cancel" if asked.
  3. If everyone using Microsoft® IIS patched their servers, this problem wouldn't exist.
    True, but... At least one of the many patches involved does not support Netscape plug-ins. This alone has caused some administrators not to adopt a particular patch. It is also not just one simple patch, but a series of patches - some of which date back to 1999 - that must be installed. Not all of these patches were considered critical updates and thus were not as widely adopted as perhaps they might have been.
  4. I use Netscape® Mail, Eudora™ or some other mail client. I'm protected, right?
    False. You can still receive the file in email. If you choose to open it, you will become infected. Likewise, if you visit an infected website you are indeed vulnerable as described above.
  5. My antivirus software is up-to-date. That's all I need to do.
    False. Antivirus software was not able to detect Nimda when it first came out. Some are still having difficulties doing so. Check with your vendor to be sure you are protected. And remember, there's almost certain to be a variant of Nimda soon - just different enough to once again render your antivirus software incapable of detecting it. If you're using software that needs patching, patch it.


Prevention 

Download and install the latest service pack for your browser:

  • IE 6
  • IE 5.5 SP2
  • IE 5.01 SP2


To check your browser's version

  • Click Help | About Internet Explorer from the menu

If you can't install the service pack then download and install these patches

  • The patch provided in Microsoft Security Bulletin MS01-020.
  • The patch provided in Microsoft Security Bulletin MS01-027.

For ongoing protection we recommend you use third party Anti-Virus software and keep it up-to-date with the latest virus definitions.


Removal

Instructions for removal of this virus from an infected machine can be found here.


  • Majority of Article courtesy of about.com

    © Copyright FAB Enterprises & Innovations Ltd 1999-2008.  All rights reserved.