Information on the "Nimda" Worm
Actions You Should Take
End Users
http://library.boisestate.edu/authenticate/virus/
To prevent infection from email, update Internet Explorer with one of the following:
System Administrators
1. Prevent the Code Red Worm II from infecting your system and use a Microsoft tool to repair systems that have been infected. (Code Red Worm II leaves a "back door" that Nimda exploits.)
2. Block the "Web Server Folder Traversal" vulnerability by applying or installing any of the following:
3. Prevent spread through file shares by locking down permissions on all computers.
Additional Information
The official name of the worm is W32/Nimda@MM, but it is generally referred to as the "Nimda" worm. It attempts to spread via three different means:
The worm spreads via email by sending a copy of itself within a mail that exploits the security vulnerability discussed in Microsoft Security Bulletin MS01-020. As the bulletin describes, the vulnerability lies in Internet Explorer, but is exploited via email. Simply opening the email itself would be sufficient to infect the machine – it would not be necessary to open an attachment. Anti-virus vendors are currently developing updated scanning tools that will detect and disarm mails sent by the virus. But even in the absence of these tools, patches and updated versions of IE have been available for some time to eliminate the vulnerability. Customers who have installed any of the updates listed earlier would be at no risk of infection by email.
Web Servers
When the worm attacks IIS 4.0 and 5.0 web servers, it does so through either of two means. First, it checks to see if the machine was previously compromised by the Code Red II worm, which creates a "back door" that any malicious user can use later to gain control of the system. If the Nimda worm finds such a machine, it simply uses the back door created by Code Red II to infect the system. Second, the worm attempts to exploit the "Web Server Folder Traversal" vulnerability. If it succeeds in exploiting this vulnerability, the worm uses it to infect the system. A tool is available to remove the back door created by the Code Red II worm. However, the best course of action is to prevent the Code Red II worm altogether, as instructed in step 1 above.
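The "Web Server Folder Traversal" vulnerability named in step 2 above and in the Web Servers paragraph is a path-decoding flaw: the server percent-decoded request paths leniently (accepting double-encoded and overlong UTF-8 forms of "/" and "\") after checking them, so ".." components could resolve above the web root. The following Python script is an added example, not code from the original page or from Microsoft; it shows the check a defender can run over IIS W3C-format logs to find requests whose fully decoded path escapes the served tree. The log lines, client addresses and field layout are constructed assumptions.

```python
"""Flag directory-traversal requests in IIS W3C-style web logs.

Added example (not from the original page).  The sample log below is
constructed data, not real traffic, and assumes the field order
date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
"""
import posixpath
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (assumption: W3C extended format as IIS writes it).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:01:02 10.0.0.5 GET /default.htm - 200
2001-09-18 13:01:03 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe - 200
2001-09-18 13:01:04 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200
2001-09-18 13:01:05 10.0.0.7 GET /images/../default.htm - 200
2001-09-18 13:01:06 10.0.0.9 GET /msadc/../../winnt/win.ini - 404
"""


def _fold_overlong_utf8(data: bytes) -> bytes:
    """Map overlong two-byte UTF-8 sequences (lead byte 0xC0/0xC1) back to the
    ASCII byte they encode.  A strict decoder rejects these; a lenient one
    turns %c0%af into "/" and %c1%9c into "\\", which is the decoding gap
    this class of traversal bug abuses."""
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def decode_request_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the bytes stop changing (bounded, so a double
    encoding such as %255c is unwrapped), fold overlong forms, and treat
    backslashes as separators the way a Windows server does."""
    data = raw.encode("utf-8")
    for _ in range(max_rounds):
        if b"%" not in data:
            break
        decoded = _fold_overlong_utf8(unquote_to_bytes(data))
        if decoded == data:
            break
        data = decoded
    return data.decode("latin-1").replace("\\", "/")


def escapes_web_root(raw_path: str) -> bool:
    """True if the fully decoded path, resolved relative to the web root,
    still begins with '..', i.e. it reaches outside the served tree."""
    relative = decode_request_path(raw_path).lstrip("/")
    normalized = posixpath.normpath(relative)
    return normalized == ".." or normalized.startswith("../")


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per log line whose URI stem escapes the web root."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # W3C directive lines and blanks
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed line; a real tool would count these separately
        date, time, client, method, uri, query, status = fields
        if escapes_web_root(uri):
            hits.append({"time": f"{date} {time}", "client": client,
                         "uri": uri, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['uri']} ({hit['status']})")
```

The decision is made on the normalized result rather than on the raw text, so a harmless "/images/../default.htm" is not reported while double-encoded and overlong forms are. A 200 status on a flagged line is the signal worth acting on: it means the server resolved the path, which is exactly what the patches in step 2 prevent.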
File shares
The final means by which the worm tries to spread is through file shares. Windows systems can be configured to allow other users to read files from them or write files to them. It is generally poor security practice to allow anyone to have access to your files and, by default, Windows systems only allow the authorized user of the system to access the files on it. However, if the worm finds a system that has been configured to allow other users to create files on it, it adds files that spread the infection. The Microsoft Personal Security Advisor can be used to determine whether you have any incorrectly configured shares on your system.
More Resources
Microsoft is continuing to investigate this worm, and will provide updated information as we learn it. In the meantime, additional information is available from the following sources:
News Site
Boise State University had contracted with Micron Internet Services to provide a Usenet News feed for the University. Micron Internet Services no longer provides a Usenet News feed. Because of the low number of users of News, the University will no longer provide a site license for news. There are news feeds available from a number of Internet sites. A small sample of sites that provide news are: http://www.help.com, http://www.topica.com, http://www.yahoo.com
Usenet News
Usenet News is the equivalent of a discussion group or "bulletin board system" (BBS). With Usenet News you can keep track of the latest gossip about your favorite TV sitcom, discuss your sports heroes with other fans or find out what printer you should buy for your home PC. Newsgroups cover every imaginable topic (and some you can't imagine) -- some will help you with your work and others are simply for entertainment.