Virus Security Information Page

              MSNBC News

Symantec Security Check 

    ISC Logo       

Symantec Security Check is a free service designed to help you understand your computer's exposure to online security intrusions and virus threats. To access site click here .

Use Windows Update on a regular basis,  or Schedule Automatic Updates in Windows XP, Windows 2000, or Windows Server 2003  Click here for more details.  NOTE:  close ALL programs before you run updates.  If this is a host server your need to turn off all the services you can before you attempt any patch. Exchange Server may not work after a patch if this is not done.  U.S. Department of Homeland Security US-CERT strongly encourages users to install and maintain anti-virus software and exercise caution when handling attachments. Anti-virus software may not be able to scan password protected archive files so users must use discretion when opening archive files and should scan files once extracted from an archive.  Why should I run Windows update?
 

12/21/2001 Friday (MSN) WASHINGTON D.C. — The FBI’s top cyber-security unit warned consumers and corporations Friday night to take new steps beyond those recommended by Microsoft Corp. to protect against hackers who might try to attack major flaws discovered in the newest version of Windows software.  For more details click here .

12/20/2001 Thursday (Infoworld) MICROSOFT ISSUED A security bulletin Thursday to users of its Windows XP operating systems, warning of three "critical" holes in the software that leave a Windows PC vulnerable to hackers when it is logged on to the Internet. For more details click here .

12/19/2001 Wednesday (Infoworld) Reeezak worm offers holiday jeers - A NEW MASS-MAILER worm that offers New Year's greetings and what appears to be a holiday-related animation, but actually attempts to delete large portions of the Windows operating system, is spreading in the United States and Europe Wednesday, according to Computer Associates International.  For more details click here .  W32.Maldal.C@mm is a mass-mailing worm that is written in Visual Basic. The worm uses Microsoft Outlook to spread its infection. It also modifies your Internet Explorer home page.  For more information from Symantec click hereFrom more information from McAfee click here . 

12/04/2001 Tuesday (Infoworld) A NEW HIGH-RISK worm, called "Goner," which attempts to delete a number of program files on infected computers, including firewall applications, is spreading quickly Tuesday, according to a number of anti-virus firms. For more details click here .   -   (CNN) Antivirus companies warned people Tuesday about a rapidly spreading new e-mail worm that is capable of deleting certain computer programs.  For more details click here . W32.Goner.A@mm is a mass-mailing worm that is written in Visual Basic. The worm has been compressed using a known Portable Executable (PE)* file compressor. The worm can spread its infection using the ICQ network as well as by email using Microsoft Outlook. If IRC is installed, this worm can also insert mIRC scripts that will enable the computer to be used in Denial of Service (DOS) attacks. For more information from Symantec click here .  Symantec Security Response has posted a removal tool to assist in eradicating this worm. Please go here to read the instructions and download the removal tool.  From more information from McAfee click here .

10/30/2001 Tuesday (InfoworldA NEW VARIANT of the Nimda worm has appeared on the Internet, although exactly
how it is different or whether it will be more or less serious than the original worm is so far undetermined, anti-virus firms said Tuesday. Nonetheless, users are cautioned to patch their systems as soon as possible to prevent infection. (for more information click here)  Due to an increase in submissions, Symantec Security Response is upgrading the threat assessment of W32.Nimda.E@mm from Category 2 to Category 3. (for more information click here) 

10/11/2001 Wednesday (Internet Partners, Inc.)  Today we made a change to the eMail server that changes the name of certain types of eMail attachments.  In the example below the attached file "test.com" was changed to "test~com.dat".  So if this was a valid file you would first need to save it to a drive.  Once saved you would need to rename it back to "test.com".

10/04/2001 Thursday (Microsoft) Malformed Excel or PowerPoint Document Can Bypass Macro Security Issue:  Excel and PowerPoint have a macro security framework that controls the execution of macros and prevents macros from running automatically. Under this framework, any time a user opens a document the document is scanned for the presence of macros. If a document contains macros, the user is notified and asked if he wants to run the macros or the macros are disabled entirely, depending on the security setting. A flaw exists in the way macros are detected that can allow a malicious user to bypass macro checking

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS01-050.asp.

09/19/2001 Wednesday Kaspersky Labs Warns Not to Use the Internet or E-Mail without the Patch. Also, we urge the immediate installation of the Internet Explorer and IIS patches that block the aforementioned breaches. These patches not only repel "Nimda" attacks, but those of similar worms that could appear in the future.   (for more information click here) 

F-Secure Virus Descriptions Nimda

LIFECYCLE 

The actual lifecycle of Nimda can be split to four parts: 1) Infecting files, 2) Mass mailing, 3) Web worm and 4) LAN propagation. 

 

1) File infection 

Nimda locates EXE files from the local machine and infects them by putting the file inside its body as a resource, thus 'assimilating' that file. These files then spread the infection when people exchange programs such as games. 

2) Mass mailer 

Nimda locates e-mail addresses via MAPI from your e-mail client as well as searching local HTML files for additional addresses. Then it sends one e-mail to each address. These mails contain an attachment called README.EXE, which might be executed automatically on some systems. 

3) Web worm 

Nimda starts to scan the internet, trying to locate www servers. Once a web server is found, the worm tries to infect it by using several known security holes. If this succeeds, the worm will modify random web pages on the site. End result of this modification is that web surfers browsing the site will get automatically infected by the worm. 

4) LAN propagation 

The worm will search for file shares in the local network, either from file servers or from end user machines. Once found, it will drop a hidden file called RICHED20.DLL to any directory which has DOC and EML files. When other users try to open DOC or EML files from these directories, Word, WordPad or Outlook will execute RICHED20.DLL causing an infection of the PC. The worm will also infect remote files if it was started on a server. 

(Clink here for more information)

 

09/19/2001 Wednesday [UPDATE] -  (Symantec) Removal Tool Remove the infectious W32.Nimda.A@mm (Nimda) virus from your computer.   (Click here for more information)    W32.Nimda.A@mm is a new mass-mailing worm that utilizes multiple methods to spread itself. The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers, and is a virus infecting both local files and files on remote network shares.  NOTE: Procedure to repair with Symantec products listed on this page.  (for more information click here) (McAfee) Virus Alert information page for the W32/Nimda@MM virus.  (for more information click here)   (Trend Micro) PE_NIMDA.A Spreading rapidly. Free fix tool now available.  (for more information click here)  

09/18/2001 Tuesday - [TechTV Call for Help] Avoid the Nimda Worm Although the worm will not damage a user's PC, it compromises Microsoft IIS servers, allowing anyone to access the system. According to Symantec Security Response, anyone visiting a compromised Web server will be prompted to download an Outlook Express email file containing the worm as an attachment.  (for more information click here)

09/18/2001 Tuesday -  CERT® Advisory CA-2001-26 Nimda Worm Original release date: September 18, 2001 Revised: September 19, 2001 Systems Affected: Systems running Microsoft Windows 95, 98, ME, NT, and 2000 Overview The CERT/CC has received reports of new malicious code known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5." This new worm appears to spread by multiple mechanisms.  (for more information click here) 

Recommendations for System Administrators of IIS machines To determine if your system has been compromised, look for the following: 1. root.exe artifact (indicates a compromise by Code Red II or sadmind/IIS worms making the system vulnerable to the Nimda worm)  2. admin.dll artifact or unexpected .eml files in the directories with web content (indicates compromise by the Nimda worm)   (for more information click here)

09/18/2001 Tuesday -  (CNET) FBI assessing worm attack - A computer worm that spreads to both servers and PCs running Microsoft software flooded the Internet with data on Tuesday, but the FBI said that, as of yet, it sees no link to last week's terrorist attack.  (for more information click here)

09/06/2001 Friday -  (Symantec) W32.BlueCode.Worm  At this time, Symantec Security Response has not received any reports of this worm being "in the wild" (actual infections).  W32.CodeBlue is a worm that uses the known IIS Web Directory Traversal exploit. Information and a patch for this exploit are located at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp. Systems that have been patched are not affected.  (for more information click here)

08/16/2001 Thursday - CERT® Advisory CA-2001-23 Continued Threat of the "Code Red" Worm  The "Code Red" worm is malicious self-propagating code that exploits Microsoft Internet Information Server (IIS)-enabled systems susceptible to the vulnerability described in CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. Its activity on a compromised machine is time senstive; different activity occurs based on the date (day of the month) of the system clock. The CERT/CC is aware of at least two major variants of the worm, each of which exhibits the following pattern of behavior: (for more information click here)  CodeRed Removal Tool from Symantec. (Click here)

08/07/2001 Tuesday - (eEye Digital Security)  -- CodeRedII Worm Analysis  There is, in fact, a completely new worm loose on the Internet right now. It uses the same injection vector (the .ida vulnerability) as the first CodeRed worm, however this second worm has a completely different payload than the first worm. Therefore, this second worm is _NOT_ a variant of the first CodeRed worm. This is an entirely new worm. (for more information click here)

08/06/2001 Monday -  (CNN) -- A computer worm similar to "Code Red" could allow hackers to take control of infected Web sites, anti-virus experts warned Monday.  The new, more powerful bug installs a secret back door on infected Web servers, which could permit high-tech outlaws to sneak in and cause untold damage.  (for more information click here) 

07/30/2001 Monday -  FBI, CERT, others warn of reawakening Code Red - Bracing for the reawakening of Code Red, a malicious Internet worm, a number of U.S. government and private organizations on Sunday called on Web server administrators to ensure that their server software is up-to-date. (for more information click here) 

07/19/2001 Thursday - .ida "Code Red" Worm - Someone had released a worm for the .ida vulnerability. Within the logs we could see connection attempts from over five thousand IIS 5 Web servers targeting various other IIS Web servers and sending an .ida exploit to each of them. Evidence also showed that compromised hosts were being used to attack other hosts. (for more information click here)  

The CERT/CC has received reports of new self-propagating malicious code that exploits IIS-enabled systems susceptible to the vulnerability described in CERT advisory CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. Other systems not directly vulnerable to this exploit may also be impacted. Reports indicate that two variants of the "Code Red" worm may have already affected more than 250,000 hosts. (for more information click here)  

07/19/2001 Thursday - W32.Sircam.Worm@mm - W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm.  It creates copies of itself as %TEMP%\<File name> and C:\Recycled\<file name>, which contain the attached document. This document is then launched using the program registered to handle the specific file type (For example, if it is saved as a file with the .doc extension, it will run using Microsoft Word or Wordpad. A file with the .xls extension will open in Excel, and one with the .zip extension will open in you default zip program such as WinZip.) (for more information click here)

05/11/2001 Friday - Worm hits thousands of Solaris and IIS servers  Thousands of servers connected to the Internet have been compromised by a recently discovered worm, the Computer Emergency Response Team Coordination Center (CERT) and security Web site Attrition.org said Thursday. For more information (click here).

03/06/2001 Wednesday W32.Naked@mm  is a mass mailing worm that disguises itself as flash movie. The attachment will be named NakedWife.exe. This worm, after it has attempted to email everyone in the Microsoft Outlook addressbook, will attempt to delete several systemfiles. This will leave the system unusable, requiring a re-install. For more information see Symantec .

01/17/2001 Wednesday W97M.Melissa  is a Word 97 macro virus that has a payload to email itself using MS Outlook. The subject of the e-mail is "Important Message From USERNAME". This worm is functionally identical to the original W97M.Melissa.A worm that was discovered in 1999. For more information see Symantec .

 

©2000-2006 Internet Partners, Inc.
1800 NW 167th Place Suite 160 - Beaverton, Oregon 97006-8132
+1 503 690 2700    FAX +1 503 690 9700