This is a Linux list. Linux users do not have to worry about viruses. Only Micro$oft can be infected....

Regards,
Jos.

Tyler Spivey
>
> Subj: Nimda Worm
>
> Hey,
>
> We have been receiving reports of a new worm from a large number of users.
> Instead of deluging BUGTRAQ with traffic more appropriate for INCIDENTS,
> we are posting a summary of the worm and the vulnerabilities it exploits:
>
> A new worm named W32/Nimda-A (known aliases are Nimda,
> Minda, Concept V, Code Rainbow) began to proliferate the morning of
> September 18, 2001 on an extremely large scale that targets the Microsoft
> Windows platform. It attempts to spread via three mechanisms: as an email
> attachment, a web defacement download, and through exploitation of known
> IIS vulnerabilities. Collateral damage includes network performance
> degradation due to high consumption of bandwidth during the propagation
> process. There have been reports of Apache Servers being inadvertently
> affected by Nimda by being subjected to a denial of service condition (the
> configuration of these servers is not known).
>
> This worm takes advantage of multiple vulnerabilities
> and backdoors. The worm spreads via e-mail and the web. Through the
> e-mail vector, the worm arrives in the user's inbox as a message with a
> variable subject line. The e-mail contains an attachment named
> 'readme.exe'. This worm formats the e-mail in such a way as to take
> advantage of a hole in older versions of Internet Explorer. Outlook
> mail clients use the Internet Explorer libraries to display HTML e-mail,
> so by extension Outlook and Outlook Express are vulnerable as well, if
> Internet Explorer is vulnerable. The hole allows the readme.exe program
> to execute automatically as soon as the e-mail is previewed or read.
>
> Once it has infected a new victim, it mails copies of itself to other
> potential victims, and begins scanning for vulnerable IIS Web servers.
> When scanning for vulnerable IIS servers, it attempts to exploit the
> Unicode hole (bid 1806) and the escaped characters decoding command
> execution vulnerability (bid 2708). It also attempts to access
> the system via the root.exe backdoor left by Code Red II. Once it
> finds a vulnerable IIS server, it installs itself in such a way that
> visitors to the now-infected web site will be sent a copy of a .eml
> file, which is a copy of the e-mail that gets sent. If the victim is
> using Internet Explorer as their browser, and they are vulnerable to the
> hole, they will execute the readme.exe attachment in the same way as if
> they had viewed an infected e-mail message.
>
> Attack Data:
>
> Examination of the worm reveals the following attack strings
> used to exploit IIS Web servers.
>
> '/scripts/..%255c..'
> '/_vti_bin/..%255c../..%255c../..%255c..'
> '/_mem_bin/..%255c../..%255c../..%255c..'
> '/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
> '/scripts/..%c1%1c..'
> '/scripts/..%c0%2f..'
> '/scripts/..%c0%af..'
> '/scripts/..%c1%9c..'
> '/scripts/..%%35%63..'
> '/scripts/..%%35c..'
> '/scripts/..%25%35%63..'
> '/scripts/..%252f..'
>
> To those strings are added /winnt/system32/cmd.exe?/c+dir
>
> Other attacks include:
>
> '/scripts/root.exe?/c+dir'
> '/MSADC/root.exe?/c+dir'
>
> It is believed that all of the vulnerabilities exploited by this worm are
> known.
>
> The links below provide fix information. Administrators and users are
> advised to apply patches as soon as possible. If further analysis
> concludes that other vulnerabilities are involved, updated information
> will be posted to the list.
>
> See:
>
> Bugtraq ID: 2524 / CVE ID: CAN-2001-0154
> Microsoft Security Bulletin MS01-020
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
> VulDB: http://www.securityfocus.com/bid/2524
>
> Bugtraq ID: 2708 / CVE ID: CAN-2001-0333
> Microsoft Security Bulletin MS01-026
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
> VulDB: http://www.securityfocus.com/bid/2708
>
> Bugtraq ID: 1806 / CVE ID: CVE-2000-0884
> Microsoft Security Bulletin MS00-078
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
> http://www.securityfocus.com/bid/1806
>
> Microsoft IIS Lockdown Tool:
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp
>
> References:
>
> Symantec W32.Nimda.A@mm
> http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
>
> McAfee W32/Nimda@MM
> http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
>
> Sophos W32/Nimda-A
> http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
>
> For discussion of infection or attack attempts, subscribe to the INCIDENTS
> mailing list. For discussion of the worm itself and others, FORENSICS and
> FOCUS-VIRUS are more appropriate than BUGTRAQ.
>
> ---
>
> Dave Ahmad
> Security Focus
> www.securityfocus.com
>
> _______________________________________________
>
> Blinux-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/blinux-list
>
--
-------------------------------
Jos Lemmens
Madoerastraat 78
3131 ZL Vlaardingen
The Netherlands
Tel.: + 31-(0)10-248 0 266
E-mail: jos@jlemmens.nl
Homepage: www.jlemmens.nl
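The attack strings in the quoted advisory are what the worm sends to IIS, and they also show up verbatim in the access logs of any web server it probes (the Apache hosts mentioned above included). As an added example, not part of the original post, the Python below decodes request paths the way the vulnerable IIS decoders did (two percent-decoding passes plus the overlong UTF-8 byte pairs listed in the advisory) and flags those patterns in a constructed CLF-format access log, so an administrator can check whether a server is being scanned or has been hit. The log format, IP addresses and indicator names are assumptions.

```python
import re
from urllib.parse import unquote

# Overlong / malformed UTF-8 sequences the worm uses for '/' and '\' (taken from
# the attack strings in the advisory); vulnerable IIS decoded them as separators.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%1c": "\\", "%c1%9c": "\\"}
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def normalize(path):
    """Decode a request path the way a vulnerable IIS would end up seeing it."""
    p = path.lower()
    for enc, sep in OVERLONG.items():
        p = p.replace(enc, sep)
    # Two decode passes catch the double-encoded forms in the advisory:
    # %255c -> %5c -> '\', %%35%63 -> %5c -> '\', %252f -> %2f -> '/'.
    for _ in range(2):
        p = unquote(p)
    return p.replace("\\", "/")

def classify(path):
    """Return the Nimda / Code Red II indicators found in one request path."""
    raw, norm = path.lower(), normalize(path)
    reasons = []
    if TRAVERSAL.search(norm):
        # traversal that is visible only after decoding is the worm's signature
        reasons.append("traversal" if TRAVERSAL.search(raw) else "encoded-traversal")
    if "cmd.exe?/c" in norm:
        reasons.append("cmd.exe-invocation")
    if "root.exe" in norm:
        reasons.append("code-red-ii-backdoor")
    return reasons

def scan_log(text):
    """Return (source_ip, path, reasons) for each suspicious request in CLF log text."""
    hits = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        if m and (reasons := classify(m.group(1))):
            hits.append((line.split()[0], m.group(1), reasons))
    return hits

# Constructed sample access log (CLF format); not taken from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:09:12:01 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:09:12:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:09:12:03 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.9 - - [18/Sep/2001:09:12:04 +0000] "GET /index.html HTTP/1.0" 200 1024
10.0.0.9 - - [18/Sep/2001:09:12:05 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1234
"""

if __name__ == "__main__":
    for src, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{src}  {', '.join(reasons)}  {path}")
```

A 404 on these requests means the server refused the traversal; a 200 on a cmd.exe request (last sample line) is the case to treat as a probable compromise.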