Norman and F-Prot "appear" to be first from my checks. McAfee just updated
their site - _BUT NOTE_ you have to get the extra.dat for this specific
virus. A normal update will not get it.
Norton, Kaspersky and Trend are silent on the subject.
Jerry
----- Original Message -----
From: "Jasmine" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 2:07 PM
Subject: Re: [imail] OT: Alert: New IIS Worm
> what about the rest of us who aren't using f-prot
>
> From: "Jerry Murdock" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Date sent: Tue, 18 Sep 2001 13:55:59 -0400
> Subject: Re: [imail] OT: Alert: New IIS Worm
> Send reply to: [EMAIL PROTECTED]
>
> FYI:
>
> F-Prot users. The update for this was just released. Get the new
> fp-def.zip.
>
> Jerry
>
> ----- Original Message -----
> From: "Terrence Koeman" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 18, 2001 12:42 PM
> Subject: [imail] OT: Alert: New IIS Worm
>
>
> > Offtopic
> >
> > From NTBUGTRAQ:
> >
> > ------------------------
> > There have been numerous reports of IIS attacks being generated by
> > machines over a broad range of IP addresses. These "infected"
> > machines are using a wide variety of attacks which attempt to exploit
> > already known and patched vulnerabilities against IIS.
> >
> > It appears that the attacks can come both from email and from the
> > network.
> >
> > A new worm, being called w32.nimda.amm, is being sent around. The
> > attachment is called README.EXE and comes as a MIME-type of
> > "audio/x-wav" together with some html parts. There appears to be no
> > text in this message when it is displayed by Outlook when in
> > Auto-Preview mode (always a good indication there's something not
> > quite right with an email.)
> >
> > The network attacks against IIS boxes are a wide variety of attacks.
> > Amongst them appear to be several attacks that assume the machine is
> > compromised by Code Red II (looking for ROOT.EXE in the /scripts and
> > /msadc directory, as well as an attempt to use the /c and /d virtual
> > roots to get to CMD.EXE). Further, it attempts to exploit numerous
> > other known IIS vulnerabilities.
> >
> > One thing to note is the attempt to execute TFTP.EXE to download a
> > file called ADMIN.DLL from (presumably) some previously compromised
> > box.
> >
> > Anyone who discovers a compromised machine (a machine with ADMIN.DLL
> > in the /scripts directory), please forward me a copy of that .dll
> > ASAP.
> >
> > Also, look for TFTP traffic (UDP69). As a safeguard, consider doing
> > the following;
> >
> > edit %systemroot%/system32/drivers/etc/services.
> >
> > change the line;
> >
> > tftp 69/udp
> >
> > to;
> >
> > tftp 0/udp
> >
> > thereby disabling the TFTP client. W2K has TFTP.EXE protected by
> > Windows File Protection so can't be removed.
> >
> > More information as it arises.
> >
> > Cheers,
> > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> > ------------------------
> > Ok, whoa horsy, I've got lots of copies of ADMIN.DLL now thanks!
> >
> > Analysis is still on-going to determine precisely what the infecting
> > files do (there are potentially two, ADMIN.DLL and README.EXE).
> >
> > Some people have said their boxes seem unstable. It could be because
> > of numerous copies of TFTP.EXE in memory. At this point it might be
> > best to disconnect any computer that appears unstable from the
> > network, until such time as sufficient analysis has been performed to
> > advise how best to bring the box back on-line.
> >
> > It is also possible for client machines to perform the attacks that
> > we're seeing, if you have a way to filter outbound HTTP requests you
> > should look for anything that contains "/scripts" or "tftp" in the
> > URL and treat as suspicious.
> >
> > The internal threat by this one is no different (and maybe worse)
> > than CRII. We've seen indications of WnetEnumResource calls as well
> > as references to IPC$. There may be NetBIOS share activity associated
> > with the worm, and if so, it will likely spread rapidly internally.
> >
> > More than likely you will see the biggest effect in terms of a DoS
> > (from many source machines). This thing cares not whether you're an
> > IIS box or not, it tries regardless. As this spreads the effects may
> > become more severe (no, I'm not going to provide a quote on how
> > severe). Make sure your inbound (and preferably your outbound)
> > router rules are restricted to only those protocols that must be
> > present, and ideally to machine IP addresses that should have access.
> >
> > More as it becomes available.
> >
> > Cheers,
> > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> > ------------------------
> > Numerous people have reported that on IIS servers infected with
> > w32.nimda.amm, when visitors browse to their website the visitor is
> > offered up README.EML, which in turn downloads README.EXE to the
> > visitor.
> >
> > Please, check your IIS boxes now to see if you are infected. I've had
> > reports of IIS servers with more than 10,000 .eml files present
> > (mostly as a result of nimda).
> >
> > While we don't have any conclusive disinfecting procedures yet, any
> > IIS box that has been infected definitely shouldn't be available to
> > clients until we do.
> >
> > Cheers,
> > Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
> > ------------------------
> >
> >
> > --
> > Regards,
> >
> > Terrence Koeman
> >
> > Technical Director/Administrator
> > MediaMonks B.V. (www.mediamonks.nl)
> >
> > Please quote all replies in correspondence.
> ______________________________________________________________________
> The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
> Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
> Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
> To Manage your Subscription......... http://humankindsystems.com/lists