BANGALORE: Beware of the worm! The latest one to hit the circuit is called
Nimda. Categorized at threat level Severe, W32.Nimda.A@mm is a new
mass-mailing worm that uses multiple methods to spread itself. The worm
sends itself out by email, searches for open network shares, attempts to copy
itself to unpatched or already vulnerable Microsoft IIS web servers, and is a
virus infecting both local files and files on remote network shares.
According to security experts, the worm uses the Unicode Web Traversal
exploit. A patch and information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
When it arrives by email, the worm uses a MIME exploit that allows it to
execute as soon as the message is read or previewed. Information and a
patch for this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Users visiting compromised Web servers will be prompted to download an .eml
(Outlook Express) email file, which contains the worm as an attachment. Users
can disable 'File Download' in their internet security zones to prevent
compromise.
Also, the worm will create open network shares on the infected computer,
allowing access to the system. During this process the worm creates the guest
account with Administrator privileges.
W32.Nimda.A@mm attempts to infect unpatched Microsoft IIS web servers. On
Microsoft IIS 4.0 and 5.0, it is possible to construct a URL that would cause
IIS to navigate to any desired folder on the logical drive that contains the web
folder structure, and access files in it.
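The traversal the article describes worked because IIS checked the request path for ".." before fully decoding it, so an overlong UTF-8 encoding of the slash (e.g. %c0%af) slipped past the check. The following is an added example, not code from the article or from Microsoft: it runs a naive pre-decode check and a canonicalize-then-check detector side by side over a few constructed IIS-style log lines, to show which requests each one flags. The log lines, IP addresses and file names are all constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Constructed IIS-style W3C log lines (not real traffic):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-18 14:02:11 10.0.0.5 GET /default.htm - 200
2001-09-18 14:02:13 10.0.0.7 GET /scripts/..%c0%af..%c0%afwinnt/win.ini - 200
2001-09-18 14:02:14 10.0.0.7 GET /scripts/../../winnt/win.ini - 404
2001-09-18 14:02:15 10.0.0.9 GET /images/logo.gif - 200
"""

def decode_lenient_utf8(raw_path: str) -> str:
    """Percent-decode, then map any 2-byte lead/continuation pair to the code
    point it denotes even when the form is overlong (%c0%af -> '/', %c1%9c -> '\\').
    This mirrors what the file-system layer effectively did, so the checker must
    see the same path the file system will see."""
    data = unquote_to_bytes(raw_path)
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def naive_check(raw_path: str) -> bool:
    """The kind of check MS00-078 defeated: look for '../' or '..\\' after a
    strict percent-decode, which leaves the overlong bytes undecoded."""
    decoded = unquote_to_bytes(raw_path).decode("utf-8", errors="replace")
    return "../" in decoded or "..\\" in decoded

def escapes_web_root(raw_path: str) -> bool:
    """Canonicalize first, then check: treat '\\' as '/', walk the segments and
    flag any path whose '..' segments climb above the web root."""
    depth = 0
    for seg in decode_lenient_utf8(raw_path).replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def scan_log(text: str):
    """Return (uri_stem, naive_flag, canonical_flag) for each request in the log."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 7:
            stem = fields[4]
            results.append((stem, naive_check(stem), escapes_web_root(stem)))
    return results
```

Run over SAMPLE_LOG, the overlong-encoded request is missed by naive_check but caught by escapes_web_root, while the plain ../../ request is caught by both; this is the reason a traversal check must run on the fully canonicalized path.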
The worm, first found on September 18, presently has no vaccine against it; the
only defence is to be careful and delete unrecognizable files arriving via e-mail.