The new NIMDA worm, a variant of the Code Red virus, sends itself out by email, searches for open network shares, exploits a bug in Microsoft Internet Explorer, and attempts to copy itself to unpatched Microsoft IIS web servers using the Unicode Web Traversal exploit.

A patch and information regarding the Unicode Web Traversal exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp .

Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served, and due to an existing bug in Internet Explorer 5, it will automatically execute this file. Users running Microsoft Internet Explorer version 5.01 or greater are advised to install a free patch available from Microsoft to prevent this method of infection.


You can find more information on NIMDA at:



Those running IIS might want to consider purchasing a product like McAfee's SecureIIS Application Firewall to protect themselves against this and future attacks:
http://corporate.mcafee.com/content/software_products/secureiis.asp?cid=2443

[ 09-18-2001: Message edited by: Steve_M ]
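
An added example, not part of the original post: a small check an IIS administrator could run for the two server-side signs described above, requests that pair `..` with an overlong UTF-8 byte sequence and served pages that reference `readme.eml`. The log field layout, the sample log lines and the sample pages are constructed assumptions for illustration.

```python
import re

# Lead bytes 0xC0/0xC1 never occur in valid UTF-8; they only show up in
# overlong encodings, e.g. an encoded '/' or '\' used to get "../" past a
# path check (the Unicode Web Traversal issue the MS00-078 patch addresses).
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)
EML_REF = re.compile(r"readme\.eml", re.IGNORECASE)


def suspicious_requests(log_lines):
    """Return (client_ip, uri) for URIs that mix '..' with an overlong byte pair."""
    hits = []
    for line in log_lines:
        if line.startswith("#"):  # W3C log directive line, not a request
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        client_ip, uri = fields[2], fields[4]  # assumed field order, see SAMPLE_LOG
        if ".." in uri and OVERLONG.search(uri):
            hits.append((client_ip, uri))
    return hits


def pages_referencing_eml(pages):
    """Return the names of served pages whose body references readme.eml."""
    return [name for name, body in pages.items() if EML_REF.search(body)]


# Constructed sample data (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2001-09-18 14:02:11 192.0.2.15 GET /default.htm 200",
    "2001-09-18 14:02:12 198.51.100.7 GET /scripts/..%c0%af../example/tool.exe 404",
    "2001-09-18 14:02:13 198.51.100.7 GET /scripts/..%c1%9c../example/tool.exe 404",
    "2001-09-18 14:02:14 192.0.2.15 GET /docs/caf%c3%a9.htm 200",
]
SAMPLE_PAGES = {
    "index.htm": "<html><body>Welcome</body></html>",
    "news.htm": '<html><body>News</body></html><script>window.open("readme.eml")</script>',
}

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
    print(pages_referencing_eml(SAMPLE_PAGES))
```

A hit in the log only shows that a probe arrived; a page that references `readme.eml` is the sign the server itself needs cleaning.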
could explain some of the slow-down.. I haven't found a patch yet, the ms site link was a 404
Sorry, the period at the end of the URL was added to the link. I removed it and the link now functions.
Oh, ok, thanks for the heads up.. we've been patched for quite a while now :)
Sorry, I wasn't trying to imply that UBBDev is infected...I wanted to get the word out to other IIS web server users in case they have not previously patched their server. :)
No problem... you are quite right to post it, especially since it appears to be a new worm trying to use old exploit(s)... :)
Is it a must to download this patch for my web browser? Will this worm do anything to my comp or just web servers I access?
ARGH! Just installed it... don't you LOVE the non-optional "YOU WILL RESTART YOUR COMPUTER NOW!! HIT OK!!" M$ put into all their hotfixes? At least this one doesn't have a countdown. *eyes narrow*
Apparently aimed at Win NT/2K, it will also mess up win98/me pc's. It uses 16 known exploits to really screw your computer over if you haven't patched it recently. One of the few attachments in email as well that you don't have to open for it to infect your pc, according to the guy on the radio a few minutes ago :)
Yes, if you are running Windows 95/98 you really need to install this patch, if you haven't already done so:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
hehehe. you silly outlook users. hehehe

Just a thought :)
I downloaded it and I got a message saying "This update does not need to be installed". What's going on?

[ 09-20-2001: Message edited by: Lord Dexter ]
Lord Dexter,

You probably previously applied the patch...most likely if you used windowsupdate.microsoft.com in the recent past.