ALERT NIMDA Worm...Patch your IIS Web Server, Disable JavaScript!! - 09/18/2001 10:30 PM
The new NIMDA worm, a variant of the Code Red virus, sends itself out by email, searches for open network shares, exploits a bug in Microsoft Internet Explorer, and attempts to copy itself to unpatched Microsoft IIS web servers using the Unicode Web Traversal exploit.
A patch and information regarding the Unicode Web Traversal exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp .
Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served and due to an existing bug in Internet Explorer 5, it will automatically execute this file. Users running Microsoft Internet Explorer version 5.01 or greater, are advised to install a free patch available from Microsoft to prevent this method of infection.
You can find more information on NIMDA at:
Those running IIS might want to consider purchasing a product like McAfee's SecureIIS Application Firewall to protect themselves against this and future attacks:
http://corporate.mcafee.com/content/software_products/secureiis.asp?cid=2443
[ 09-18-2001: Message edited by: Steve_M ]
A patch and information regarding the Unicode Web Traversal exploit can be found at http:/
Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served and due to an existing bug in Internet Explorer 5, it will automatically execute this file. Users running Microsoft Internet Explorer version 5.01 or greater, are advised to install a free patch available from Microsoft to prevent this method of infection.
You can find more information on NIMDA at:
- http:/
/ www.incidents.org/ react/ nimda.php - http:/
/ vil.mcafee.com/ dispVirus.asp?virus_k=99209& - http://www.symantec.com/avcenter/venc/data/[email protected]
- http:/
/ www.cert.org/ advisories/ CA-2001-26.html - http:/
/ www.nipc.gov/ warnings/ advisories/ 2001/ 01-021.htm - http:/
/ slashdot.org/ articles/ 01/ 09/ 18/ 151203.shtml
Those running IIS might want to consider purchasing a product like McAfee's SecureIIS Application Firewall to protect themselves against this and future attacks:
http:/
[ 09-18-2001: Message edited by: Steve_M ]