Éditoriaux Défense Sécurité Terrorisme Zones de conflits Logistique Livres de référence Liens
Terre Air Mer Gendarmerie Renseignement Infoguerre Cyber Recherche

New Worm Spreads Through Internet, Experts Warn

New Worm Spreads Through Internet, Experts Warn

A new worm program is propagating on the Internet, according to monitoring organizations, and it could cause delays in traffic on the worldwide information network. File damage and network slowdowns could occur. Source: Washington File (EUR318), U.S. Department of State, Washington D.C., September 19, 2001.

The new worm is being called "W32.Nimda.A@mm," and the CERT Coordination Center (CERT/CC) at the Carnegie Mellon Software Engineering Institute says that it is designed to exploit system vulnerabilities that emerged as a result of the Code Red Worm, which spread through the international network in July and August 2001.

A computer worm is a destructive program that can spread on its own. W32.Nimda enters vulnerable computers using Microsoft Windows programs and multiplies through e-mail to other users, network shared files available to a computer, and from a Web server to a client through a compromised Web site, according to warnings issued by CERT/CC.

Attorney General John Ashcroft included a warning about the new worm in a September 18 briefing primarily devoted to the investigation into the September 11 terrorist attacks. He said W32.Nimda is not thought to be related to the four airliner hijackings and their crashes, despite some concerns those incidents might be followed by attempts to sabotage critical infrastructure.

Ashcroft said, "I'm pleased to say that I understand that most of the antivirus companies have posted the files needed to protect unprotected computers, and those files obviously are available at this time."

Industry and government organizations work in a coordinated way with the appearance of such a threat to the Internet to advise users on how a worm propagates, what to look for to avoid corruption, and how to protect the vulnerabilities in computer systems. Software manufacturers have also developed system "fixes" that correct the system vulnerability and are made available to users at no cost. More specific information is available in the texts below.

Following are excerpts of warnings issued by the National Infrastructure Protection Center (NIPC) and CERT/CC: (begin excerpt)

National Infrastructure Protection Center (www.nipc.gov), September 18, 2001

"Mass Mailing Worm W32.Nimda.A@mm"

The National Infrastructure Protection Center (NIPC) has received numerous reports that a new worm, named W32.Nimda.A@MM, is propagating extensively through the Internet worldwide. The worm is exhibiting many traits of recently successful malicious code attacks such as CODE RED but it is not simply another version of that worm.

The Nimda worm threatens Microsoft Internet Information Services on Windows 2000 and NT web servers and also individual users running Microsoft Outlook or Outlook Express for their mail service on any Windows platform (95, 98, and Millennium Edition). Preliminary analysis indicates that once a server is infected it will begin to scan for more vulnerable systems on the local network, which may result in a denial of service for that network. In the case of infected workstations as well as servers, the worm also makes the entire contents of the local primary hard drive (e.g. C Drive) available over the network. It is also believed that an additional user is added with administrative rights.

A computer can become infected through a variety of means ranging from simply viewing an infected webpage using a browser with no security enabled, to opening a malicious email attachment.

The NIPC and several other labs continue to analyze the Nimda worm. Expect additional updates in the near future. For the moment, system administrators and individual users should consider taking the immediate actions detailed below to protect their systems.

For system administrators:

Take appropriate steps to prevent the worm's attempts to distribute itself through the following means:

HTTP SCANNING for IIS vulnerabilities:

  • IIS MSDAC /root.exe
  • IIS UNICODE decoding cmd.exe
  • CODERED /root.exe
  • frontpage /cmd.exe

EMAIL (via IFRAMES and javascript)

  • readme.eml
  • readme.exe
  • getadmin.exe

TFTP DOWNLOADS

  • getadmin.exe
  • Admin.dll
  • Getadmin.dll

INTERNET EXPLORER HTTP iframe and javascript autoexec

  • readme.eml
  • readme.exe

OPEN WINDOWS FILE SHARING

  • readme.exe
  • readme.eml

For individual users:

Do not read or accept unexpected email file attachments. These emails should be deleted. Make sure browser security is enabled.

The anti-virus software industry is aware of this worm and has created a signature file to detect and remove it. Full descriptions and removal instructions can be found at various anti-virus software firms websites, including the following:

  • http://www.antivirus.com (Trend Micro)
  • http://www.ca.com (Computer Associates)
  • http://www.symantec.com http://vil.nai.com (McAfee)

Microsoft has posted critical updates at the following sites:

  • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-044.asp
  • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-020.asp

As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates, and to check for alerts put out by the NIPC, CERT/CC and other cognizant organizations.

Recipients of this advisory are encouraged to report computer intrusions to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to the other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.

(end excerpt)

(begin excerpt)

This is a joint press release from:

  • The Partnership for Critical Infrastructure Security (PCIS)
  • The Information Technology Association of America (ITAA)
  • The National Infrastructure Protection Center (NIPC)
  • The SANS Institute (System Administration, Networking and Security)
  • The CERT Coordination Center
 

Derniers articles

Verdun 2016 : La légende de la « tranchée des baïonnettes »
Eyes in the Dark: Navy Dive Helmet Display Emerges as Game-Changer
OIR Official: Captured Info Describes ISIL Operations in Manbij
Cyber, Space, Middle East Join Nuclear Triad Topics at Deterrence Meeting
Carter Opens Second DoD Innovation Hub in Boston
Triomphe de St-Cyr : le Vietnam sur les rangs
Dwight D. Eisenhower Conducts First OIR Missions from Arabian Gulf
L’amiral Prazuck prend la manœuvre de la Marine
Airmen Practice Rescuing Downed Pilots in Pacific Thunder 16-2
On ne lutte pas contre les moustiques avec une Kalachnikov...
Enemy Mine: Underwater Drones Hunt Buried Targets, Save Lives
Daesh Publications Are Translated Into Eleven Languages
Opération Chammal : 10 000 heures de vol en opération pour les Mirage 2000 basés en Jordanie
Le Drian : Daech : une réponse à plusieurs niveaux
Carter: Defense Ministers Agree on Next Steps in Counter-ISIL Fight
Carter Convenes Counter-ISIL Coalition Meeting at Andrews
Carter Welcomes France’s Increased Counter-ISIL Support
100-Plus Aircraft Fly in for Exercise Red Flag 16-3
Growlers Soar With B-1s Around Ellsworth AFB
A-10s Deploy to Slovakia for Cross-Border Training
We Don’t Fight Against Mosquitoes With a Kalashnikov
Bug-Hunting Computers to Compete in DARPA Cyber Grand Challenge
Chiefs of US and Chinese Navies Agree on Need for Cooperation
DoD Cyber Strategy Defines How Officials Discern Cyber Incidents from Armed Attacks
Vice Adm. Tighe Takes Charge of Information Warfare, Naval Intelligence
Truman Strike Group Completes Eight-Month Deployment
KC-46 Completes Milestone by Refueling Fighter Jet, Cargo Plane
Air Dominance and the Critical Role of Fifth Generation Fighters
Une nation est une âme
The Challenges of Ungoverned Spaces
Carter Salutes Iraqi Forces, Announces 560 U.S. Troops to Deploy to Iraq
Obama: U.S. Commitment to European Security is Unwavering in Pivotal Time for NATO
International Court to Decide Sovereignty Issue in South China Sea
La SPA 75 est centenaire !
U.S. to Deploy THAAD Missile Battery to South Korea
Maintien en condition des matériels : reprendre l’initiative
La veste « léopard », premier uniforme militaire de camouflage
Océan Indien 2016 : Opérations & Coopération
Truman Transits Strait of Gibraltar
Navy Unveils National Museum of the American Sailor
New Navy, Old Tar
Marcel Dassault parrain de la nouvelle promotion d’officiers de l’École de l’Air
RIMPAC 2016 : Ravitaillement à la mer pour le Prairial avant l’arrivée à Hawaii
Bataille de la Somme, l’oubliée
U.S., Iceland Sign Security Cooperation Agreement
Cléopatra : la frégate Jean Bart entre dans l’histoire du BPC Gamal Abdel Nasser
Surveiller l’espace maritime français aussi par satellite
America's Navy-Marine Corps Team Fuse for RIMPAC 2016
Stratégie France : Plaidoyer pour une véritable coopération franco-allemande
La lumière du Droit rayonne au bout du chemin





Directeur de la publication : Joël-François Dumont
Comité de rédaction : Jacques de Lestapis, Hugues Dumont, François de Vries (Bruxelles), Hans-Ulrich Helfer (Suisse), Michael Hellerforth (Allemagne).
Comité militaire : VAE Guy Labouérie (†), GAA François Mermet (2S), CF Patrice Théry (Asie).

Contact