New Worm Spreads Through Internet, Experts Warn
A new worm program is propagating on the Internet, according to monitoring organizations. It can damage files on infected machines and, through the scanning and e-mail traffic it generates, slow network traffic worldwide.
Source: Washington File (EUR318), U.S. Department of State, Washington D.C., September 19, 2001.
The new worm is being called "W32.Nimda.A@mm," and the CERT Coordination Center (CERT/CC) at the Carnegie Mellon Software Engineering Institute says that, among other weaknesses, it exploits the root.exe backdoor left on Web servers by Code Red II, a variant of the Code Red worm that spread through the international network in July and August 2001.
A computer worm is a malicious program that propagates on its own, without a user having to run it. W32.Nimda enters vulnerable computers through flaws in Microsoft Windows software and spreads in several ways at once: by e-mailing itself to other users, by copying itself to network file shares reachable from an infected computer, and from a compromised Web server to the browsers of visitors to its pages, according to warnings issued by CERT/CC.
Attorney General John Ashcroft included a warning about the new worm in a September 18 briefing primarily devoted to the investigation into the September 11 terrorist attacks. He said W32.Nimda is not thought to be related to the four airliner hijackings and their crashes, despite some concerns those incidents might be followed by attempts to sabotage critical infrastructure.
Ashcroft said, "I'm pleased to say that I understand that most of the antivirus companies have posted the files needed to protect unprotected computers, and those files obviously are available at this time."
When such a threat to the Internet appears, industry and government organizations coordinate to advise users on how the worm propagates, what signs of infection to look for, and how to close the vulnerabilities it exploits. Software manufacturers also develop patches ("fixes") that correct the vulnerabilities and make them available to users at no cost. More specific information is available in the texts below.
Following are excerpts of warnings issued by the National Infrastructure Protection Center (NIPC) and CERT/CC: (begin excerpt)
National Infrastructure Protection Center (www.nipc.gov), September 18, 2001
"Mass Mailing Worm W32.Nimda.A@mm"
The National Infrastructure Protection Center (NIPC) has received numerous reports that a new worm, named W32.Nimda.A@MM, is propagating extensively through the Internet worldwide. The worm exhibits many traits of recently successful malicious code attacks such as CODE RED, but it is not simply another version of that worm.
The Nimda worm threatens Microsoft Internet Information Services on Windows 2000 and NT web servers and also individual users running Microsoft Outlook or Outlook Express for their mail service on any Windows platform (95, 98, and Millennium Edition). Preliminary analysis indicates that once a server is infected it will begin to scan for more vulnerable systems on the local network, which may result in a denial of service for that network. In the case of infected workstations as well as servers, the worm also makes the entire contents of the local primary hard drive (e.g. C Drive) available over the network. It is also believed that an additional user is added with administrative rights.
A computer can become infected through a variety of means ranging from simply viewing an infected webpage using a browser with no security enabled, to opening a malicious email attachment.
The NIPC and several other labs continue to analyze the Nimda worm. Expect additional updates in the near future. For the moment, system administrators and individual users should consider taking the immediate actions detailed below to protect their systems.
For system administrators:
Take appropriate steps to prevent the worm's attempts to distribute itself through the following means:
- HTTP SCANNING for IIS vulnerabilities:
  - IIS MSADC /root.exe
  - IIS UNICODE decoding cmd.exe
  - CODERED /root.exe
  - FrontPage /cmd.exe
- OPEN WINDOWS FILE SHARING
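The four HTTP probe families listed above leave a recognizable trail in IIS logs, so a first step for an administrator is to look for them. The following Python script is an added example written for this edit; it is not code from the NIPC or CERT advisory or from any vendor. It assumes the server logs the W3C extended fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status in that order, the log lines it scans are constructed rather than captured, the probe-family labels are the script's own, and the table of overlong UTF-8 separator encodings is illustrative rather than complete.

```python
"""Flag Nimda-style IIS probes in W3C extended log lines.

Added example for this article, not code from the NIPC or CERT advisory.
Assumptions: the server logs the W3C fields
  date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
in that order, and the sample lines below are constructed, not captured.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample traffic. The four probe lines mirror the four probe
# families listed in the advisory; the last two lines are ordinary requests,
# the final one with "cmd.exe" only in the query string, which must not match.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:00:01 10.0.0.5 GET /scripts/root.exe ?/c+dir 200
2001-09-18 10:00:01 10.0.0.5 GET /MSADC/root.exe ?/c+dir 404
2001-09-18 10:00:02 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe ?/c+dir 200
2001-09-18 10:00:02 10.0.0.5 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe ?/c+dir 200
2001-09-18 10:00:03 10.0.0.7 GET /default.htm - 200
2001-09-18 10:00:04 10.0.0.7 GET /scripts/search.asp ?q=cmd.exe 200
"""

# Overlong UTF-8 byte sequences that the unpatched IIS decoder accepted as
# path separators (the "Unicode" directory traversal, MS00-078). The table
# is illustrative, not a complete list of the encodings the worm tried.
OVERLONG_SEPARATORS = {
    b"\xc0\xaf": b"/",
    b"\xc1\x1c": b"\\",
    b"\xc1\x9c": b"\\",
}


def normalize_path(uri_stem: str) -> str:
    """Decode a request path the way the worm expected IIS to decode it."""
    # Two percent-decoding passes catch the double-encoded form
    # (%255c -> %5c -> \) as well as the %%35c trick (%%35c -> %5c -> \).
    raw = unquote_to_bytes(uri_stem)
    raw = unquote_to_bytes(raw)
    for seq, sep in OVERLONG_SEPARATORS.items():
        raw = raw.replace(seq, sep)
    path = raw.decode("latin-1").replace("\\", "/").lower()
    return re.sub(r"/+", "/", path)


def classify(uri_stem: str) -> Optional[str]:
    """Map a request path to one of the advisory's probe families, or None."""
    path = normalize_path(uri_stem)
    if path.endswith("/root.exe"):
        # root.exe is the backdoor copy of cmd.exe left behind by Code Red II.
        return "msadc-root.exe" if path.startswith("/msadc/") else "codered-root.exe"
    if path.endswith("/cmd.exe") and "/../" in path:
        # Only a traversal to cmd.exe counts; cmd.exe in a query string does not.
        return "frontpage-cmd.exe" if path.startswith("/_vti_bin/") else "unicode-cmd.exe"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, raw cs-uri-stem, probe family) for each flagged line."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than guess
        client_ip, uri_stem = fields[2], fields[4]
        family = classify(uri_stem)
        if family is not None:
            hits.append((client_ip, uri_stem, family))
    return hits


if __name__ == "__main__":
    for client_ip, uri_stem, family in scan_log(SAMPLE_LOG):
        print(f"{client_ip:<12} {family:<18} {uri_stem}")
```

Read the hits together with the sc-status field: a 404 on a root.exe probe means the backdoor was not present, while a 200 means the server was already carrying the Code Red II backdoor before Nimda arrived and needs to be rebuilt, not just patched. The script covers only the HTTP vector; the open file-sharing vector has to be checked separately by auditing which shares each Windows host exports.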
For individual users:
Do not read or accept unexpected email file attachments. These emails should be deleted. Make sure browser security is enabled.
The anti-virus software industry is aware of this worm and has created a signature file to detect and remove it. Full descriptions and removal instructions can be found at various anti-virus software firms' websites, including the following:
- http://www.antivirus.com (Trend Micro)
- http://www.ca.com (Computer Associates)
- http://www.symantec.com (Symantec)
- http://vil.nai.com (McAfee)
Microsoft has posted critical updates at the following sites:
As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates, and to check for alerts put out by the NIPC, CERT/CC and other cognizant organizations.
Recipients of this advisory are encouraged to report computer intrusions to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to the other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or firstname.lastname@example.org.
This is a joint press release from:
- The Partnership for Critical Infrastructure Security (PCIS)
- The Information Technology Association of America (ITAA)
- The National Infrastructure Protection Center (NIPC)
- The SANS Institute (System Administration, Networking and Security)
- The CERT Coordination Center