While updating my virus thingy on our network, I spotted this recent addition to respective virus databases.
A computer worm that spreads to both servers and PCs running Microsoft software flooded the Internet with data on Tuesday.
Known as "Nimda" or "readme.exe," the worm spreads by sending infected e-mails, copying itself to computers on the same network and compromising Web servers using Microsoft IIS web software.
The server component of the virus exploits an old and previously patched flaw in IIS called the Unicode Directory Traversal vulnerability.
In addition to its ability to cross between servers and PCs, the Nimda worm seems to be more virulent because it automatically executes in Microsoft's Outlook e-mail software under the program's "medium" security setting.
"There appears to be a MIME exploit," said Eric Chien, chief researcher for antivirus software maker Symantec's European operations. "It appears that it is doing some kind of exploitation in e-mail."
SARC has the following details...
- There is a new mass-mailing worm that utilizes email to propagate itself. The threat arrives as readme.exe in an email.
In addition, the worm sends out probes to IIS servers attempting to spread by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm. Compromised servers may display a webpage prompting a visitor to download an Outlook file which contains the worm as an attachment.
Also, the worm will create an open network share allowing access to the system. The worm will also attempt to spread via open network shares.
News source: CNET News
View Virus Info: Sophos - W32/Nimda-A (Full description and IDE files to detect virus available)
View Virus Info: McAfee - W32/Nimda@MM (Full details and .dat files to detect virus are available)
View Virus Info: SARC - W32.Nimda.A@mm (Full Analysis and patch available)
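The Unicode Directory Traversal flaw mentioned above relies on overlong (non-shortest-form) UTF-8 encodings of `/` and `\` getting past a path check that only looks for the literal characters. The following is an added example, not part of the original post or of any vendor's tooling: a log scanner that flags such requests. The log format, addresses and paths are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes
import re

def _is_cont(raw, i):
    """True if raw[i] exists and is a UTF-8 continuation byte (10xxxxxx)."""
    return i < len(raw) and 0x80 <= raw[i] <= 0xBF

def lenient_decode(raw):
    """Decode bytes as a parser without a shortest-form check would.
    Returns (text, overlong_seen)."""
    out, i, overlong = [], 0, False
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and _is_cont(raw, i + 1):
            # 2-byte form carrying a code point below 0x80: always overlong
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong, i = True, i + 2
        elif (b == 0xE0 and _is_cont(raw, i + 1) and raw[i + 1] < 0xA0
              and _is_cont(raw, i + 2)):
            # 3-byte form carrying a code point below 0x800: overlong
            out.append(chr(((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)))
            overlong, i = True, i + 3
        else:
            out.append(chr(b))  # other bytes kept as-is (Latin-1 mapping)
            i += 1
    return "".join(out), overlong

def classify(uri):
    """Label a request URI by what its path looks like after decoding."""
    path = uri.split("?", 1)[0]
    text, overlong = lenient_decode(unquote_to_bytes(path))
    dotdot = ".." in re.split(r"[/\\]", text)
    if overlong:
        return "traversal-overlong" if dotdot else "overlong-utf8"
    return "traversal" if dotdot else "ok"

# Constructed sample lines: client, method, URI, status
SAMPLE_LOG = """
192.0.2.10 GET /index.html 200
192.0.2.77 GET /scripts/..%c0%af../example.txt 404
192.0.2.77 GET /scripts/..%c1%9c../example.txt 404
198.51.100.5 GET /caf%c3%a9/menu.html 200
198.51.100.9 GET /docs/../admin/ 403
"""

def scan(log_text):
    """Return (client, verdict) for every request that is not 'ok'."""
    rows = (line.split() for line in log_text.strip().splitlines())
    return [(r[0], classify(r[2])) for r in rows if classify(r[2]) != "ok"]
```

A legitimate two-byte sequence such as `%c3%a9` (é) is left alone; only lead bytes that can never appear in shortest-form UTF-8 are flagged.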