

New worm doing the rounds.
September 18, 2001 9:01 AM   Subscribe

New worm doing the rounds. Great.
posted by nico (23 comments total)

One of our servers got hit. Still trying to figure out what to do about that.
posted by LeiaS at 9:07 AM on September 18, 2001


My servers are getting blasted already. Good thing they're OpenBSD.
posted by jakd at 9:21 AM on September 18, 2001


This could be very serious. At least one web security firm is issuing strong warnings that this new worm (dubbed 'Nimda') is spreading far more rapidly than Code Red, and that at least a million IIS servers are at risk.

A /. thread here has more info:

New Microsoft Worm.
posted by cfj at 9:41 AM on September 18, 2001


This could be very serious. At least one web security firm is issuing strong warnings that this new worm (dubbed 'Nimda') is spreading far more rapidly than Code Red, and that at least a million IIS servers are at risk.

A /. thread here has more info:

New Microsoft Worm.
posted by cfj at 9:46 AM on September 18, 2001


Oops, sorry for the double post. Back button mishap.
posted by cfj at 9:47 AM on September 18, 2001


I hate Microsoft. I thought Code Red was bad, but I'm afraid to look at my referrer logs when I have the chance...
posted by moz at 10:01 AM on September 18, 2001


You just reposted the original link twice.

Love, a safe little Mac User. (Oh, yeah.)

But I sympathize, really. ;-)
posted by mirla at 10:02 AM on September 18, 2001


I know. My bad.
posted by cfj at 10:06 AM on September 18, 2001


Even safe little Mac users aren't safe -- even though you won't get infected, you will still get hit with the traffic to all your favorite websites, no matter what server you are running them on. My safe little Apache sites got hammered this morning and the traffic keeps on coming. Worms don't discriminate. We all get screwed because of Microsoft's security holes.

It's called W32.Nimda.A@mm

Here's some links:
Wired article
Symantec summary
Newsbytes article
posted by barkingmoose at 10:21 AM on September 18, 2001
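The point barkingmoose makes above (a non-IIS server is not infected, but its logs still fill up with failed probes) can be quantified from an Apache access log. The script below is an added example, not code from this thread or from any project mentioned in it: it parses the standard combined log format, finds clients that produced a burst of 404s in a short window, and reports what share of all requests those clients accounted for. The sample log lines, the probe paths in them, the threshold and the window are all constructed for illustration, not real worm signatures.

```python
"""Triage an Apache access log for worm-style probe traffic.

Added example; not code from the MetaFilter thread or from any project
named there. Parses Apache "combined" log lines, groups 404 responses by
client address, and reports clients that sent many failed requests within
a short window. Sample lines, threshold and window are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard shape of the Apache "combined" format (not taken from the page).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one ordinary visitor, one visitor following a single
# broken link, and one host rapidly probing for executables that an Apache
# server does not have. The probe paths are made up, not worm signatures.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:15:01 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Sep/2001:10:15:03 -0400] "GET /scripts/probe1.exe HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [18/Sep/2001:10:15:03 -0400] "GET /scripts/probe2.exe HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [18/Sep/2001:10:15:04 -0400] "GET /cgi/probe3.exe HTTP/1.0" 404 210 "-" "-"
203.0.113.5 - - [18/Sep/2001:10:15:30 -0400] "GET /old-page.html HTTP/1.0" 404 210 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Sep/2001:10:16:10 -0400] "GET /scripts/probe4.exe HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [18/Sep/2001:10:16:11 -0400] "GET /scripts/probe5.exe HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [18/Sep/2001:10:16:12 -0400] "GET /scripts/probe6.exe HTTP/1.0" 404 210 "-" "-"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def probe_clients(log_text, min_hits=5, window_seconds=300):
    """Return {ip: peak_count} for clients with >= min_hits 404s inside one window."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        # Sliding window: the densest run of 404s from this client.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[ip] = best
    return flagged


def traffic_share(log_text, ips):
    """Fraction of parseable requests that came from the given set of clients."""
    total = hits = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if rec["ip"] in ips:
            hits += 1
    return hits / total if total else 0.0


if __name__ == "__main__":
    noisy = probe_clients(SAMPLE_LOG)
    for ip, count in sorted(noisy.items()):
        print(f"{ip}: {count} failed requests in one window")
    print(f"share of all requests from flagged clients: {traffic_share(SAMPLE_LOG, noisy):.0%}")
```

Run it against a real log with `probe_clients(open(path).read())`; the 404 burst is what distinguishes a scanning host from a visitor who hit one dead link, and the share figure is what you would quote when explaining why an un-infectable server still felt the worm.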


I'm getting hit too. Thank God for FreeBSD...
posted by fooljay at 10:29 AM on September 18, 2001


The entire internet is getting slammed by this worm: http://www.internettrafficreport.com/

One security email I received noted that it started just about to the minute of exactly one week since the first plane hit the WTC.
posted by LeiaS at 11:24 AM on September 18, 2001


damn... just looked at my logs and... damn.
posted by lotsofno at 1:37 PM on September 18, 2001


This could be very serious. At least one web security firm is issuing strong warnings that this new worm (dubbed 'Nimda') is spreading far more rapidly than Code Red, and that at least a million IIS servers are at risk.


Call me crazy, but these are two old virus exploits in a new package. Why aren't all these corporate IIS servers patched yet? If Code Red wasn't a call to get a sysadmin off his ass and do the necessary patching, I don't know what is.

Also, filtering out executable files should be standard in corporate America. Forcing everyone to use zip is a good idea. At least then you can't plead ignorance when you made the effort to unzip the file, copy it someplace, and run it.

The fact that so many businesses don't do anything about security just encourages virus writers.
posted by skallas at 1:55 PM on September 18, 2001


In support of the theory (re: LeiaS's email):

We cannot discount the coincidence of the date and time of release, exactly one week (probably to the minute) after the World Trade Center attack.

~Trusecure site

Of course, I also heard this was a hoax to cover up the slowdowns caused by Carnivore ;)
posted by kd at 1:56 PM on September 18, 2001


Honestly, I have a hard time feeling sorry for all the people out there who are hit with this, seeing as they are still vulnerable to a bug found on October 17, 2000. Maybe this is the Darwinian equivalent in the computer world -- you don't patch your servers, and they don't survive.
posted by delfuego at 2:31 PM on September 18, 2001


I know that our server that was affected was up to date at least as of Code Red (it is not my duty to keep up with the patches). We ran the Microsoft tool for checking that all patches were up to date then (and probably since, I just am not aware of exact times). Is Nimda finding an unknown exploit?
posted by LeiaS at 2:41 PM on September 18, 2001


Is Nimda finding an unknown exploit?

It also uses an IE exploit to launch an outlook email. The last thing you want to do is put the IP of the vulnerable server into IE. I don't know if MS's tool checks for IE vulnerabilities.
posted by skallas at 3:40 PM on September 18, 2001


This is a very aggressive attacker. Reports are that the Nimda worm tries to exploit 16 different known vulnerabilities in IIS, contains an FTP component (that is used to install a DLL) and an SMTP server to send emails with attachments, and maybe worst of all, exploits an IE bug that allows a multipart MIME file to execute and infect a machine, simply by viewing a web page.

Here's the Microsoft Security Bulletin about it.
posted by cfj at 3:58 PM on September 18, 2001


The clones of this worm are gonna be *really* interesting to see...
posted by aramaic at 6:04 PM on September 18, 2001


cfj:

this patch seems to be the most recently recommended for the problem at hand.
posted by moz at 6:33 PM on September 18, 2001


Why doesn't somebody cook up a worm that causes physical damage somehow to unpatched IIS servers? That would seem to get admins off their asses.
posted by canoeguide at 2:53 AM on September 19, 2001


Maybe this is the Darwinian equivalent in the computer world -- you don't patch your servers, and they don't survive.

Yes, but unlike Darwinian natural selection, when one species kicks the bucket, it usually doesn't turn around and beat the hell out of all of the stronger species around it...
posted by fooljay at 10:52 AM on September 19, 2001


Trend Micro posted a free cleaner for "Nimda". This cleans the infected *.exe(s), and deletes the many *.eml, for starters. It did not seem to remove the added javascript from *.htm(l) and *.asp though. It got us back up.

The other major virus companies I have tried simply delete all infected files - some fix! I personally tried Norton, InoculateIT, and McAfee to no avail. What do they want the big money for?

Trend Micro - fix_nimda1.zip
posted by appsmith at 2:58 PM on September 19, 2001
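appsmith's report that the cleaner removed the *.eml files but left the javascript appended to *.htm(l) and *.asp pages is the kind of gap an admin wants to find before declaring a site clean. The script below is an added example, not code from this thread and not Trend Micro's cleaner: it walks a web root and lists pages whose `<script>` blocks reference a `.eml` file, for review, without modifying anything. The sample site is constructed in a temporary directory, and because the exact shape of the appended snippet is an assumption here, the matcher is deliberately loose (any script block that names a `.eml` file).

```python
"""Report web pages carrying a script block that references an .eml file.

Added example; not the thread's code and not Trend Micro's cleaner. Walks a
web root, and for every .htm/.html/.asp file lists the .eml names mentioned
inside <script> blocks. Read-only. The sample site is constructed, and the
matcher is an assumption about how such a snippet looks.
"""
import os
import re
import tempfile

WEB_EXTS = {".htm", ".html", ".asp"}  # file types the thread says were touched
SCRIPT_RE = re.compile(r"<script\b[^>]*>(?P<body>.*?)</script>", re.I | re.S)
EML_RE = re.compile(r"[\w.-]+\.eml\b", re.I)


def find_injected_scripts(text):
    """Return (script_block, eml_name) pairs for script blocks naming a .eml file."""
    hits = []
    for m in SCRIPT_RE.finditer(text):
        eml = EML_RE.search(m.group("body"))
        if eml:
            hits.append((m.group(0), eml.group(0)))
    return hits


def scan_tree(root):
    """Map relative path (forward slashes) -> referenced .eml names, flagged files only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in WEB_EXTS:
                continue
            path = os.path.join(dirpath, name)
            # latin-1 never fails to decode, so odd bytes in a tampered page
            # cannot abort the scan.
            with open(path, encoding="latin-1", errors="replace") as fh:
                hits = find_injected_scripts(fh.read())
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = [eml for _, eml in hits]
    return report


def build_sample_site():
    """Write a constructed sample site to a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="eml_scan_")
    os.mkdir(os.path.join(root, "sub"))
    clean = "<html><body><h1>Hi</h1><script>var x = 1;</script></body></html>\n"
    # Constructed stand-in for an appended snippet; "sample.eml" is made up.
    injected = '<script language="JavaScript">window.open("sample.eml")</script>\n'
    files = {
        "index.html": clean + injected,
        "about.htm": clean,                 # legitimate script, no .eml: not flagged
        "notes.txt": clean + injected,      # not a web page type: skipped
        os.path.join("sub", "page.asp"): injected,
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, emls in sorted(scan_tree(site).items()):
        print(f"{rel}: script references {', '.join(emls)}")
```

Point `scan_tree` at the real document root after running a cleaner; anything it lists still needs the appended block removed by hand (or by a script you have reviewed), and the list of `.eml` names tells you which dropped files the pages were pointing at.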



