Reproduced below is the text of a message sent by our List host, Avnet. It describes the nature of the virus which surfaced last week and what to do about it. It is pertinent to subscribers using the MS mail programs and I am airing it for information.
John Cliff
Europa Club List Forum minder
********************************************************************
Dear Customer,
You may be aware of a new mass e-mailing virus that appears to be extremely infectious.

This virus is known as the Nimda worm (Admin spelt backwards). The virus makes use of vulnerabilities present in the Microsoft Internet Information Server, which is optionally installed with both Windows NT and Windows 2000. The virus can also arrive via e-mail, and makes use of an exploit present in Microsoft Outlook & Outlook Express that allows the virus to be executed by simply viewing or previewing the e-mail.

WE STRONGLY RECOMMEND THAT YOU UPDATE YOUR VIRUS SOFTWARE USING THE LATEST DATA FILES AVAILABLE, AND REMAIN AS CAUTIOUS AS EVER ABOUT OPENING ANY ATTACHMENTS.

You should never trust attachments, even from people you know, if you are not expecting a file or if the text is very generic, e.g. "thought you might like these".
Nimda is a new network-aware, mass-mailing worm that infects both desktop PCs and IIS Web servers. When Nimda arrives by e-mail, there is random text in the subject line, no body text, and an attached file called readme.exe. The worm infects PCs running Windows 95, 98, ME, NT, or 2000, and servers running Windows NT and 2000.

You can check for its presence on a machine by looking for a file named me*.tmp.exe in the TEMP directory and a file named load.exe in the Windows system directory.
Nimda (W32.nimda.a@mm) combines the dangers of Code Red and the mass-mailing worm APost. Ultimately, the infection causes mail servers to run slowly or shut down. It attacks at least a dozen known vulnerabilities on systems running Microsoft IIS and can also spread via open shares to other connected machines on a network.

It exploits HTML (the language of Web page construction) and can be picked up from compromised Web sites where visitors are invited to download a file which infects their machine so that - unknown to them - they will pass it on as an attached file via e-mail. When recipients open the file, the virus copies itself into the Windows system directory with the name Load.exe and copies over the riched20.dll file in the same directory.

Once in place, the worm uses Mailing API (MAPI) functions to read address books and send out copies of itself to yet more users. It creates a file by the name me*.tmp.exe in the TEMP folder which contains the file attachment.
Nimda also spreads via Internet scan. From an infected IIS Web server, Nimda scans other Web servers looking for systems with suitable vulnerabilities. If it gains access to a Web server, it attempts to display a Web page prompting users to download an apparently innocent but infected file.

Although all of Houxou's servers are suitably protected from infection by this type of worm, the huge load caused by scans from other Internet hosts which have been compromised has caused congestion in many areas of the Internet. So far, however, we have not experienced any noticeable deterioration in our own network performance.

Up to date anti-virus software will alert users to any danger when they arrive at an 'infectious' Web site, and Microsoft has announced patches for most of the vulnerabilities that Nimda exploits. However, until the majority of users have updated their anti-virus software and until Web server and mail server operators around the world install adequate defences, the general danger and the current 'Internet slowdown' caused by increased traffic will continue.
There is a free download available from MicroWorld which will remove the Nimda worm from infected machines.
The file will:
Remove Nimda from memory
Remove Nimda traces from Inetpub (NT) directories
Remove Nimda from EML and NWS files
Remove Nimda from all EXE and DLL files
Remove references of Nimda from riched20.dll
Download from: http://www.microworldsystems.com/tools/clnimda.exe
Or: ftp://microworld.saratogaweb.com/download/clnimda.exe
Additional (particularly technical) information is available from CERT
(www.cert.org).
And at:
Symantec - http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
Trusecure -
http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024_cid177.shtml
Best regards,
Aviators Network Customer Support
Email: support@aviators.net
Web: http://www.aviators.net
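The presence check the advisory describes (a me*.tmp.exe file in TEMP and a load.exe in the Windows system directory) and the e-mail pattern it gives (no body text, an attachment named readme.exe), turned into a small checker. This is an added example, not part of the forwarded message or of any vendor tool; the mail heuristic, the %SystemRoot%\system32 default and the function names are assumptions.

```python
import fnmatch
import os

# Indicators as stated in the advisory: me*.tmp.exe in TEMP, load.exe in the
# Windows system directory (assumed here to be %SystemRoot%\system32 on NT/2000),
# and a mail attachment named readme.exe with an empty body.
TEMP_PATTERN = "me*.tmp.exe"
SYSTEM_FILE = "load.exe"
MAIL_ATTACHMENT = "readme.exe"


def match_file_indicators(temp_files, system_files):
    """Return (location, name) pairs from two directory listings that match
    the advisory's file indicators. Names are compared case-insensitively,
    as Windows file names are."""
    hits = []
    for name in temp_files:
        if fnmatch.fnmatchcase(name.lower(), TEMP_PATTERN):
            hits.append(("TEMP", name))
    for name in system_files:
        if name.lower() == SYSTEM_FILE:
            hits.append(("SYSTEM", name))
    return hits


def looks_like_nimda_mail(body, attachments):
    """Heuristic (an assumption, not from the advisory): the message has no
    body text and carries an attachment named readme.exe."""
    has_readme = any(a.lower() == MAIL_ATTACHMENT for a in attachments)
    return body.strip() == "" and has_readme


def scan_host(temp_dir, system_dir):
    """Run the file check against real directories; a directory that cannot
    be read is treated as empty rather than aborting the scan."""
    def listing(path):
        try:
            return os.listdir(path)
        except OSError:
            return []
    return match_file_indicators(listing(temp_dir), listing(system_dir))


if __name__ == "__main__":
    temp_dir = os.environ.get("TEMP", r"C:\Windows\Temp")
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    for where, name in scan_host(temp_dir, system_dir):
        print(f"Nimda indicator in {where}: {name}")
```

A match only says the advisory's indicators are present; confirmation and clean-up are still the job of an up-to-date scanner or the removal tool linked above.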