Nasty Nimda slows the net

— 12:02 AM on September 19, 2001

There's a new worm in town, and it's burrowing through every hole in Windows and Outlook with startling efficacy, slowing the Internet to a crawl. This thing uses a compilation of several known exploits to spread itself. Scary item number one: it uses a MIME exploit to make Outlook/Outlook Express open an e-mail attachment it mails to would-be victims. You don't have to open an attachment to get infected. Scary item number two: it uses an IIS hole to infect Windows-based web servers, spreading much like Code Red. Scary item number three: it creates a Guest account with Administrator privileges on infected boxes, then opens up network shares, exposing the box's contents to the world.

It also appears this wriggling beastie uses IRC and FTP to propagate itself, but the anti-virus types aren't quite sure about what all it does yet. I've heard that this thing gets its claws pretty deep into an infected system. You can find more info at Symantec's SARC, where they haven't yet posted instructions on removing the virus.

To protect against the IIS exploit, grab the MS patch here. The MIME exploit patch is online here. Neither of these is a new exploit, but it's best to make sure you're protected, since the costs of infection are high.

I watched this thing bang on the TR server for a while (no harm done; we run Apache) by grepping through the logs, and it seems the worm hits computers with similar IP addresses first. We were getting hit primarily from addresses that shared the first two octets with our own. (Search for "cmd.exe" requests if you want to check your own server logs.) Install those patches and update those anti-virus definitions, folks. Nimda is nasty.
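The log check described above, written out as a small script (an added example, not code from the original post or from the TR server): it pulls every request naming cmd.exe out of Apache-style log lines and counts how many came from the server's own first two octets. The log lines and the server address (10.20.1.1) are constructed for the example; the script also percent-decodes the request path before matching, which goes a little beyond a plain grep so that encoded forms of the same path are not missed.

```python
import re
from urllib.parse import unquote

# Constructed Apache common-log lines for the example; not from any real server.
SAMPLE_LOG = """\
10.20.33.7 - - [18/Sep/2001:23:41:02 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
10.20.99.14 - - [18/Sep/2001:23:41:05 -0500] "GET /index.html HTTP/1.1" 200 5123
10.20.5.201 - - [18/Sep/2001:23:42:17 -0500] "GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 288
192.0.2.44 - - [18/Sep/2001:23:43:50 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
10.20.7.8 - - [18/Sep/2001:23:44:01 -0500] "GET /about.html HTTP/1.1" 200 2048
"""

# Source IP, then the method and request path from the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)'
)


def is_cmd_exe_probe(path):
    """True if the request path names cmd.exe after undoing single or double percent-encoding."""
    decoded = unquote(unquote(path))
    return "cmd.exe" in decoded.lower()


def cmd_exe_hits(log_text):
    """Return the source IPs of every request that targets cmd.exe, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cmd_exe_probe(m.group("path")):
            hits.append(m.group("ip"))
    return hits


def share_first_two_octets(ips, server_ip):
    """Count how many source IPs share the server's first two octets (the same /16)."""
    prefix = ".".join(server_ip.split(".")[:2])
    return sum(1 for ip in ips if ".".join(ip.split(".")[:2]) == prefix)


if __name__ == "__main__":
    hits = cmd_exe_hits(SAMPLE_LOG)
    near = share_first_two_octets(hits, "10.20.1.1")  # constructed server address
    print(f"{len(hits)} cmd.exe probes, {near} from the server's own /16")
```

On the sample above this reports three probes, two of them from the server's own /16, which is the pattern the post describes.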

