Nimda.E - heads up

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 10/30/01


Message-ID:  <E9A01F52DC939448BBDE44ED2E1C468F23C966@muskie.rc.on.ca>
Date:         Tue, 30 Oct 2001 10:39:36 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
Subject:      Nimda.E - heads up
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

A new version of Nimda (Nimda.E) is slowly propagating, both in email and
via the web. It appears to be exploiting the same vulnerabilities Nimda did
(MS00-060/MS00-078).

Via email it comes as either sample.eml, or sample.exe, and when it executes
it still drops riched20.dll, but now tries to download httpodbc.dll and
cool.dll. HTTP GETs include TFTP gets of these .dlls.

Httpodbc.dll is common on IIS systems and is included in Windows File
Protection (which won't prevent a trojan copy from being dropped into
directory other than \%systemroot%\system32\inetsrv). Cool.dll is common on
Windows 98 boxes but not NT 4.0 or Windows 2000.

IIS spreading is extremely slow at this point, we can only speculate as to
why. IIS boxes may be patched or disconnected.

Critical now is to ensure that you have updated your IE Browser to ensure
you're not running one that's vulnerable to MS01-020. You should be running
IE 5.01 SP2, IE 5.5 SP2, or IE 6.0 to be sure you're not vulnerable, or
apply the MS01-027 patch (which supersedes MS01-020).

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
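The advisory names three DLLs (riched20.dll, httpodbc.dll, cool.dll) and points out that a legitimate httpodbc.dll lives only under \%systemroot%\system32\inetsrv while cool.dll is not expected on NT 4.0 or Windows 2000 at all. The script below is an added example written for this page, not code from the NTBugtraq post or from Russ: it walks a directory tree and reports any copy of those filenames that sits outside the place a legitimate copy is expected, so an administrator can review them. The expected location for riched20.dll (the Rich Edit DLL under system32) and the demo directory layout are my assumptions; the advisory itself gives only the inetsrv location.

```python
import os
import shutil
import tempfile

# Filenames from the advisory, mapped to the directory (relative to the system
# root) where a legitimate copy is expected. None means no copy is expected.
# The httpodbc.dll location is from the advisory; riched20.dll under system32
# is an assumption; cool.dll is "not expected on NT 4.0 / Windows 2000".
WATCHED = {
    "httpodbc.dll": ("system32", "inetsrv"),
    "riched20.dll": ("system32",),  # assumption: Rich Edit DLL lives here
    "cool.dll": None,
}


def scan_for_nimda_e_artifacts(root, system_root):
    """Walk `root` and return sorted (filename, path) tuples for every copy of a
    watched DLL that is not in its expected directory. Matching is
    case-insensitive, as Windows filesystems are."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = os.path.normcase(os.path.abspath(dirpath))
        for name in filenames:
            lname = name.lower()
            if lname not in WATCHED:
                continue
            expected = WATCHED[lname]
            if expected is not None:
                legit_dir = os.path.normcase(
                    os.path.abspath(os.path.join(system_root, *expected)))
                if here == legit_dir:
                    continue  # legitimate copy in its normal location
            findings.append((lname, os.path.join(dirpath, name)))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree (not a real host) so the scan runs offline.
    Two legitimate copies sit where they belong; three copies do not."""
    base = tempfile.mkdtemp(prefix="nimda_e_demo_")
    sysroot = os.path.join(base, "WINNT")
    layout = {
        os.path.join(sysroot, "system32", "inetsrv", "httpodbc.dll"): b"legit",
        os.path.join(sysroot, "system32", "riched20.dll"): b"legit",
        os.path.join(base, "Inetpub", "scripts", "httpodbc.dll"): b"review",
        os.path.join(base, "Inetpub", "wwwroot", "cool.dll"): b"review",
        os.path.join(base, "share", "docs", "riched20.dll"): b"review",
    }
    for path, content in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return base, sysroot


def demo():
    """Build the constructed tree, scan it, and return findings as paths
    relative to the tree root (the tree is removed afterwards)."""
    base, sysroot = build_demo_tree()
    try:
        findings = scan_for_nimda_e_artifacts(base, sysroot)
        return [(name, os.path.relpath(path, base)) for name, path in findings]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, rel in demo():
        print(f"review: {name} at {rel}")
```

On a real host you would call `scan_for_nimda_e_artifacts` with the drive root and the actual %systemroot%; a hit is a file to examine (hash, timestamp, AV scan), not proof of infection, since the script checks only location, not content.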
