W32.Nimda.A@mm - No Dak content

From: Mike (spammikeREMOVE@home.com)
Date: Thu Sep 20 2001 - 21:37:49 EDT


It seems as though there are several threads related to the latest virus
going around. I wanted to summarize some of the necessary details.

There are several ways to get infected:
- Email Propagation (reading an infected email message)
- Browser Propagation (browsing a compromised web site)
- File System Propagation (via network shares)

The most common method is via email. The bug is not actually in Outlook or
Outlook Express but in Internet Explorer. When you receive an email with
rich content (sound, HTML, etc.), IE is called to display it. The bug here
is in the MIME type handling. The message contains two parts, a text/html
section and an audio/x-wav section. The audio/x-wav section is where the
virus is. When IE sees a MIME type of "wav" it thinks it's a .wav file
(audio file) and tries to execute it to play the sound for you. In this
case it's executing the virus and infecting you. NOTE: You can get infected
just by reading the message!

Unpatched IIS web servers can spread the virus to web surfers. The virus
infects all web content on the server and when you read the page you can run
the virus code (based on your security settings).

You can also get the virus from infected users on your network (if they have
write access to any shares on your computer).

To protect yourself you should patch Internet Explorer with this patch:
http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

You can also update to the latest version of Internet Explorer (6.0) which
is not affected by this bug:
http://www.microsoft.com/windows/ie/downloads/ie6/default.asp

You can get more information on the virus at the sites below:

Microsoft Security Bulletin (MS01-020)
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

W32.Nimda.A@mm on Symantec's website
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html

CERT Advisory CA-2001-26 Nimda Worm
http://www.cert.org/advisories/CA-2001-26.html
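As an added illustration of the mislabelled-MIME-part vector the post describes (example code written for this archive page, not from the poster, Microsoft, Symantec or CERT): a small Python checker that walks a message and flags an audio/x-wav part whose bytes are not actually a RIFF/WAVE file, the kind of content-versus-declared-type check a mail gateway can apply. The MZ-header test, the extensible type set and the two constructed sample messages are assumptions of this example, not details from the post.

```python
"""Flag mail parts whose declared MIME type does not match their content.

Defensive check for the MS01-020 / Nimda mail vector: a multipart message with
a text/html part plus an audio/x-wav part whose payload is not a WAV file.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Declared types the vulnerable IE handed straight to a player. Only
# audio/x-wav is named in the post; the set is an assumption and extensible.
AUTO_HANDLED_TYPES = {"audio/x-wav"}
MZ_MAGIC = b"MZ"  # DOS/PE executable header (assumed heuristic)


def looks_like_wav(data: bytes) -> bool:
    """A real WAV file is a RIFF container whose form type is WAVE."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE"


def find_mime_mismatches(raw: bytes) -> list:
    """Return (content_type, reason) for every suspicious part in the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in AUTO_HANDLED_TYPES:
            continue
        data = part.get_payload(decode=True) or b""
        if data.startswith(MZ_MAGIC):
            findings.append((ctype, "payload has an MZ executable header"))
        elif not looks_like_wav(data):
            findings.append((ctype, "payload is not a RIFF/WAVE file"))
    return findings


def build_sample(audio_bytes: bytes) -> bytes:
    """Constructed two-part message: text/html plus an audio/x-wav attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("<html><body>hello</body></html>", subtype="html")
    msg.add_attachment(audio_bytes, maintype="audio", subtype="x-wav",
                       filename="sample.wav")
    return msg.as_bytes()


# Inert stand-in for a mislabelled executable: only the MZ magic plus padding.
SUSPICIOUS = build_sample(b"MZ" + b"\x00" * 30)
# Minimal genuine WAV header (RIFF, chunk size, WAVE) so the benign case passes.
BENIGN = build_sample(b"RIFF" + (36).to_bytes(4, "little") + b"WAVE" + b"\x00" * 28)

if __name__ == "__main__":
    print(find_mime_mismatches(SUSPICIOUS))  # [('audio/x-wav', 'payload has an MZ executable header')]
    print(find_mime_mismatches(BENIGN))      # []
```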



This archive was generated by hypermail 2b29 : Fri Jun 20 2003 - 12:02:53 EDT