Symantec today announced that new analysis of W32.Nimda.A@mm reveals that the worm contains an additional destructive payload that will not only require detection, but removal. The new analysis indicates that the worm is a file infector: it infects .exe files and resides in memory.
W32.Nimda.A@mm is a mass-mailing worm that utilizes multiple methods to spread itself. The worm sends itself out by e-mail, infects machines over the network, and infects unpatched or already vulnerable Microsoft IIS Web servers. The worm also has various side effects, such as increasing network traffic while searching for machines to infect, which may cause network bandwidth problems. W32.Nimda.A@mm will also attempt to create security holes by creating a guest account with administrator privileges and create open shares on the infected system.
Symantec currently provides an integrated detection and repair solution against W32.Nimda.A@mm. In one step, users can download a solution that will simultaneously detect the worm and repair damaged files. Symantec is developing a separate removal tool to eradicate the worm from the PC memory.
"Using blended Internet security threats, the combination of viruses, exploits, or vulnerabilities to attack businesses and destroy assets, continues to rise," said Vincent Weafer, senior director of Symantec Security Response. "To combat such a fast spreading threat, Symantec integrated its solution for W32.Nimda.A@mm to detect and repair, allowing for quick clean up with little downtime."
Symantec Security Response recommends that IT administrators implement the following to stop the propagation of W32.Nimda.A@mm:
- Block e-mails containing a "readme.exe" attachment.
- Update virus definitions and ensure that firewalls are correctly configured.
- Download the latest security updates for Enterprise Security Manager and NetRecon.
- Install the IIS Unicode Traversal security patch.
- Install the malformed MIME header execution security patch.
- Close network share drives.
- Use Symantec's LiveUpdate feature to obtain the latest virus definitions.
- Use the Windows Update feature located on the "Start" menu on Windows 95 and higher systems to download new security patches.
- Disable the "File Download" feature in Internet Explorer to prevent compromise.
Both consumers and enterprises can be infected through a variety of methods.
- E-mail: One of the methods the worm uses to infect PCs is e-mail. The e-mail arrives with an attachment, readme.exe, that is not always visible, and contains a randomly generated subject line and no body message. The worm uses its own SMTP engine to e-mail itself out to all the addresses it collects by searching the user's incoming and outgoing e-mail boxes. Users of Internet Explorer 5.01 or 5.5 (IE 5 with Service Pack 2 or later installed, and IE 6, are not affected) will receive a blank e-mail: no subject line, no body, and a hidden attachment. Just opening the e-mail can infect users' PCs.
- Shared drives: PC users with shared drives enabled are also at risk. The worm searches for open network shares and will attempt to copy itself to these systems and then execute. IT administrators should close all network shared drives.
- Web sites: When users visit a compromised Web site, the server will run a script attempting to download an Outlook file, which contains the W32.Nimda.A@mm worm. The worm will create an open network share on the infected machine, allowing access to the system. W32.Nimda.A@mm specifically targets versions of IIS servers, taking advantage of the known Universal Web Traversal exploit (MS Security Bulletin MS00-078), which is similar to the exploit used in the Code Red attack. Compromised servers will display a Web page and attempt to download an Outlook file that contains the worm as an attachment.
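The first recommendation above, blocking e-mails that carry a "readme.exe" attachment, is the kind of rule a mail gateway applies before a message reaches a client. The following Python script is an added example for this article, not Symantec's code or any product's filter: it parses an RFC 822 message, walks its MIME parts and reports any part whose declared filename is readme.exe, and also (an extra check, assumed here as typical gateway practice rather than something the article states) any part whose filename has an executable extension while its declared Content-Type claims a non-executable type, since the article notes that the attachment "is not always visible" to the mail client. The two sample messages are constructed for the example.

```python
"""Gateway-side check for blocked attachments (added example, not the article's code)."""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Filenames the article says to block outright.
BLOCKED_NAMES = {"readme.exe"}
# Assumption: a typical gateway list of executable extensions (not from the article).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
# Content-Types under which an executable attachment is honestly declared.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def attachment_name(part) -> Optional[str]:
    """Return the part's filename in lower case, from Content-Disposition or the
    legacy Content-Type name= parameter, or None if the part carries no name."""
    name = part.get_filename() or part.get_param("name")
    return name.strip().lower() if name else None


def find_blocked_attachments(raw: bytes) -> List[Dict]:
    """Walk every leaf MIME part and collect the ones a gateway should reject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = attachment_name(part)
        if name is None:
            continue
        ctype = part.get_content_type()
        ext = name[name.rfind("."):] if "." in name else ""
        reasons = []
        if name in BLOCKED_NAMES:
            reasons.append("blocked filename")
        # An executable name declared as, say, an audio type is what lets the
        # attachment hide from the client; treat the mismatch itself as a reason.
        if ext in EXECUTABLE_EXTENSIONS and ctype not in EXECUTABLE_TYPES:
            reasons.append("executable name declared as " + ctype)
        if reasons:
            findings.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return findings


def should_block(raw: bytes) -> bool:
    return bool(find_blocked_attachments(raw))


def build_sample_message() -> bytes:
    """Constructed sample: a blank message (no subject, no body text) whose
    readme.exe attachment is declared under a non-executable Content-Type."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("")
    msg.add_attachment(b"MZ-constructed-placeholder-not-a-real-binary",
                       maintype="audio", subtype="x-wav", filename="readme.exe")
    return msg.as_bytes()


def build_clean_message() -> bytes:
    """Constructed sample of ordinary mail that the filter must let through."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"%PDF-constructed-placeholder",
                       maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("sample", build_sample_message()), ("clean", build_clean_message())):
        print(label, "BLOCK" if should_block(raw) else "PASS", find_blocked_attachments(raw))
```

Run the script directly to see both messages classified; the executable-name check is deliberately independent of the blocked-name list so that a renamed copy of the attachment declared under a misleading Content-Type is still caught.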
Norton AntiVirus 2004 - Norton AntiVirus is one of the world's most trusted antivirus solutions. It's always working in the background to protect your PC from dangers lurking on the Internet and other possible sources of infected files. Now it repairs common virus infections automatically, without interrupting your work. The latest virus definitions are downloaded automatically when you connect to the Internet, ensuring that your PC's protection stays up-to-date. Even between updates, Symantec's exclusive Script Blocking technology defends against fast-moving threats by identifying and stopping new script-based viruses, such as I Love You and Anna Kournikova. To safeguard your PC and prevent it from spreading viruses to your friends and colleagues, Norton AntiVirus scans and cleans both incoming and outgoing messages. As a Norton AntiVirus user, you're also backed by the Symantec Security Response team, formerly known as the Symantec AntiVirus Research Center. These experts are working to protect your computer 24 hours a day, developing new defenses whenever a virus is discovered. A new user interface makes Norton AntiVirus 2002 easier to use, and you can even access many of its functions instantly from the Windows Explorer toolbar.
Malicious Mobile Code: Virus Protection for Windows - Malicious mobile code is a new term to describe all sorts of destructive programs: viruses, worms, Trojans, and rogue Internet content. Until fairly recently, experts worried mostly about computer viruses that spread only through executable files, not data files, and certainly not through email exchange. The Melissa virus and the Love Bug proved the experts wrong, attacking Windows computers when recipients did nothing more than open an email. Today, writing programs is easier than ever, and so is writing malicious code. The idea that someone could write malicious code and spread it to 60 million computers in a matter of hours is no longer a fantasy. The good news is that there are effective ways to thwart Windows malicious code attacks, and author Roger Grimes maps them out in Malicious Mobile Code: Virus Protection for Windows. His opening chapter on the history of malicious code and the multi-million dollar anti-virus industry sets the stage for a comprehensive rundown on today's viruses and the nuts and bolts of protecting a system from them. He ranges through the best ways to configure Windows for maximum protection, what a DOS virus can and can't do, what today's biggest threats are, and other important and frequently surprising information. For example, how many people know that joining a chat discussion can turn one's entire computer system into an open book? Malicious Mobile Code delivers the strategies, tips, and tricks to secure a system against attack. 
It covers:
- The current state of the malicious code writing and cracker community
- How malicious code works, what types there are, and what it can and cannot do
- Common anti-virus defenses, including anti-virus software
- How malicious code affects the various Windows operating systems, and how to recognize, remove, and prevent it
- Macro viruses affecting MS Word, MS Excel, and VBScript
- Java applets and ActiveX controls
- Enterprise-wide malicious code protection
- Hoaxes
- The future of malicious mobile code and how to combat such code
These days, when it comes to protecting both home computers and company networks against malicious code, the stakes are higher than ever. Malicious Mobile Code is the essential guide for securing a system from catastrophic loss.
E-mail Virus Protection Handbook: Protect your E-mail from Viruses, Trojan Horses, and Mobile Code Attacks - All of the big viruses of recent times (think "Melissa" and the "Love Bug") have used e-mail protocols to propagate themselves, often taking advantage of the address-book features of e-mail clients to identify their victims. The E-mail Virus Protection Handbook explores how you, as an administrator of an e-mail server (and perhaps some of the network resources that surround it), can protect your users from the productivity loss that results from e-mail virus infection. This book is best suited to administrators of smallish networks who have responsibility for (and direct control over) firewalls and network-wide antivirus strategies, as well as e-mail readers on the client side. The authors of this volume (and there are several) begin by explaining how and why e-mail viruses work; they point the finger mainly at software that's designed for slick presentation of mail instead of for security, as well as at uninformed end users. Then they explain what various countermeasures, including antivirus software and firewalls, can do, and offer specific configuration advice. They also explore means of configuring popular e-mail servers and clients for maximum resistance to viruses. Overall, this book is carefully researched and should provide system administrators with the information, both practical and background, that they need to protect their systems from some of the more insidious threats around. Topics covered: malicious code that's spread through e-mail clients, servers, and protocols, and how to defend against it. Specifically, the book deals with antivirus software, both network-wide and for single clients, and configuration policies for Outlook 2000, Outlook Express 5.0, and Eudora 4.3 on the client side. Server coverage includes Windows 2000 Advanced Server, Red Hat Linux 6.0, Exchange Server 5.5, and Sendmail.
Personal firewalls, like BlackICE Defender 2.1, get attention, too.