Guest guest
Posted September 20, 2001

The free fix download is at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

--- support wrote:
> Reply-to: support
> support
> eTrust EZ Virus Alert for Win32.Nimda Worm
> socheid
>
> =============================================
> eTrust EZ Virus Alert for Win32.Nimda Worm
> =============================================
>
> Win32.Nimda worm (Also known as W32/Nimda@MM)
> Nimda.A is an Internet worm spreading via a number of different methods
> and exploiting several known vulnerabilities in Internet Explorer and
> IIS systems. It also works as a file virus infecting Win32 Portable
> Executable programs as well as files with extensions: html, htm, asp.
> This worm may enter a system in the following ways:
> - via an HTML e-mail with a specifically constructed MIME header;
> - by visiting a Web site hosted on an infected system;
> - via open network shares;
> - via unpatched IIS systems (both 4.0 and 5.0).
> When a user views an HTML e-mail carrying the worm or visits an infected
> Web site, Internet Explorer may launch the attached program, executing
> the Nimda.A code (from the program readme.exe). This is due to the
> "Incorrect MIME Header" vulnerability in Microsoft Internet Explorer
> 5.01 and 5.5. For a detailed description of this security hole and links
> to the appropriate patches, please visit:
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
>
> The worm may also exploit the following HTTP security loopholes in
> systems running Microsoft IIS:
> - Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
> - Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
> - Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
>
> The worm finds vulnerable Internet servers via randomly selected IP
> addresses. The address generation and scanning is performed by the
> process named mmc.exe (the file mmc.exe is overwritten by the worm with
> its own copy). Users of affected Win NT/2000 systems may experience a
> significant deterioration of their system performance when the mmc.exe
> process is running. Additionally, the worm copies itself as Admin.dll to
> the root directories of all accessible drives (the worm marks Admin.dll
> as a true DLL).
> Once the worm gets access to a victim machine's files, it searches all
> directories and infects htm, asp and html files by adding a one-line
> JavaScript code. In every directory with successfully infected files,
> the worm drops its own code in the MIME format as readme.eml or
> readme.nws. The worm is executed from within these MIME files when an
> infected htm* or asp file is opened.
> The worm infects Win32 PE programs (except Winzip32.exe) by prepending
> its code and modifying its resources so that the infected programs use
> the same icons as the original programs.
> On affected Win9x systems, in order to run on the next reboot, the worm
> copies itself as load.exe into the Windows System directory and modifies
> the system.ini file:
> Shell=explorer.exe load.exe -dontrunold
> Nimda.A may also copy itself under the name used by one of the
> legitimate Microsoft libraries: riched20.dll.
> The worm also modifies wininit.ini in order to delete the temp files it
> uses on the next reboot.
> Note: In order to avoid infection by browsing infected web pages, Active
> Scripting can be disabled in Internet Explorer.
>
> Users with eTrust EZ Antivirus signature files 1505
> and up are protected against this worm.
>
>
> A few simple rules to remember:
> ==========================
> - Prevent viruses from spreading by updating your antivirus
> software on a regular basis.
> - Do not open attachments received from somebody
> you don't know.
> - Be careful when receiving attachments from your friends. In most
> cases they are not aware of infection and will not know if the
> virus email was sent from their own PCs.
>
>
> =============================================
>
> Additional information on viruses, worms, and
> Trojan horses can be found at the Computer
> Associates Virus Information Center:
> http://www.ca.com/virusinfo/
>
> For more detailed virus information and
> specialized removal instructions, visit:
> http://www.ca.com/virusinfo/virusalert.htm
>
> Carnegie Mellon Software Engineering Institute
> (CERT® Coordination Center):
> http://www.cert.org/advisories/
>
> =============================================
>
> You can from this newsletter or by going to
> http://www.my-etrust.com/maintenance/optin/
>
> =============================================
>
> Feedback? Comments? Suggestions?
> Send webmaster. All submissions
> become the property of the publisher and may or may not be
> reprinted.
>
> NOTE: This address should be used only for feedback on
> this newsletter. Requests for technical support should be
> submitted through normal channels.

=====
Free antivirus software at www.grisoft.com
Free firewall software at www.zonealarm.com
Check against email hoaxes at www.stiller.com/hoaxes.htm or www.scambusters.org/legends.html

Terrorist Attacks on U.S. - How can you help?
Donate cash, emergency relief information
http://dailynews./fc/US/Emergency_Information/
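The alert above names three IIS 4.0/5.0 canonicalization flaws that Nimda used to reach cmd.exe through the web server. The following Python script is an added example (not part of the post or of the eTrust alert) showing how a defender can recognise those probes in web-server logs even when the request path is disguised: it decodes each path the way the unpatched IIS did (a second percent-decode after the first, and folding overlong two-byte UTF-8 sequences such as %c0%af into '/' and '\') and then checks whether the canonical path climbs above the web root or asks for cmd.exe. The log layout and every log line are constructed for the example; the probe paths follow the well-known request forms those vulnerabilities allow, and the root.exe target (a cmd.exe copy left by earlier Code Red II infections that Nimda also tried) is a known Nimda probe that the alert itself does not mention.

```python
"""Spot Nimda-style IIS traversal probes in web-server log lines.

Added example, not part of the eTrust alert. It reproduces the decoding
mistakes behind the IIS vulnerabilities the alert lists (decoding the path
a second time after the first decode, and accepting overlong two-byte
UTF-8 sequences as path separators) so that evasive requests canonicalize
to the path IIS actually executed. Log format and lines are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

# Overlong two-byte UTF-8 leads 0xC0/0xC1 can only encode ASCII (e.g. %c0%af
# -> '/', %c1%9c -> '\'); patched IIS rejects them, vulnerable IIS folds them.
OVERLONG = re.compile(rb"[\xc0\xc1](.)", re.DOTALL)

# Executables a web client has no business requesting through IIS.
# root.exe is Code Red II's cmd.exe copy that Nimda also probed (not in the alert).
PROBE_TARGETS = {"cmd.exe", "root.exe"}

# Constructed sample log in a simplified "client method path status" layout
# (assumption: not the real IIS W3C format). The 10.0.0.9 requests use the
# classic traversal/double-decode probe forms for the listed vulnerabilities.
SAMPLE_LOG = """\
10.0.0.5 GET /index.htm 200
10.0.0.5 GET /images/logo.gif 200
10.0.0.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 200
10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 404
10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 200
10.0.0.9 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 200
10.0.0.9 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir 200
10.0.0.9 GET /c/winnt/system32/cmd.exe?/c+dir 200
10.0.0.7 GET /docs/a%20b.htm 200
"""


def iis_decode(raw_path):
    """Return (decoded_path, evasive) the way unpatched IIS 4/5 saw the path."""
    first = unquote_to_bytes(raw_path)
    # Double-decode flaw: a second pass turns %255c (-> %5c) into '\'.
    second = unquote_to_bytes(first) if b"%" in first else first
    # Overlong-UTF-8 flaw: fold 0xC0/0xC1 + any byte into the ASCII it encodes.
    folded = OVERLONG.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(0)[1] & 0x3F)]),
        second,
    )
    evasive = folded != first   # the path changed after the first, correct decode
    return folded.decode("latin-1"), evasive


def classify(raw_path):
    """Return the list of reasons a request path looks like a Nimda probe."""
    decoded, evasive = iis_decode(raw_path)
    path = decoded.split("?", 1)[0].replace("\\", "/")
    depth, escaped, target = 0, False, ""
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            escaped = escaped or depth < 0   # climbed above the web root
        else:
            depth += 1
            target = seg
    reasons = []
    if escaped:
        reasons.append("traversal above web root")
    if target.lower() in PROBE_TARGETS:
        reasons.append("requests " + target.lower())
    if evasive and reasons:
        reasons.append("encoded separator (double-decode/overlong UTF-8)")
    return reasons


def scan_log(text):
    """Return (client, raw_path, reasons) for every probe-like line."""
    hits = []
    for line in text.splitlines():
        client, _method, raw_path, _status = line.split()
        reasons = classify(raw_path)
        if reasons:
            hits.append((client, raw_path, reasons))
    return hits


if __name__ == "__main__":
    for client, raw_path, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} {raw_path}\n    {'; '.join(reasons)}")
```

Run against real IIS logs, replace the `line.split()` in `scan_log` with a parser for the W3C extended format in use; the decoding and classification logic does not depend on the log layout. Note that a 404 on one probe form (as in the %c0%af line) says nothing about whether the next form succeeded, which is why every variant is flagged rather than only the ones that returned 200.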
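The alert also describes what Nimda leaves on a compromised host: Admin.dll at each drive root, readme.eml/readme.nws dropped beside infected htm/html/asp files, a one-line JavaScript addition in those files that runs the MIME copy, and on Win9x a system.ini `Shell=explorer.exe load.exe -dontrunold` entry. The script below is a second added example (again not from the post or from Computer Associates) that checks a directory tree for exactly those artifacts. The infected tree is constructed in a temporary directory; the injected script line in the sample and the script-tag pattern the scan matches are assumptions based on the alert's description, not text from the alert. The mmc.exe and riched20.dll replacements the alert mentions are not checked here, since telling the worm's copy from the genuine file needs known-good hashes that the page does not give.

```python
"""Look for the on-disk artifacts the eTrust alert attributes to Nimda.A.

Added example, not from the alert or from Computer Associates. It builds a
constructed directory tree (a stand-in for a drive root) and checks for:
Admin.dll at the root, readme.eml/readme.nws dropped next to web files,
htm/html/asp files carrying a script line that references those MIME files,
and the "Shell=explorer.exe load.exe -dontrunold" line in system.ini.
The injected script line used in the sample is a reconstruction (assumption).
"""
import os
import re
import tempfile

WEB_EXTENSIONS = {".htm", ".html", ".asp"}
DROPPED_MIME = {"readme.eml", "readme.nws"}
# Assumption: any script tag that refers to the dropped MIME file is treated
# as the worm's injected one-liner.
INJECTED_SCRIPT = re.compile(
    r"<script[^>]*>[^<]*readme\.(eml|nws)[^<]*</script>", re.I)
# system.ini [boot] Shell= pointing at load.exe, as the alert describes.
SHELL_LINE = re.compile(
    r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\b", re.I | re.M)


def check_system_ini(text):
    """True if the Shell= entry launches load.exe after explorer.exe."""
    return bool(SHELL_LINE.search(text))


def scan_tree(root):
    """Return a list of (path, finding) for Nimda artifacts under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}
        if dirpath == root and "admin.dll" in lower:
            findings.append((os.path.join(dirpath, lower["admin.dll"]),
                             "worm copy at drive root"))
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in DROPPED_MIME:
                findings.append((full, "dropped MIME copy of the worm"))
            elif ext in WEB_EXTENSIONS:
                with open(full, "r", errors="replace") as fh:
                    if INJECTED_SCRIPT.search(fh.read()):
                        findings.append(
                            (full, "injected script referencing readme.eml/readme.nws"))
    return findings


def build_sample_tree(root):
    """Populate root with a constructed infected layout; return a system.ini."""
    web = os.path.join(root, "inetpub", "wwwroot")
    os.makedirs(os.path.join(web, "clean"))
    with open(os.path.join(root, "Admin.dll"), "wb") as fh:
        fh.write(b"MZ constructed stand-in, not a real binary")
    with open(os.path.join(web, "default.htm"), "w") as fh:
        fh.write("<html><body>Welcome</body></html>\n")
        # Reconstructed injected line (assumption): opens the dropped MIME file.
        fh.write('<html><script language="JavaScript">window.open("readme.eml", '
                 'null, "resizable=no,top=6000,left=6000")</script></html>\n')
    with open(os.path.join(web, "readme.eml"), "w") as fh:
        fh.write("MIME-Version: 1.0\nContent-Type: multipart/related\n")  # constructed
    with open(os.path.join(web, "clean", "about.htm"), "w") as fh:
        fh.write("<html><body>Nothing here</body></html>\n")
    return "[boot]\nShell=explorer.exe load.exe -dontrunold\n[386Enh]\n"


def demo():
    """Build the constructed tree in a temp dir, scan it, and clean up."""
    with tempfile.TemporaryDirectory() as root:
        ini_text = build_sample_tree(root)
        findings = scan_tree(root)
        return check_system_ini(ini_text), sorted(f for _, f in findings)


if __name__ == "__main__":
    shell_hit, labels = demo()
    print("system.ini Shell= launches load.exe:", shell_hit)
    for label in labels:
        print("found:", label)
```

On a real host, call `scan_tree` on each drive root and `check_system_ini` on the text of the Windows system.ini; the scan only reports and never deletes, since the alert points to the vendor's removal instructions for clean-up.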