Kaspersky Lab Warns Not to Use the Internet or E-Mail without the Patch

18 Sep 2001
Virus News

A global epidemic of the network worm "Nimda" has been reported

Kaspersky Lab, an international data-security software developer, reports that on September 18th, an outbreak of the network worm "Nimda" was detected. We have received more than 500 reports from around the world regarding incidents of infection in connection with this malicious program.

"Nimda" ("Admin" backwards) poses a serious threat to companies and individual users alike. The worm shares every local drive on an infected computer for full network access, so anyone who can reach the machine over the network may delete, change, copy, or view any document on it. This can lead to the disclosure, loss, or unauthorized modification of confidential information.

"Nimda" penetrates a computer in several different ways:

First, via e-mail: an infected message in HTML format, containing several embedded objects, reaches the target computer. Merely viewing the message (no attachment needs to be opened) causes one of those objects to run without the user's knowledge. To achieve this, the worm exploits an Internet Explorer security flaw first disclosed in March of this year.

Second, while browsing infected Web sites: instead of the original page, the visitor is served a modified version carrying a malicious script, which downloads a copy of "Nimda" to the visitor's computer and starts it, again using the Internet Explorer flaw mentioned above.

Third, via the local network: the worm scans every network share it can reach and drops thousands of copies of itself onto them, on the assumption that a user who finds such a file on a disk or server will open it and infect his or her own computer.

In addition to penetrating workstations, "Nimda" also attacks Web servers running Microsoft Internet Information Server (IIS). The method for infecting IIS servers is identical to that of "BlueCode": the worm gains access to the remote server's disk, pulls its own file onto it from an already-infected computer, and then launches it. To do so it exploits the IIS vulnerability known as "Web Server Folder Traversal", described in the corresponding Microsoft security bulletin.
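The folder-traversal vector is the one part of this release that a defender can check for directly in server logs. The following Python script is an added example, neither Kaspersky's code nor a transcription of the worm's own requests: it scans web-server access log lines for directory-traversal attempts hidden behind percent-encoding, double-encoding, and overlong UTF-8 sequences (the "Unicode" encoding trick that the IIS folder-traversal flaw accepted as a path separator). The log lines are constructed for the example, and the `/scripts` and `/msadc` paths and the exact encodings are assumptions chosen to represent the traversal class, not the worm's actual traffic.

```python
"""Detect encoded directory-traversal attempts in web-server access logs.

Added example: the log lines are constructed, and the paths and encodings
used are assumed representatives of the traversal class, chosen to show why
a naive string match on ".." misses most of them.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (W3C-style fields:
# date time c-ip method uri-stem uri-query status). Not real traffic.
SAMPLE_LOG = """\
2001-09-18 14:31:02 10.0.0.5 GET /index.htm - 200
2001-09-18 14:31:05 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:31:06 10.0.0.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:31:09 10.0.0.9 GET /docs/reports/../2001/q3.htm - 200
2001-09-18 14:31:11 10.0.0.7 GET /msadc/..%%35c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:31:15 10.0.0.12 GET /docs/..%e0%80%af..%2fboot.ini - 404
"""

MAX_DECODE_PASSES = 3  # enough to unwrap double- and triple-encoding

# date time | c-ip | method | uri-stem | uri-query | status
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def fold_overlong_utf8(data: bytes) -> bytes:
    """Map overlong 2- and 3-byte UTF-8 encodings of ASCII back to the ASCII byte.

    A strict decoder rejects these sequences; a lenient one silently accepts
    0xC0 0xAF as '/' and 0xC1 0x9C as '\\', which is what lets "..%c0%af.."
    slip past a check that only looks for literal "../" before decoding.
    """
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 in (0xC0, 0xC1) and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b0 & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        elif (b0 == 0xE0 and i + 2 < n
              and 0x80 <= data[i + 1] <= 0x81 and 0x80 <= data[i + 2] <= 0xBF):
            out.append(((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F))
            i += 3
        else:
            out.append(b0)
            i += 1
    return bytes(out)


def normalize_path(raw: str) -> str:
    """Percent-decode until stable, fold overlong UTF-8, unify separators."""
    data = raw.encode("latin-1", errors="replace")
    for _ in range(MAX_DECODE_PASSES):
        decoded = fold_overlong_utf8(unquote_to_bytes(data))
        if decoded == data:
            break
        data = decoded
    return data.decode("latin-1").replace("\\", "/")


def escapes_root(path: str) -> bool:
    """Resolve '.' and '..' segments; True if the path climbs above the web root."""
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            if depth == 0:
                return True
            depth -= 1
        elif segment and segment != ".":
            depth += 1
    return False


def scan_log(text: str):
    """Return (client_ip, raw_path, normalized_path) for each traversal attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, client, _method, raw_path, _query, _status = m.groups()
        norm = normalize_path(raw_path)
        if escapes_root(norm):
            hits.append((client, raw_path, norm))
    return hits


if __name__ == "__main__":
    for client, raw, norm in scan_log(SAMPLE_LOG):
        print(f"{client}: {raw!r} -> {norm!r}")
```

Note that the scanner flags attempts regardless of the status code: a 404 still tells you which hosts are probing, and the same scanner run over a server's own log will show whether the traversal reached a real path before the patch was applied. The legitimate `/docs/reports/../2001/q3.htm` request is not flagged because resolving it never leaves the web root.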

"The reason for the heavy 'Nimda' outbreak is the non-standard means for penetrating a computer. Instead of the 'traditional' attached file, the worm takes advantage of a system-security breach. It is generally known that most users neglect the advice of installing the 'patch'; therefore, the level of infection resulting from 'Nimda' could surpass that of the recent infamous 'SirCam' worm," commented Eugene Kaspersky, Head of Anti-virus Research at Kaspersky Lab.

To protect against "Nimda," download and install the latest Kaspersky Anti-Virus update; the corresponding update was released on September 18 at 4:30 p.m. GMT (11:30 a.m. New York time). We also urge the immediate installation of the Internet Explorer and IIS patches that close the vulnerabilities described above. These patches block not only "Nimda" but also similar worms that may appear in the future.

"Without these protective measures, and given the level of the epidemic, we would recommend that users either be extremely cautious or temporarily hold off using e-mail or the Internet altogether," summed up Eugene Kaspersky.

More detailed information about the "Nimda" worm can be found in the Kaspersky Virus Encyclopedia.