Nasty little WORM ***Virus alert***

greenspun.com : LUSENET : Unofficial Newcastle United Football Club BBS : One Thread

Dunno if this has been mentioned recently - but just in case it hasn't, there's a new nasty little virus doing the rounds. Here's a description. As ever, never open an attachment without checking with a virus checker - and make sure your virus definition file is up-to-date as well!

INFORMATION ON THE W32.Nimda WORM

This is the preliminary information known at this time.

There is a new mass-mailing worm that utilizes email to propagate itself. The threat arrives as readme.exe in an email.

Delete any email you receive that contains this email attachment.

In addition, the worm sends out probes to IIS servers attempting to spread by using the Unicode Web Traversal exploit similar to W32.BlueCode.Worm. Compromised servers may display a webpage prompting a visitor to download an Outlook file which contains the worm as an attachment.

Also, the worm will create an open network share allowing access to the system. The worm will also attempt to spread via open network shares.

When executed, the worm will hook the system by replacing RICHED20.DLL, a legitimate Windows DLL, and modifying the system.ini file as:

Shell= explorer.exe load.exe -dontrunold

The worm will copy itself to:

%Windows System Directory%\load.exe

and in the Windows Temporary directory as temporary files named MEP*.TMP.EXE.

The worm uses MAPI calls to read email in one's inbox to find new email addresses. These MAPI functions are supported by Outlook (Express). The worm uses its own SMTP engine to send itself as an attachment with no body and random subject lines. When received, the readme.exe poses as an audio wav file.

The worm attempts to exploit unpatched IIS servers. The worm uses an old Unicode Web Traversal Exploit. Information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp By using this exploit, the worm copies itself to the web server as ADMIN.DLL. This file is executed remotely and is the worm itself causing the web server to be infected.

The worm searches for HTM, HTML, and ASP files to modify. These files are modified such that a MIME encoded copy of the worm is downloaded by a visiting browser. This file is an Outlook Express email file with the worm as an attachment inside.

In addition, the worm searches for open network shares. The worm iterates through files on the remote system. The worm copies itself over to these systems to be executed.

The worm also creates an open network share on the infected system, allowing other systems remote access.

Finally, the worm copies over additional legitimate files on the infected system, such as MMC.EXE.



-- Anonymous, September 19, 2001
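The post above says the worm probes IIS servers with the Unicode Web Traversal exploit from MS00-078 but doesn't show what such a probe looks like in a log, or why a server's own ".." check let it through. Here is an added example (my code, not from the original post, Symantec or Microsoft) that scans a few constructed IIS-style log lines for that class of request. The log lines and the probe URIs in them are made up for illustration, not a signature list; what is taken from MS00-078 is the mechanism itself: an overlong UTF-8 sequence (%c0%af for '/', %c1%9c for '\') or a double-encoded separator (%255c) is not treated as a path separator by a check that runs before decoding, so ".." never shows up as a segment on its own and the request slips past, only to be decoded into a real "../" later.

```python
"""Spot Unicode-traversal probes of the MS00-078 kind in web server logs.

Added example for this thread; not code from the original post, Symantec or
Microsoft. The log lines are constructed, and the probe URIs in them are
illustrative, not a signature list. What is taken from MS00-078 is the
mechanism: an overlong UTF-8 sequence (%c0%af for '/', %c1%9c for '\\') or a
double-encoded separator (%255c) is not seen as a path separator by a check
that runs before decoding, so '..' never forms a segment on its own.
"""
import re
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample, IIS-style fields: date time client-ip method uri status
SAMPLE_LOG = """\
2001-09-18 13:45:01 10.0.0.5 GET /index.html 200
2001-09-18 13:45:02 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 200
2001-09-18 13:45:03 10.0.0.9 GET /msadc/..%255c..%255c../winnt/system32/cmd.exe?/c+dir 404
2001-09-18 13:45:04 10.0.0.7 GET /images/logo.gif 200
2001-09-18 13:45:05 10.0.0.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
# Two-byte sequences with lead byte C0/C1 are always overlong (the value fits in 7 bits).
OVERLONG_2BYTE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def naive_has_traversal(raw_uri):
    """The single-pass check that misses these probes: decode once, look
    for a '..' segment. Overlong or double-encoded separators survive the
    single decode, so '..' stays glued to its neighbours."""
    path = unquote(raw_uri.split("?", 1)[0])
    return ".." in path.replace("\\", "/").split("/")


def normalize_path(raw_path, max_rounds=3):
    """Canonicalise the way the file system layer effectively did:
    percent-decode until stable (catches %25 double encoding), fold overlong
    two-byte UTF-8 down to the ASCII byte it encodes, treat '\\' as '/'."""
    data = raw_path.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded

    def fold(m):
        b0, b1 = m.group(0)
        code = ((b0 & 0x1F) << 6) | (b1 & 0x3F)
        return bytes([code]) if code < 0x80 else m.group(0)

    data = OVERLONG_2BYTE.sub(fold, data)
    return data.decode("latin-1").replace("\\", "/")


def escapes_webroot(path):
    """Walk the segments; any '..' that takes depth below the root escapes."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def is_traversal_probe(raw_uri):
    return escapes_webroot(normalize_path(raw_uri.split("?", 1)[0]))


def scan_log(text):
    """Return one record per probe line; a 200 on such a request is worth a
    closer look, since a patched server should not have served it."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _date, _time, ip, _method, uri, status = m.groups()
        if is_traversal_probe(uri):
            hits.append({
                "ip": ip,
                "uri": uri,
                "status": int(status),
                "normalized": normalize_path(uri.split("?", 1)[0]),
                "caught_by_naive_check": naive_has_traversal(uri),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it and the three probe lines come out flagged while the naive single-decode check catches none of them; that gap is the whole bug. The same normalisation (decode to a fixed point, fold overlong sequences, then walk segments) is the shape of check you want in front of any file-serving path, not just for hunting this worm in old logs.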

Answers

Screach, did you notice the note we got round was from our "Director of Data Security...etc.." ... Billy Whitehurst!

-- Anonymous, September 19, 2001

I check for updates on McAfee every morning, and if there are any I download them and 'scan all files'. I did this this morning, and came up with one file infected with this virus. My virus scan does not seem to want to delete this file so I have been checking out the situation with McAfee.

Best guess as to how it came in is via a 'chain' e-mail without attachments, but which played music automatically. This e-mail arrived late last night. So in other words, I assume they are saying it is in the body of the e-mail. Again, I NEVER open attachments now - no matter who the e-mail is from.

Until I am 100% sure that this virus has been deleted - please delete any e-mails immediately from me - I am NOT sending any to-day, and did not send any yesterday.

Also, does that mean it is dangerous to set up your e-mail programme to check for new mail periodically? As the top e-mail (which is always the one highlighted) opens automatically after a second or two, that surely will now be a bit of a risk.

I'll let you know when I am sure that my virus removal has worked.

-- Anonymous, September 19, 2001


I check for updates on McAfee every morning, and if there are any I download them and `scan all files`. I did this this morning, and came up with one file infected with this virus. My virus scan does not seem to want to delete this file so I have been checking out the situation with McAfee.

That's my Gal!!!

-- Anonymous, September 19, 2001


Gal, if your e-mail client is Outlook or Outlook Express and you have a preview pane (shows the first few lines of the mail), or this thing of yours that opens mails automatically, then you're in deep shit, babe...

A preview pane is just the same as opening it yourself...

-- Anonymous, September 19, 2001


Gav - it's Outlook Express, but maybe I didn't explain it properly. In my own non-techie terms: I open Outlook Express, it downloads my mail. The top box of Outlook Express lists the e-mails, the bottom half the contents of the e-mail which is highlighted. Just say I received five e-mails - the last one in is always highlighted. In the folders column, next to 'Inbox' it shows (5), but after two seconds it will show (4) because it automatically opens that first e-mail.

Am I being really stupid here? It has done it always. Can I disable this function? It doesn't open the attachments - it is just basically assuming that the e-mail has been read.

Screacher - I can't decide whether or not you are taking the mickey. McAfee is set up to automatically check for updates at 8.30 every morning, and if there are any, I download them, then scan just to be on the safe side.

After I had finished the downloads, I re-booted the computer, as it tells you to do, and as soon as I connected up to my e-mail and the internet again, I got the wriggling bug message with the option 'clean' or 'delete'. I tried the 'clean' button first and it said cannot clean, recommend delete - which I did. I then scanned all files anyway just in case, and there is one which I can't get rid of yet.

I know I am not very techie, but I assumed I was doing all the right things.

-- Anonymous, September 19, 2001



Gal, what you've described is a preview pane. You've GOT to turn that off, because you're basically opening EVERY mail you get in. This shouldn't open any attachments, but I'm certain one of these mail worms is using a preview pane vbs bug to propagate itself... I could be wrong but I doubt it...

-- Anonymous, September 19, 2001

Thanks Gav. I'm sure that I must be able to find the necessary 'option' to do that. I'm out with Mum this afternoon, it's her birthday. Tomorrow I'm taking her to Buckingham Palace. I'll have a quick look at my computer tonight, though.

Screacher, sorry if I sounded piqued - I'm not, just p@ssed off with this virus malarky.

Speak to you all later.

-- Anonymous, September 19, 2001


Galaxy, go to "View" > "Options", then cancel the preview button by clicking on it.

-- Anonymous, September 19, 2001

Hit our place yesterday at 3pm, nasty little thing hit about 40 other IIS Servers in about 2 minutes. Horrible (other than giving me an excuse to work from home today)

-- Anonymous, September 19, 2001

My Outlook Express (v5) path is:

View - Layout - uncheck 'Show preview pane' - Apply - OK

-- Anonymous, September 19, 2001



For non hotmail e-mail I've regressed to using elm under Unix and am now using the Vi editor - (and I am growing a beard and taking to wearing socks with my sandals - my armpits have also taken a turn for the worse). It works - no bliddy viroi for me.

-- Anonymous, September 19, 2001

Here's a tad bit more info I just got from my web hosting company. If this is nothing to do with the terrorists, then someone's got a sick sense of humour. :-(

From: support@5dollarhosting.com [mailto:support@5dollarhosting.com]
Sent: Tuesday, September 18, 2001 5:01 PM
To: support@5dollarhosting.com
Subject: Network Issues Tues 9/18/01

Dear 5DollarHosting Clients,

We are currently working on a block for the new worm/virus, called W32/Nimda.A-mm, that was released this morning. This worm is creating large amounts of traffic on the internet as well as our network. You may have noticed that some of your sites are loading slower than usual, or even timing out entirely. We anticipate having a block up by this evening at latest. This will help alleviate the traffic slowdown, but the internet at large is suffering as a result of this massive outbreak.

Please note that this virus will not affect any of the files on our servers, as it exploits vulnerabilities in Microsoft-based web servers. We run Red Hat Linux on all our machines. This worm is spread through Outlook - and you don't have to do anything more than click the message to be infected! Please exercise caution when opening emails, and visit your antivirus provider's web site to get the latest protection. For more information about this virus you can visit http://www.wired.com/news/technology/0,1282,46944,00.html or http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html.

NOTE: this worm was released almost exactly at 8:45 AM Eastern Time on the one-week anniversary of the Trade Center attack. It is definitely malicious, and we can only hope it is not related to the events of last week.

-- Anonymous, September 19, 2001


Finally managed to get McAfee Virus Scan to delete the one file containing this virus. Unfortunately I can't re-access McAfee to scan again to make sure it has gone. So until I've done that, please be aware that I am not sending any e-mails.

I guess McAfee must have gone into an overload situation - in view of Ciara's posting, I guess that's understandable.

Thanks for the advice, one and all. I have now clicked off the preview option - sometimes I frighten myself with my lack of knowledge.

-- Anonymous, September 19, 2001


Don't be too hard on yourself, Galaxy. Part of the blame has to lie with Micro$haft for putting out software that's ridiculously easy to exploit.

-- Anonymous, September 19, 2001

To tell you the truth Ciara, when it comes to computers I always think that it's somehow something I have done wrong because I don't know enough about the whole thing. As whole organizations have fallen foul of this virus, I think I'm safe to assume that I haven't singlehandedly brought the entire world wide web to its knees by not knowing enough about Outlook Express! (;o)

-- Anonymous, September 19, 2001


LOL. I wouldn't have known it was possible to turn off that annoying preview screen if it weren't for this thread. They use Outlook where I'm working right now, but I don't usually even open it up until someone says they sent me an email, 'cause the whole program just annoys me. ;-)

-- Anonymous, September 19, 2001

Can I suggest that the easiest thing to do, especially as I don't like Microsoft!!, is to download Netscape Communicator and use their email system, which does not have the preview pane (pain!)

-- Anonymous, September 19, 2001

And here was me thinking I was the last remaining Netscape user on the planet.

-- Anonymous, September 21, 2001
