Here we go again.
Another worm outbreak is wreaking havoc on servers and PCs across the globe. W32/Nimda (“admin” spelled backwards) was first reported on Tuesday. It infects systems running Microsoft Windows 95, 98, ME, NT and 2000, and IIS servers with known vulnerabilities.
Gus Malezis, general manager for Network Associates Inc., says this is an incredibly widespread outbreak. “We’re seeing it in government, we’re certainly seeing it in enterprise organizations, we’re also seeing it in small- to medium-size ISPs,” he says.
The New Brunswick government was affected, according to a spokesperson, and ITBusiness.ca was unable to load the provincial Web site Wednesday afternoon. The Toronto office of communications company Fleishman-Hillard Inc. also felt the effects, says Peter Janecek, its senior vice-president and partner, advanced technology group. He says it didn’t have access to the Web on Wednesday because its firewall had been shut down as a precautionary move, and it had a few minor problems with e-mail. He adds he expects things to be back to normal Thursday morning.
Like Code Red, Nimda propagates itself through e-mail. Once a computer is infected, it sends itself as an attachment (most commonly as a file named readme.exe) to recipients in the user’s address book. Microsoft Outlook users who haven’t installed a patch released in March don’t need to open the attachment to set the worm loose: opening the infected mail is enough, says Michael Murphy, Symantec Corp.’s general manager for Canada, but he adds that Lotus Notes and Eudora users must open the file.
This isn’t the only trick in Nimda’s bag.
“It propagates using Microsoft networking shares, so in other words if you share a folder or part of your hard disc drive it will jump around using that. The last thing, of course, is it propagates just simply by you viewing an infected Web page (the Java option on your browser must be enabled),” Malezis says.
The good news is Nimda isn’t carrying a destructive payload, which isn’t to say it poses no threat. Malezis says by sharing parts of your hard drive without your consent it opens up the potential for someone to access, steal or destroy sensitive information.
While virus and worm writers will most likely always be one step ahead, a question lingers: Why do these attacks spread so quickly and widely? Malezis says part of the problem is people fail to update and patch their systems long after a remedy has been made available.
“A lot of them are not smart enough to figure out how to break into IIS,” Malezis says. “Hackers look to published vulnerabilities counting on people not having implemented the patch.”
Murphy says part of the problem is overworked network administrators. “They can’t keep on top of all the alerts, all the bulletins and all the threats, and they really need help from outside companies that have the expertise,” he says.
To prevent further infestation, Murphy has a number of recommendations. These include replacing the HTML files on corporate or e-commerce Web sites from a secure backup, blocking e-mail that carries readme.exe attachments, and updating anti-virus products with the latest definitions.
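As an added illustration of the second recommendation (this is example code, not from the article or from any vendor product), a small mail-gateway check that parses a message and reports any attachment named readme.exe so the message can be held for quarantine. The two sample messages are constructed for the example.

```python
import email
from email import policy

# Attachment names the gateway refuses; the article names readme.exe as Nimda's usual carrier.
BLOCKED_NAMES = {"readme.exe"}

# Constructed sample: a multipart message carrying a readme.exe attachment (placeholder bytes).
SAMPLE_INFECTED = (
    "From: alice@example.org\r\n"
    "To: bob@example.org\r\n"
    "Subject: hi\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    "\r\n"
    "--XYZ\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "see attached\r\n"
    "--XYZ\r\n"
    'Content-Type: application/octet-stream; name="README.EXE"\r\n'
    'Content-Disposition: attachment; filename="README.EXE"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "AAAAAAAAAAAA\r\n"
    "--XYZ--\r\n"
)

# Constructed sample: an ordinary plain-text message with no attachment.
SAMPLE_CLEAN = (
    "From: alice@example.org\r\n"
    "To: bob@example.org\r\n"
    "Subject: lunch\r\n"
    "\r\n"
    "noon?\r\n"
)


def blocked_attachments(raw_message, blocked=BLOCKED_NAMES):
    """Return the attachment file names in raw_message that match the block list.

    Matching is case-insensitive and ignores any directory component in the
    declared file name, so README.EXE and C:\\tmp\\readme.exe both match.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():          # non-multipart messages yield nothing
        name = part.get_filename() or ""
        base = name.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower() in blocked:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, raw in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, "->", "quarantine" if blocked_attachments(raw) else "deliver")
```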
Patches are available for both the IIS vulnerability and Web browsers at http://www.microsoft.com/security.