19 Sep 2001
Nimda virus spreading across internet - Sophos warns against double-pronged attack
Sophos, a world leader in corporate anti-virus protection, is
today warning users to be on their guard against a destructive new
virus called W32/Nimda-A. Sophos has
already received hundreds of reports of the virus in the wild.
Using a vulnerability in Microsoft's IIS web server software,
the Nimda virus corrupts websites with malicious code. Without
their knowledge, innocent computer users can trigger the virus by
simply browsing a website. The virus then forwards itself by email
to all addresses found on the user's computer. Infected e-mails
carry the attachment README.EXE and on some systems will execute
automatically without the user having to double-click on the
attachment.
"This virus is serious - you can get stung by browsing the
internet or by opening an infected email," said Graham Cluley,
senior technology consultant, Sophos Anti-Virus. "You can think of
Nimda as combining the mechanisms of three existing viruses:
CodeRed-II (which mounts an attack against unpatched web servers),
Kakworm (which exploits unpatched mailers/browsers to run encoded
files automatically), and Sircam (which sends an email attachment
and assumes that at least some users will click on it)."
Users with web servers compromised by Nimda are advised to
replace all modified files, and to carry out a full security audit.
One of the exploits by which Nimda attacks servers relies on holes
left behind by a previous Troj/CodeRed-II attack -
and Nimda itself tries to open additional security holes, such as
giving administrative powers to the "guest" user, which is supposed
to be a highly restricted account.
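A defender's check for the last point above, added here as an example and not code from Sophos or from the advisory: it looks for the "guest" privilege change the text describes on a local Windows host. It assumes the LocalAccounts cmdlets (Get-LocalUser, Get-LocalGroupMember), which are far newer than the systems Nimda targeted in 2001.

```powershell
# Added audit check (not part of the Sophos advisory). Matches accounts by
# well-known RID rather than name, so a renamed Guest account is still caught:
# RID 501 = built-in Guest user, RID 546 = built-in Guests group.
function Test-GuestPrivilegeAbuse {
    [CmdletBinding()]
    param(
        [string]$AdminGroup = 'Administrators'
    )
    $findings = @()

    # Guest is disabled by default; an enabled Guest is suspicious on its own.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
    if ($guest -and $guest.Enabled) {
        $findings += "Guest account '$($guest.Name)' is enabled"
    }

    # Guest (or the Guests group) inside Administrators is the privilege
    # escalation the advisory warns about.
    $members = Get-LocalGroupMember -Group $AdminGroup -ErrorAction Stop
    foreach ($m in $members) {
        if ($m.SID.Value -like '*-501' -or $m.SID.Value -like '*-546') {
            $findings += "$($m.Name) ($($m.ObjectClass)) is a member of $AdminGroup"
        }
    }
    return ,$findings
}

$result = @(Test-GuestPrivilegeAbuse)
if ($result.Count -eq 0) {
    Write-Output "OK: Guest holds no administrative rights"
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Any finding here warrants the full audit the advisory recommends, since a Guest account with administrative rights indicates the host has already been tampered with rather than merely exposed.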
Sophos researchers have developed a standalone utility which can
detect and disinfect the W32/Nimda-A virus.
About Sophos
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.