What do you get when you cross Anna Kournikova with Code Red? No, it isn't a joke, it's a new worm called "Nimda" taking the Internet by storm, featuring a hybrid client/server payload. SearchSecurity discussed this hybrid virus with Jim Reavis today to try to gain some understanding of what it is and how you can deal with it in your organization.Why do you call this virus a hybrid?
Reavis: The virus is spreading both through the now traditional method of reading a local client's address book, as well as through infected web servers. The client payload of the virus, readme.exe actually tries to attack Microsoft IIS Web Servers with the Web Server Folder Traversal Vulnerability and make them carriers of the virus. The IIS Web Server version of the virus is called readme.eml.Why is it spreading so quickly?
Reavis: The virus is sent via an email within an HTML page that will force the attachment to run - simply by opening or even previewing the message! This virus will spread in two main ways:
1. Emailing itself to recipients listed in an Outlook address book.
2. By visiting an infected IIS web server with Internet Explorer. This is a new and quite insidious way to propagate a virus.
How can companies protect themselves?
Reavis: Antivirus vendors are hard at work updating their signature files to detect and clean systems with NIMDA. If you are using Outlook, it is recommended
Microsoft also needs to release a patch for Internet Explorer to prevent web browsers from becoming infected. Until then, be VERY, VERY careful about your surfing habits. Do not download any file named readme.eml.How can we protect our network?
Reavis: Depending upon your system configuration and your level of skill, you may be able to configure your Internet Mail gateway to block file attachments named readme.exe. When available, update the antivirus software for your servers and mail gateways as well.
IIS Web Servers still containing the "Web Server Folder Traversal" Vulnerability should be patched. Here's the information.Is this virus connected to the recent terrorist activity?
Reavis: Some experts are trying to make that connection based on the fact that it began circulating a week -- almost to the hour -- after the WTC attack. However this is speculation at this point, and could be a coincidence.More on Jim Reavis.
Jim has worked in the high tech and the information security industry for 14 years in several capacities. He has leveraged his security industry knowledge as a writer, speaker, software publisher, IS manager and information technology consultant. Jim is best known as the founder of SecurityPortal and is currently the Chief Marketing Officer for VIGILANTe, a developer of security testing technology.