
Scary Hybrid E-Mail Worm Loose

posted on September 19, 2001
by hitbsecnews

Source: Wired
A new e-mail worm that appears to be a retooled combination of several other successful worms -- and which an Internet security firm says was first released almost to the exact minute of the one-week anniversary of the World Trade Center attacks -- is spreading rapidly across the Internet.

This worm, named W32/Nimda.A-mm, is dangerously different from virtually all e-mail-borne viruses: it can infect a computer when a user simply clicks on the subject line in an attempt to open the innocent-looking e-mail, or visits a Web page housed on an infected server.

The e-mails arrive from addresses both known and unknown to the recipient. No action beyond opening the e-mail is required; therefore, the virus is spreading rapidly.

The virus, according to preliminary analysis, combines the worst features of the two worms that have crawled across the Internet since June.

"The rate of growth and spread is exceedingly rapid -- significantly faster than any worm to date and significantly faster than any variant of Code Red," read an alert issued by TruSecure.

TruSecure's release also said, "We cannot discount the coincidence of the date and time of release, exactly one week to (probably to the minute) as the World Trade Center attack."

W32/Nimda.A-mm sends itself by e-mail, as SirCam does, and also scans for and infects web servers like Code Red does.

At least with Code Red and SirCam, computer users had a fighting chance.

Servers could be patched to protect against Code Red, and unclicked e-mailed attachments couldn't spread SirCam.

But most e-mails containing the W32/Nimda.A-mm worm do not have a visible attachment. When the subject of the email is clicked so that the recipient can read the e-mail, the worm is immediately activated and attempts to run a programming script.

Infected Web servers will also attempt to spread the virus to anyone who visits websites that are housed on that server by pushing a "readme.exe" or "readme.eml" file to computers that visit the infected sites. The virus is activated automatically upon transmission.

W32/Nimda.A-mm appears to be exploiting a hole found last year by bug hunter George Guninski. The hole allows malicious hackers to force Microsoft's Web browser and e-mail programs to automatically open small programming scripts embedded in Web pages or e-mail. These scripts can contain viruses or worms.

Guninski said the only workaround is to "Disable Active Scripting" in the Tools/Options/Security menu, which can be accessed from within Outlook or Explorer.

Steven Sundermeier, vice president of Central Command, said that initial analysis indicates that the worm is attacking servers via the "Unicode Web Traversal" exploit, in the same manner as a Code Red variant, CodeBlue. Information and a patch for this exploit are located on Microsoft's website (http://www.microsoft.com/technet/security/bulletin/ms00-078.asp).
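Detection logic for the "Unicode Web Traversal" request pattern named above, added here as an example that is not the article's, Central Command's or Microsoft's code; the log format and request paths are constructed. It canonicalises percent-encoding and the overlong UTF-8 forms of "/" and "\" before looking for ".." segments, which is the ordering the MS00-078 fix imposes on the server side.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS-style log lines (client, method, path, status); not from the article.
# Lines 1-2 carry the overlong UTF-8 "/" and "\" (C0 AF, C1 9C) that MS00-078 describes,
# line 4 uses plain percent-encoding, line 5 is benign ("..notes" is a name, not "../").
SAMPLE_LOG = """\
192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 200
192.0.2.11 GET /cgi-bin/..%c1%9c../winnt/system32/cmd.exe?/c+dir 200
192.0.2.12 GET /index.htm 200
192.0.2.13 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe 404
192.0.2.14 GET /docs/..notes/readme.htm 200
"""

OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")        # 2-byte overlong form of an ASCII char
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?=[\\/]|$)")    # a ".." path segment: "/../" or "\..\"

def decode_overlong(raw: bytes) -> str:
    # Map C0/C1-led two-byte sequences back to the ASCII they encode; pass other bytes through.
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def classify(path: str) -> dict:
    # Decode first, then check: a ".." test run on the raw request text misses the overlong form.
    raw = unquote_to_bytes(path)
    decoded = decode_overlong(raw)
    return {"decoded": decoded,
            "traversal": TRAVERSAL.search(decoded) is not None,
            "overlong_utf8": OVERLONG.search(raw) is not None}

def scan_log(text: str) -> list:
    # Return (client, decoded_path, used_overlong_utf8) for every traversal request in the log.
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, _method, path, _status = fields[:4]
        info = classify(path)
        if info["traversal"]:
            hits.append((client, info["decoded"], info["overlong_utf8"]))
    return hits
```

The overlong flag separates requests that needed the MS00-078 bypass from ordinary encoded traversal, which an unpatched server would already have refused.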

The worm seems to be infecting only servers that use Microsoft's Internet Information Server software. But the worm's constant scanning for other vulnerable computers may cause slowdowns across the Internet.

Once the virus is active, it attempts to infect all compressed files, such as ZIP archives on a computer's hard drive, as the IRC worm called "readme.exe" does. It then e-mails copies of itself out to selected addresses in the infected computer's Outlook e-mail address book and Web cache folders, and begins scanning the Internet for Web servers to infect.

"We've caught 400 copies in the past hour," said Alex Shipp, at MessageLabs, an antiviral screening company, at noon EDT.

Other antiviral companies report a similar flood, and are analyzing the worm. They hope to post remedies on their sites on Tuesday.

The virus appears to be using the names of archived files on a computer hard drive as the subjects of the e-mails it sends out.

E-mails with long subject names such as "desktopsamplesdesktopsamples" are a particular indication of the virus, but some copies are arriving with short names such as "xboot" and "sample."

When clicked, depending on a particular system's configuration, a dialog box may open asking if "readme.exe" should be opened or saved to file. Regardless of the chosen option, the virus has been activated.

Even deleting the e-mails that contain the virus is difficult. Clicking on them to select them for deletion activates the virus.

Currently, the only way to avoid the virus is to disable scripting and refrain from opening any e-mail that is unexpected, or whose subject line does not relate to an on-going conversation.
