
Networking

Nimda strikes U.K. broadband users

posted on September 20, 2001
by hitbsecnews

BT says that two of its exchanges may have been hit by the Nimda virus, cutting off U.K.
broadband users.

Users of BT's ADSL broadband service suffered severe connectivity problems on Wednesday when
equipment at two exchanges was hit by what the company believes was the Nimda worm.

A recorded message on the company's helpline told callers that it was experiencing problems, with users
having trouble connecting to the Internet. The message said this could be "due to the recent outbreak of the
Nimda virus."

New IIS "Concept Virus" Worm: NIMDA Propagating Quickly

posted on September 19, 2001
by hitbsecnews

Editor's Note: Perhaps the scariest aspect of this particular worm is its reported ability to
infect users who simply view a webpage with Microsoft's Internet Explorer on an infected
server.

SANS Institute release:

Nimda Worm
Version 0.1 - September 18, 2001
New IIS "Concept Virus" Worm: NIMDA Propagating Quickly

UPDATE SUMMARY: A new worm that has been named "Nimda" is propagating with unprecedented speed
across the Internet. The worm appears to have at least four distinct propagation mechanisms.

The start of a new attack

posted on September 19, 2001
by hitbsecnews

I just spent the whole morning watching my intrusion detection alerts and tracking the progress of Nimda ('admin' spelt backwards). If you haven't been tracking the security lists, and I am sure most admins in Malaysia are not, then here's a heads up. Nimda is a new worm/virus which has currently 4 known attack vectors. It spreads by using the same IIS vulnerability which Code Red made use of, it spreads by email and it spreads when an Internet Explorer browser stops by an infected webserver.

FBI investigating new Internet worm - didn't we say this might happen?

posted on September 19, 2001
by hitbsecnews

If Attorney General Ashcroft hadn't talked about this Windows worm on national TV, and
received at least ten in my mailbox already, this would probably otherwise belong on an NT
security web site, but certainly many of us have heterogeneous networks. Nimda is
Admin backwards... "The worm, known as "W32.Nimda," had affected "thousands,
possibly tens of thousands" of targets by midday Tuesday, according to Vincent Gullotto,
head virus fighter at McAfee.com, a software company.

No cyber attacks yet, but they're coming

posted on September 18, 2001
by hitbsecnews

Security experts have been expecting a slew of hacker activity once the U.S. military retaliates for last week's terrorism, even though cyber attacks weren't launched immediately after the disaster, ZdNet eWeek reports.

Looks like the Thais are pissed off!

posted on September 18, 2001
by hitbsecnews

Well the S.E.A (South East Asian) Games 2001 came to a close yesterday evening, with Malaysia topping the table with a total of 111 gold medals. However, it appears that the Thais (who came in second) are a tad bit pissed about not topping the table as they usually do... Early this morning I got word from Sniper that http://www.malaysiaevents.com was defaced with the following, somewhat crude message:

Microsoft Index Server 2.0 File Information and Path Disclosure Vulnerability

posted on September 16, 2001
by hitbsecnews

The sqlqhit.asp sample file is used for performing web-based SQL queries.

Malicious users could send a specially crafted HTTP request to an Internet Information
Services server running Index Server to reveal path information, file attributes, and possibly
some lines of the file contents.

The sqlqhit.asp file is located in the \inetpub\iissamples\ISSamples folder and is installed by
default.

Solution: Currently no vendor-supplied patch available.

Details:

Counterpane Password Safe Data Buffer Recovery Vulnerability

posted on September 15, 2001
by hitbsecnews

Counterpane Password Safe is a freely available password storage program designed to
securely store usernames and passwords, accessible by one master password, or
"combination" to the safe.

A problem in Password Safe makes it possible for local users to gain access to clear text
usernames, and potentially passwords. When the program option to clear passwords from
the clipboard is enabled, Windows will copy the contents of the clipboard to a buffer prior
to minimizing the program.

Hacker targets NetNames' network

posted on September 15, 2001
by hitbsecnews

Domain name registrar NetNames pulled down all the 7,000-plus sites it represents after a majority were
hacked today (Friday).

Clients, who include musician Paul Weller, nightclub Stringfellows and shoe designer Jimmy Choo, saw
their sites temporarily go down following the attack by a hacker called Fluffi Bunni.

Microsoft Outlook Express 6 Plain Text Message Script Execution Vulnerability

posted on September 14, 2001
by hitbsecnews

Microsoft Outlook Express 6 contains a vulnerability which allows an email message of
content-type 'text/plain' to execute specially crafted scripting components.

It is important to note that Outlook Express 6 does not allow any scripting to be executed
by default. This security feature must be turned off in order to exploit this vulnerability.

Solution: A workaround is to disable scripting in Outlook Express.