Interesting to note a few things here. First, NIPC is sharing information
with specific vendors. They are not witholding who reported the information
to NIPC to begin with. The vendor is then contacting them, using their
information, and sending it out to the customers without giving credit.
From: Greg Shipley (gshipley@neohapsis.com)
Ok, this is just funny. So I sent part of that mail message I
tossed to the list last night to "nipc.watch@fbi.gov." In that message I
mention:
==========================================================================
- Symantec has this worm at a removal level of "easy." If you think
formating your servers and re-installing the OS is easy (or if you have
tripwire running), then I guess this rating might be accurate. But if you
are like most of us in the field, once you realize how many files this
thing has torqued you are going to cringe. Which brings me to:
- This worm attaches itself to a ton of files .EXEs. .HTMs. .DOCs. - there
may be many more. So far, I've seen it hit targeted files as well as
random ones. Among the targeted ones, it appears to consistently nail
netmeeting's conf.exe, hyperterm, mediaplayer, wordpad, etc. It also hits
random files, as it has attached itself to a copy of "putty.exe" that I
set aside on a shared drive. It appends itself to these files so that it
can lurk, and (hopefully) be launched at a later date. All of these file
attachments could be random, I haven't performed analyses on enough
machines to tell, but the thing the masses can take away from this is that
this thing modifies files and data - it doesn't just deface sites, and
chew up bandwidth, like other worms. In short, it will cost more to
correct, and could really mess with people's data. NO ONE SEEMS TO BE
REPORTING ON THIS.
==========================================================================
Then this morning I received the following from a Symantec dude - I can
only imagine that he got this via NIPC:
==========================================================================
Date: Wed, 19 Sep 2001 09:20:14 -0700
From: Vincent Weafer (vweafer@symantec.com)
To: gshipley@neohapsis.com
Subject: Nimda thoughts and follow-up. (fwd)
Hi Greg,
Good catch, on the removal.. it is being changed to reflect the current
knowledge on the worm and how to remove it. Certainly not easy.
- Vincent
Symantec Security Response
==========================================================================
A few hours later, I receive the below message from the Symantec
PR machine. Thanks for the news flash guys. Sheeze.
-Greg
---------- Forwarded message ----------
Date: Wed, 19 Sep 2001 18:03:08 +0000
From: Sherri Walkenhorst
To: gshipley@neohapsis.com
Subject: SYMANTEC PROVIDES COMPREHENSIVE PROTECTION AGAINST W32.NIMDA.A@MM
Dear Greg,
Symantec Corporation, a world leader in Internet security, today announced
that new analysis of W32.Nimda.A@mm reveals that the worm contains an
additional destructive payload that will not only require detection, but
removal.
Please find below the complete press release. Please don^Òt hesitate to
contact me for further information.
Regards,
Sherri Walkenhorst
Connect Public Relations
(801) 373-7888
sherriw@connectpr.com
News Release
FOR IMMEDIATE RELEASE
CONTACT:
Yunsun Wee Sherri Walkenhorst
Symantec Corporation Connect Public Relations
(310) 449-7009 (801) 373-7888
ywee@symantec.com sherriw@connectpr.com
SYMANTEC PROVIDES COMPREHENSIVE PROTECTION AGAINST W32.NIMDA.A@MM
New Analysis of Computer Worm Indicates Additional Destructive Payload
CUPERTINO, Calif. ^Ö Sept. 19, 2001 ^Ö Symantec Corp. (Nasdaq: SYMC), a world
leader in Internet security, today announced that new analysis of
W32.Nimda.A@mm reveals that the worm contains an additional destructive
payload that will not only require detection, but removal. The new analysis
indicates that the worm is a file infector, infects .exe files resides in
memory.
W32.Nimda.A@mm is a mass-mailing worm that utilizes multiple methods to
spread itself. The worm sends itself out by e-mail, infects machines over
the network, and infects unpatched or already vulnerable Microsoft IIS Web
servers. The worm also has various side effects, such as increasing network
traffic while searching for machines to infect, which may cause network
bandwidth problems. W32.Nimda.A@mm will also attempt to create security
holes by creating a guest account with administrator privileges and create
open shares on the infected system.
Symantec currently provides an integrated detection and repair solution
against W32.Nimda.A@mm. In one step, users can download a solution that will
simultaneously detect the worm and repair damaged files. The new definitions
are available through Symantec^Òs LiveUpdate feature or from the Symantec Web
site www.securityresponse.symantec.com/avcenter/download.html. Symantec is
developing a separate removal tool to eradicate the worm from the PC memory.
^ÓUsing blended Internet security threats ^Ö the combination of viruses,
exploits, or vulnerabilities ^Ö to attack businesses and destroy assets,
continue to rise,^Ô said Vincent Weafer, senior director of Symantec Security
Response. ^ÓTo combat such a fast spreading threat, Symantec integrated its
solution for W32.Nimda.A@mm to detect and repair, allowing for quick clean
up with little downtime.^Ô
Symantec Security Response recommends that IT administrators implement the
following to stop the propagation of W32.Nimda.A@mm:
· Block e-mails containing a ^Óreadme.exe^Ô attachment.
· Update virus definitions and ensure that firewalls are correctly
configured.
· Download the latest security updates for Enterprise Security Manager and
NetRecon.
· Install the IIS Unicode Transversal security patch.
· Install the malformed MIME header execution security patch.
· Close network share drives.
Additionally, consumers can immediately protect themselves against the new
worm by implementing the following:
· Use Symantec^Òs LiveUpdate feature to obtain the latest virus definitions.
· Use the Windows Update feature located on the ^ÓStart^Ô menu on Window 95
and higher systems to download new security patches.
· Disable the ^ÓFile Download^Ô feature in Internet Explorer to prevent
compromise.
Both consumers and enterprises can be infected through a variety of methods.
· E-mail ^Ö One of the methods the worm uses to infect PCs though is e-mail.
The e-mail arrives with an attachment ^Ö readme.exe that is not always
visible and contains a randomly generated subject line and no body message.
The worm uses its own SMTP engine to e-mail itself out to all the addresses
it collects by searching the user^Òs incoming and outgoing e-mail boxes.
Internet Explorer users v5.01 or v5.5 - (IE 5 with the Service Pak 2 or
later installed or IE 6 are not affected) will receive a blank e-mail ^Ö no
subject line, no body and a hidden attachment. Just opening the e-mail can
infect users^Ò PCs. For the latest Microsoft security patch, visit
http://www.microsoft.com/windows/ie/download/critical/q290108/default.asp.
· Shared Drives ^Ö PC users with shared drives enabled are also at risk. The
worm searches for open network shares and will attempt to copy itself to
these systems and then execute. IT administrators should close all network
shared drives.
· Web sites ^ÖWhen users visit a compromised Web site, the server will run a
script attempting to download an Outlook file, which contains the
W32.Nimda.A@mm worm. The worm will create an open network share on the
infected machine allowing access to the system. W32.Nimda.A@mm specifically
targets versions of IIS servers, taking advantage of the known Universal Web
Traversal exploit (MS Security Bulletin MS00-078), which is similar to the
exploit used in the Code Red attack. Compromised servers will display a Web
page and attempt to download an Outlook file that contains the worm as an
attachment. IT Administrators should download the Microsoft security patch
for IIS 4.0 at
http://www.microsoft.com/downloads/Release.asp?ReleaseID=32061 and for IIS
v5.0 at http://www.microsoft.com/downloads/Release.asp?ReleaseID=32011.
Symantec provides additional protection against W32.Nimda.A@mm through the
following solutions:
· Enterprise Security Manager ^×Symantec's policy compliance and
vulnerability management system, helps manage security patch update
functions. New patch templates are available that detect the underlying
vulnerability on Windows NT 4.0 and Windows 2000 servers.
· NetProwler ^Ö Symantec's network-based intrusion detection tool, with
Security Update 8 installed, is capable of detecting attempts to attack IIS
4.0 and 5.0 servers through this vulnerability.
· NetRecon ^Ö Symantec^Òs network vulnerability assessment tool will be
updated to detect if this vulnerability exists on a system and if so will
provide recommendations on how to fix it.
· Symantec Enterprise Firewall (Raptor Firewall) ^Ö Symantec's application
inspection firewall, by default, blocks suspect outbound data traffic from
web servers, like IIS, when operating on the firewall's service network,
thereby stopping the propagation of this, as well as other types of attacks.
· Symantec Security Check ^Ö This service, www.symantec.com/securitycheck,
has been updated to scan if a system is vulnerable to this exploit.
· Norton Internet Security ^Ö Symantec^Òs integrated security and privacy
suite for consumers can be updated to ensure only trusted programs access
the Internet.
For detailed information about this threat, visit Symantec^Òs Web site at
www.symantec.com.
Symantec Security Response
Symantec Security Response provides thorough analysis of each component of
the Internet security threat and how the threats work together, while at the
same time providing recommendations on how to best protect against them.
Symantec Security Response: Research Centers
Through a global network of researchers and technicians working around the
clock, Symantec Security Response acts immediately, alerting customers,
creating and distributing fixes to the latest security threats and
vulnerabilities and providing global technical and emergency support ^Ö on
site or on the phone.
About Symantec
Symantec, a world leader in Internet security technology, provides a broad
range of content and network security software and appliance solutions to
individuals, enterprises and service providers. The company is a leading
provider of virus protection, firewall and virtual private network,
vulnerability management, intrusion detection, Internet content and e-mail
filtering, remote management technologies and security services to
enterprises and service providers around the world. Symantec^Òs Norton brand
of consumer security products is a leader in worldwide retail sales and
industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide
operations in 37 countries. For more information, please visit
www.symantec.com.
###
NOTE TO EDITORS: If you would like additional information on Symantec
Corporation and its products, please view the Symantec Press Center at
http://www.symantec.com/PressCenter/ on Symantec's Web site. All prices
noted are in US dollars and are valid only in the United States.
Symantec, the Symantec logo, AXENT, AXENT Technologies, and the AXENT logo
are trademarks or registered trademarks, in the United States and certain
other countries, of Symantec Corporation or its subsidiaries. Additional
company and product names may be trademarks or registered trademarks of the
individual companies and are respectfully acknowledged.
FORWARD LOOKING STATEMENT: This press release contains forward-looking
statements that involve known and unknown risks, uncertainties and other
factors that may cause our actual results, levels of activity, performance
or achievements to differ materially from results expressed or implied by
this press release. Such risk factors include, among others: the risks that
current global adverse economic conditions and reduced spending will
continue or worsen; currency exchange fluctuations will adversely affect our
results; the continuing integration of the Symantec and AXENT will not be
successful; the difficulty of developing and marketing products that compete
effectively with others and other economic, business, competitive and/or
regulatory factors affecting Symantec's business generally. Actual results
may differ materially from those contained in the forward-looking statements
in this press release. Additional information concerning these and other
risk factors is contained in the Risk Factors sections of the Company's
previously filed Form 10-K for the year ending March 30, 2001.
