Nimda was Re: Net slow-down?

James Lee Bell plug-discuss@lists.PLUG.phoenix.az.us
Wed, 19 Sep 2001 00:37:40 -0700


Whoever wrote this Nimda thing is an evil bastard. This thing has
***3*** infection modes.

1) Web, a la Code Red/Blue. Tries the 16 different holes, some as old as
last October.
2) Open an email attachment (or an idiot config) in Outlook/Outlook Express,
your machine's infected, dumps emails with itself to your address book,
then goes to scanning for vulnerable web servers a la number (1).
3) Infected web servers get a script tag added to every *.html/*.htm it
can find that calls the worm, embedded in a *.eml as a wav file MIME
type, and puts it in a web-bug-sized window located at pixel 6000,6000.
Since an Internet Exploder browser sees it as a wav MIME type, it
automatically opens it and voila, your machine has joined the chorus.

I work at a Honeywell site in north Phoenix, and another site got
infected with this thing within an hour after it was released
(supposedly released at the same time, +7 days, as the first plane crashing into
the WTC). It played havoc with our corporate WAN until we got the AT&T guy
to throw an inbound ACL on outbound corporate web traffic from the major
infected site. I've got a "drop any web traffic (except to known patched
servers)" ACL on my own corp link, and it saw something close to 80K web
scans this morning. Our router and all the corp routers that the AT&T
guy checked would routinely peg at 98-99% utilization off and on for a
couple of hours until we got this thing tracked down.

Like I said, even if you're not a religious person, this thing is evil.

robert jorgenson wrote:
> 
> I saw a thing on TV about this today... the reason for the net slow-down is because it is transferring so much data. What happens is it
> searches for 16 different holes in IE 5.0-5.5 (go to Microsoft and get patches!!! (if you use Windows)) and their IIS server. It will go
> through all your e-mail you have, not your address book, and send out an e-mail that will start readme.exe just by reading the e-mail, not
> even opening an attachment. Then it takes over your internet connection searching for people without the patches. Although this is just
> what I heard, so some of it might not be correct, but I am pretty sure it is.
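The web-page footer described in mode (3) above, as a defender's check. This is an added example, not code from either message: a Python heuristic that flags *.htm/*.html pages whose `<script>` blocks open a *.eml in a window parked far off-screen (the post cites pixel 6000,6000); the sample pages, the `readme.eml` file name and the 2000-pixel threshold are constructed assumptions.

```python
"""Heuristic check for the injected web-page footer described in mode (3):
a <script> that window.open()s a *.eml resource in a window parked far
off-screen.  Added example for defenders; the samples below are constructed."""
import re
from pathlib import Path
from typing import Dict, List

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# window.open("<something>.eml", <name>, "<feature string>")
OPEN_RE = re.compile(
    r"""window\.open\(\s*["']([^"']+\.eml)["']\s*,\s*[^,]*,\s*["']([^"']*)["']""",
    re.I)
COORD_RE = re.compile(r"(top|left)\s*=\s*(\d+)", re.I)
OFFSCREEN_PX = 2000  # assumed threshold: no real pop-up is parked this far out


def find_eml_popups(html: str) -> List[dict]:
    """Return every .eml pop-up in the page with its position and a verdict."""
    hits = []
    for block in SCRIPT_RE.finditer(html):
        for m in OPEN_RE.finditer(block.group(1)):
            url, features = m.group(1), m.group(2)
            coords = {k.lower(): int(v) for k, v in COORD_RE.findall(features)}
            hits.append({"url": url, "top": coords.get("top"),
                         "left": coords.get("left"),
                         "offscreen": any(v >= OFFSCREEN_PX for v in coords.values())})
    return hits


def is_infected(html: str) -> bool:
    """True when any .eml pop-up is pushed off-screen (the worm's footer)."""
    return any(h["offscreen"] for h in find_eml_popups(html))


def scan_tree(root: str) -> Dict[str, List[dict]]:
    """Walk a web root for *.htm/*.html and report pages carrying the footer."""
    findings = {}
    for pattern in ("*.htm", "*.html"):
        for path in Path(root).rglob(pattern):
            text = path.read_text(errors="replace")
            if is_infected(text):
                findings[str(path)] = find_eml_popups(text)
    return findings


# Constructed samples: a page with the injected footer appended after the
# original document, and a clean page whose pop-up is positioned on screen.
INFECTED_PAGE = """<html><body><h1>Products</h1></body></html>
<html><script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script></html>"""
CLEAN_PAGE = """<html><body><script>window.open("help.html", "help",
"width=400,height=300,top=100,left=100")</script></body></html>"""
```

Point `scan_tree()` at a web root to list every page carrying the footer; cleanup is then a matter of stripping the appended `<html><script>...</script></html>` from each hit and removing the referenced .eml files.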