Note: To protect the privacy of our members, e-mail addresses have been removed from the archived messages. As a result, some links may be broken.

New virus alert

---------

From: Maggie White (mwhiteaz_at_TeacherArtExchange)
Date: Tue Sep 18 2001 - 17:27:25 PDT


Hi, all,

The following came via a reputable online newsletter I subscribe to. As
usual, don't open attachments from anyone, but beware of the warning
about possible infected Web sites.

Maggie
=================================================================

This is a free service of http://www.ComputerProblems.com - We share
your PAIN!

If you find this information helpful, pass it on to others...

If you would like to be added or removed from this list, go to:
http://www.computerproblems.com/quikreg.cfm

VIRUS ALERT!!!
W32.Nimda.A@mm
Discovered on: September 18, 2001

According to SARC, the W32.Nimda.A@mm is a new mass-mailing worm that utilizes multiple methods to spread itself. The worm sends itself out by email, searches for open network shares, and attempts to copy itself to un-patched Microsoft IIS web servers. The worm does this using the Unicode Web Traversal exploit. A patch and information regarding this exploit can be found at:
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.
Microsoft has also released a tool to assist in patching systems at:
http://www.microsoft.com/technet/itsolutions/security/tools/hfnetchk.asp

Users visiting compromised Web servers will be prompted to download a "readme.exe" file, which contains the worm as an attachment. (See Below)

If sent via e-mail, the attachment name varies and may use the icon for an Internet Explorer HTML document. The email messages created by the worm specify a content-type of audio/x-wav with an executable attachment type. Thus when a message is accessed, the attachment can be executed without the user's knowledge.

The worm will also create an open network share on the infected computer, allowing access to the system via the Internet, which can thoroughly compromise corporate networks.

Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, this can cause a network traffic jam.

It copies itself to the WINDOWS SYSTEM directory as LOAD.EXE and creates a SYSTEM.INI entry to load itself at startup:

    Shell=explorer.exe load.exe -dontrunold

McAfee Anti-virus has posted the following removal instructions for their customers. THIS WILL ONLY WORK IF YOU ARE RUNNING A CURRENT VERSION OF THE MCAFEE ANTI-VIRUS PROGRAM!

Removal Instructions:

Detection and removal is in the 4159 DAT files posted today. This includes detection and removal for infected .ASP, .DLL, .EML, .EXE, .HTM, .HTML, and .NWS files (with ALL files being scanned).

Note that when repairing infected .ASP, .HTM, and .HTML files, they are properly truncated to remove the infectious javascript call. The dropped copies of the worm are deleted.

Additionally, customers may use this provided Extra Dats for detection and removal.
Extra.Dat (Ver 2)
Nimda2.Exe (Ver 2)

---
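
A defender-side check for the two indicators the alert describes, added here as an example and not part of the original message or the newsletter: a mail part declared as audio/x-wav that is really an executable, and a SYSTEM.INI Shell= line that launches more than explorer.exe. The function names, the extension list and both sample inputs are constructed for illustration.

```python
from email import message_from_string

EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat")  # assumed list of executable extensions

# Constructed sample: a part declared as audio whose name and bytes say "executable".
SAMPLE_EML = """\
From: sender@example.com
Subject: sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: audio/x-wav; name="sample.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sample.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample of the startup entry quoted in the alert.
SAMPLE_INI = "[boot]\nShell=explorer.exe load.exe -dontrunold\n"

def mismatched_parts(raw):
    """Return (content_type, filename) for each part declared audio/* whose
    filename or leading bytes ('MZ') indicate a Windows executable."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if ctype.startswith("audio/") and (name.endswith(EXEC_EXT) or data[:2] == b"MZ"):
            hits.append((ctype, name))
    return hits

def shell_line_altered(ini_text):
    """True if the first Shell= line launches anything besides plain explorer.exe."""
    for line in ini_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "shell":
            return value.strip().lower() != "explorer.exe"
    return False
```
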