Tuesday, September 18, 2001

New Worm Spreading -- 11:31 am CST, Update by A.T. Hun

Slashdot is alerting people about a new worm spreading around. It appears to be a variant/mutation/update of CodeRed. Among other things, it attaches a file called "readme.eml" to every page the infected web server serves. Thanks to some problem with Internet Explorer, the readme.eml file is automatically executed on clients. This is going to be a mess.

UPDATE! I just talked with Crawl at EZ-Net and he confirmed that their servers have been attacked by this worm but not compromised. He reported around 500 attempts since around 9:00 A.M. That's the other sickening thing about this worm: it appears that it may have been set to "go off" at 8:42 this morning, exactly a week after the first attack on the World Trade Center.

UPDATE #2! This worm has a name: Nimda. Check out TruSecure for more information. According to them, it is NOT a Code Red variant, although the means of attack it uses are similar. It only affects IIS servers. It tries several different exploits, but you should be OK if your box is patched up-to-date.

This worm can also spread by opening an email attachment called readme.exe which is sent with a WAV file mime type. DO NOT RUN IT! If you receive email with that attachment delete it immediately.

News for 09/18/2001

The Haus is powered by:

All original information on this website is copyright © TheHaus.Net, 1999-2005. The use of original images, text, and/or code from this website without expressed written consent is prohibited. The authors of this site cannot be held responsible for any damage, real or imagined, which comes from the use of information presented on this site. All trademarks used are the properties of their respective owners. This site is not to be used as a floatation device (but if you try, I want a video tape of it).