CUPERTINO, Calif. - Sept. 19, 2001 - Symantec Corp. (Nasdaq: SYMC), a world leader in Internet security, today announced that new analysis of W32.Nimda.A@mm reveals that the worm contains an additional destructive payload that will not only require detection, but removal. The new analysis indicates that the worm is a file infector, infects .exe files resides in memory.
W32.Nimda.A@mm is a mass-mailing worm that utilizes multiple methods to spread itself. The worm sends itself out by e-mail, infects machines over the network, and infects unpatched or already vulnerable Microsoft IIS Web servers. The worm also has various side effects, such as increasing network traffic while searching for machines to infect, which may cause network bandwidth problems. W32.Nimda.A@mm will also attempt to create security holes by creating a guest account with administrator privileges and create open shares on the infected system.
Symantec currently provides an integrated detection and repair solution against W32.Nimda.A@mm. In one step, users can download a solution that will simultaneously detect the worm and repair damaged files. The new definitions are available through Symantec's LiveUpdate feature or from the Symantec Web site securityresponse.symantec.com/avcenter/download.html. Symantec is developing a separate removal tool to eradicate the worm from the PC memory.
"Using blended Internet security threats the combination of viruses, exploits, or vulnerabilities to attack businesses and destroy assets, continue to rise," said Vincent Weafer, senior director of Symantec Security Response. "To combat such a fast spreading threat, Symantec integrated its solution for W32.Nimda.A@mm to detect and repair, allowing for quick clean up with little downtime."
Symantec Security Response recommends that IT administrators implement the following to stop the propagation of W32.Nimda.A@mm:
- Block e-mails containing a "readme.exe" attachment.
- Update virus definitions and ensure that firewalls are correctly configured.
- Download the latest security updates for Enterprise Security Manager and NetRecon.
- Install the IIS Unicode Transversal security patch.
- Install the malformed MIME header execution security patch.
- Close network share drives.
Additionally, consumers can immediately protect themselves against the new worm by implementing the following:
- Use Symantec's LiveUpdate feature to obtain the latest virus definitions.
- Use the Windows Update feature located on the "Start" menu on Window 95 and higher systems to download new security patches.
- Disable the "File Download" feature in Internet Explorer to prevent compromise.
Both consumers and enterprises can be infected through a variety of methods.
- E-mail One of the methods the worm uses to infect PCs though is e-mail. The e-mail arrives with an attachment readme.exe that is not always visible and contains a randomly generated subject line and no body message. The worm uses its own SMTP engine to e-mail itself out to all the addresses it collects by searching the user's incoming and outgoing e-mail boxes. Internet Explorer users v5.01 or v5.5 - (IE 5 with the Service Pak 2 or later installed or IE 6 are not affected) will receive a blank e-mail no subject line, no body and a hidden attachment. Just opening the e-mail can infect users' PCs. For the latest Microsoft security patch, visit http://www.microsoft.com/windows/ie/download/critical/q290108/default.asp.
- Shared Drives PC users with shared drives enabled are also at risk. The worm searches for open network shares and will attempt to copy itself to these systems and then execute. IT administrators should close all network shared drives.
- Web sites When users visit a compromised Web site, the server will run a script attempting to download an Outlook file, which contains the W32.Nimda.A@mm worm. The worm will create an open network share on the infected machine allowing access to the system. W32.Nimda.A@mm specifically targets versions of IIS servers, taking advantage of the known Universal Web Traversal exploit (MS Security Bulletin MS00-078), which is similar to the exploit used in the Code Red attack. Compromised servers will display a Web page and attempt to download an Outlook file that contains the worm as an attachment. IT Administrators should download the Microsoft security patch for IIS 4.0 at http://www.microsoft.com/downloads/Release.asp?ReleaseID=32061 and for IIS v5.0 at http://www.microsoft.com/downloads/Release.asp?ReleaseID=32011.
Symantec provides additional protection against W32.Nimda.A@mm through the following solutions:
- Enterprise Security Manager ‹Symantec's policy compliance and vulnerability management system, helps manage security patch update functions. New patch templates are available that detect the underlying vulnerability on Windows NT 4.0 and Windows 2000 servers.
- NetProwler Symantec's network-based intrusion detection tool, with Security Update 8 installed, is capable of detecting attempts to attack IIS 4.0 and 5.0 servers through this vulnerability.
- NetRecon Symantec's network vulnerability assessment tool will be updated to detect if this vulnerability exists on a system and if so will provide recommendations on how to fix it.
- Symantec Enterprise Firewall (Raptor Firewall) Symantec's application inspection firewall, by default, blocks suspect outbound data traffic from web servers, like IIS, when operating on the firewall's service network, thereby stopping the propagation of this, as well as other types of attacks.
- Symantec Security Check This service, www.symantec.com/securitycheck, has been updated to scan if a system is vulnerable to this exploit.
- Norton Internet Security Symantec's integrated security and privacy suite for consumers can be updated to ensure only trusted programs access the Internet.
For detailed information about this threat, visit Symantec's Web site at www.symantec.com
Symantec Security Response
Symantec Security Response provides thorough analysis of each component of the Internet security threat and how the threats work together, while at the same time providing recommendations on how to best protect against them.
Symantec Security Response: Research Centers
Through a global network of researchers and technicians working around the clock, Symantec Security Response acts immediately, alerting customers, creating and distributing fixes to the latest security threats and vulnerabilities and providing global technical and emergency support on site or on the phone.
Symantec, a world leader in Internet security technology, provides a broad range of content and network security solutions to individuals and enterprises. The company is a leading provider of virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and e-mail filtering, remote management technologies and security services to enterprises around the world. Symantec's Norton brand of consumer security products leads the market in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 37 countries. For more information, please visit www.symantec.com.
NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Center at http://www.symantec.com/PressCenter/ on Symantec's Web site. All prices noted are in US dollars and are valid only in the United States.
Symantec, the Symantec logo, AXENT, AXENT Technologies, and the AXENT logo are trademarks or registered trademarks, in the United States and certain other countries, of Symantec Corporation or its subsidiaries. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.