posted on September 19, 2001 05:16:32 AM
I believe that is what this means. I just spent the morning updating our virus DAT files and running the current service pack for Internet Explorer.
My husband's workplace has stopped ALL web browsing for employees right now. I've been reading the notices etc. but find them somewhat vague. I am thinking about creating a rule for Outlook Express that will block all attachments from being delivered into our Inbox.
Until I have time to read about this new threat, that's what I'm going to do.
"Most home users, including those running Windows 95, 98 or ME, can also be infected via an infected e-mail or through a company network" "In addition to direct Internet attacks, the worm can also travel via e-mail. The e-mail message is typically blank, and contains an attachment called "README.EXE." Antivirus experts warn that users shouldn't open unexpected attachments."
If you are running virus software, make sure your DAT files are current. If you're not using virus protection, you should be.
From McAfee's site:
It attempts to create a share C:, and checks for the presence of the Trojan dropped by the W32/CodeRed.c worm. It will attempt to spread itself as follows:
The email messages created by the worm specify a content-type of audio/x-wav with an executable attachment type. Thus when a message is accessed, the attachment can be executed even if the user does not open it and without the user's knowledge.
It adds JavaScript code to HTML documents, which opens a new browser window containing the infectious email message itself (taken from the dropped file README.EML). When this infected window is accessed (locally or remotely), the machine viewing the page is then infected.
Once infected, your system is used to seek out others to infect over the web. As this creates a lot of port scanning, this can cause a network traffic jam.
It creates a SYSTEM.INI entry to load the worm at startup:
Shell=explorer.exe load.exe -dontrunold
A MIME encoded version of the worm is created in each folder on the drive (often as README.EML, can also be .NWS files).
Certain executable files are selected by the worm and altered.
The virus contains the string: Concept Virus (CV) V.5, Copyright (C) 2001 R.P.China
[ edited by Meya on Sep 19, 2001 05:17 AM ]
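The host-side traces listed in the McAfee description above (the SYSTEM.INI Shell= line and the README.EML / .NWS copies dropped into folders) can be checked for with a short triage script. This is an added example, not code from the poster or from McAfee; the function names, the `[boot]` sample text and the directory tree are constructed for illustration.

```python
import os
import tempfile

# Marker strings copied from the SYSTEM.INI line in the McAfee description.
SHELL_MARKERS = ("load.exe", "-dontrunold")

def suspicious_shell_lines(system_ini_text):
    """Return Shell= lines whose value carries both loader markers."""
    hits = []
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith(";") or "=" not in line:
            continue  # skip comments, section headers and blank lines
        key, value = line.split("=", 1)
        if key.strip().lower() == "shell" and all(
            marker in value.lower() for marker in SHELL_MARKERS
        ):
            hits.append(line)
    return hits

def dropped_mail_files(root):
    """Return sorted relative paths named README.EML or ending in .NWS."""
    found = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == "readme.eml" or lower.endswith(".nws"):
                found.append(os.path.relpath(os.path.join(folder, name), root))
    return sorted(found)

def run_on_constructed_sample():
    """Build a constructed directory tree and SYSTEM.INI text, then triage them."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("docs/README.EML", "web/index.html", "web/img/a.NWS"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as handle:
                handle.write("constructed placeholder\n")
        ini = "[boot]\nShell=explorer.exe load.exe -dontrunold\n"
        clean = "[boot]\nshell=Explorer.exe\n"
        return (suspicious_shell_lines(ini), suspicious_shell_lines(clean),
                dropped_mail_files(root))

if __name__ == "__main__":
    print(run_on_constructed_sample())
```

A hit from either function is a reason to run a full scan with current DAT files, not a verdict on its own.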
posted on September 19, 2001 05:19:29 AM
One of the latest threats is from a virus you can pick up by visiting infected websites.
FYI, last week Norton's picked up 3 incoming messages with the W32.Magistr.39921@mm virus which is apparently spreading pretty fast.
Everyone should make sure their virus protection is up to date. At least THIS time I was ready! The barn door got shut BEFORE the horse got out this time.
Isn't this one particularly vile because the attached virus is in a hidden attachment which isn't always seen? Or am I reading the Norton's info on it incorrectly?
posted on September 19, 2001 05:29:33 AM
I must not be quite awake this morning, because I'm having trouble grasping what I'm reading. Here's more info from Symantec's site:
Symantec Security Response has received a number of submissions on W32.Nimda.A@mm and is rating it as a Category 4.
W32.Nimda.A@mm is a new mass-mailing worm that utilizes multiple methods to spread itself. The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers, and is a virus infecting both local files and files on remote network shares.
When the worm arrives by email, the worm uses a MIME exploit allowing the virus to be executed just by reading or previewing the file. Information and a patch for this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Users visiting compromised Web servers will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment. This .eml file also uses the aforementioned MIME exploit. Users can disable 'File Download' in their internet security zones to prevent compromise.
Also, the worm will create open network shares on the infected computer, allowing access to the system. During this process the worm creates the guest account with Administrator privileges.
Make sure you run the Patches from Microsoft. I have done that on our two desktop systems this morning and have to take care of my portable system when I get home from work.
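Both vendor descriptions quoted in this thread turn on an attachment that is declared as audio/x-wav but is really an executable. A mail-filter check for that mismatch is shown below as an added example, not code from any poster or vendor; the extension list, the function name and both sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_string

# Assumed list of Windows executable extensions; the thread names only README.EXE.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat"}
# Declared media types that should never carry a program.
MEDIA_MAINTYPES = {"audio", "video", "image", "text"}

def mismatched_parts(raw_message):
    """Return (content_type, filename) for parts declared as media
    whose attachment name has an executable extension."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        # get_filename() falls back to the Content-Type "name" parameter.
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in MEDIA_MAINTYPES:
            findings.append((part.get_content_type(), filename))
    return findings

# Constructed sample: harmless base64 text, labelled the way the thread describes.
SAMPLE_SUSPECT = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

constructed sample
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBhdHRhY2htZW50
--b1--
"""

# Constructed sample: a genuine-looking sound attachment that must not be flagged.
SAMPLE_BENIGN = """\
MIME-Version: 1.0
Content-Type: audio/x-wav; name="chime.wav"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBhdHRhY2htZW50
"""
```

The check reads only headers, so it can quarantine a message before any client previews it.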
posted on September 19, 2001 06:39:47 AM
Norton's, of course, is excellent virus protection if you keep it updated. I also like to use, as a backup virus check, housecall - http://housecall.antivirus.com/
They have a free virus check you can use and tons of useful info...
posted on September 19, 2001 06:59:59 AM
eventer, that's how I read it also. That although the email has an infected attachment, it doesn't show in your inbox as having an attachment at all.
posted on September 19, 2001 08:04:09 AM
The Microsoft web site has a patch for the virus and says it is for users of IE 5.01 and higher. I am using IE 5.0 so what do I do???
I have Norton and I just updated it so do I still have to worry about a patch?
posted on September 19, 2001 09:09:48 AM
My father-in-law works for the IRS and they just told them to shut all their computers because of the virus, but that's all I know.
It might have been the Nimda virus... Anyone know anything else about it?
posted on September 19, 2001 10:05:59 AM
One way to prevent this worm is to set your Outlook (or Outlook Express) and Internet Explorer to "High" Security. This will prevent your email client from sending out this worm, and your browser will not accidentally download the worm.
Below are instructions on how to configure your e-mail client and browser for "High" Security.
_____________________________________________________________
Outlook and Outlook Express Java Security in 2 simple steps:
Move e-mail client into Internet Explorer's Restricted Sites Zone.
1. In Outlook Express, select Options from the Tools menu and select the Security tab. Select the radio button labeled Restricted Sites zone, place a checkmark in your preferences, then click OK. If you're using Outlook, select Options from the Tools menu and select the Security tab. Select Restricted Sites in the pull-down box labeled Zone, then click OK.
2. CHANGE security settings in the IE "RESTRICTED SITES" Security Zone. Disable scripts, ActiveX®, Java and everything else.
posted on September 19, 2001 10:38:06 AM
You can usually set Outlook (and probably other email clients) to run with no preview to prevent such worms from running when they land.