Anyone who has Samba running in a mixed NT/Linux network would be advised to
close off any external access to the 'net - there's a particularly fun IIS
worm out there hammering links today.

Here's a summary of what it does:
----
From: Mo McKinlay
This seems to be the culprit:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
It is. It's also known as "w32.nimda.mm". From what I can tell, it's delivered by:

a) visiting an infected site while using a vulnerable browser+e-mail client
b) receiving e-mail from an infected host
c) IIS directory traversal exploit (a la codeblue, which I'm informed was never seen in the wild)
d) open SMB/CIFS shares

It then goes on to:

* perform *numerous* registry hacks - it seems to alter the nameserver setting of the TCP interface.
* append a small piece of malicious javascript to your default webpage so that attack vector (a) happens.
* alter the security on your default shares
* alter the performance logging configuration
* attempt to propagate itself to addresses in your /24, then /16.
* attempt to propagate itself via e-mail
* attempt to propagate itself to open SMB/CIFS shares
* I've had reports that it uses tftp to grab something.. can't ascertain what/from where, though. This could be confusion.
* it references winzip32.exe for some purpose (could support the previous report)
* alters your startup parameters to ensure it's re-run at boot time.

That's what I can gather from the various reports, and from scanning the readme.exe.
----
As such, it's an NT-hitter, but it still emits lots of Code-Red style port 80 attacks, and could propagate through open SMB shares.

I think /. has just run a story on it; I think it's on NT Bugtraq, but can't remember where.

See also http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

cheers,
Gideon.
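Added example, not part of the original post and not code from either author: a small Python scanner for Apache-style access logs on the Linux side of such a network. It flags the port-80 directory-traversal probes described above by percent-decoding request paths repeatedly (so double-encoded `%255c` is caught) and folding the overlong two-byte UTF-8 forms that a lax decoder treats as `/` and `\`. The log lines are constructed for the example, and the exact probe paths and encodings are my assumptions about what such traffic looks like, not taken from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-log lines (not from the original post).
# The request paths are modeled on IIS directory-traversal / cmd.exe probes;
# the source addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:14:02:11 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [18/Sep/2001:14:02:12 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [18/Sep/2001:14:02:12 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
198.51.100.7 - - [18/Sep/2001:14:03:40 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Sep/2001:14:03:41 +0100] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.5 - - [18/Sep/2001:14:05:02 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
"""

# Apache combined log: ip ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# ".." as a complete path component, after normalisation.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Filenames a traversal probe is typically trying to reach (assumed markers).
PAYLOAD_MARKERS = ("cmd.exe", "root.exe")


def normalize_path(raw: str) -> str:
    """Percent-decode repeatedly (bounded, so %255c -> %5c -> '\\' is caught),
    then collapse overlong two-byte sequences led by 0xC0/0xC1, which a sloppy
    UTF-8 decoder maps to the ASCII byte hidden in the low bits
    (%c0%af -> '/', %c1%1c -> '\\').  Backslashes are folded to '/' and the
    result is lower-cased so later matching is case-insensitive."""
    s = raw
    for _ in range(3):  # at most three layers of encoding
        decoded = unquote(s, encoding="latin-1", errors="replace")
        if decoded == s:
            break
        s = decoded
    b = s.encode("latin-1", errors="replace")
    out = bytearray()
    i = 0
    while i < len(b):
        c = b[i]
        if c in (0xC0, 0xC1) and i + 1 < len(b):
            # lenient decoder: 5 low bits of the lead byte, 6 of the trailer
            out.append(((c & 0x1F) << 6) | (b[i + 1] & 0x3F))
            i += 2
        else:
            out.append(c)
            i += 1
    return out.decode("latin-1").replace("\\", "/").lower()


def classify_request(path: str):
    """Return a short reason if the request looks like a traversal or
    command-execution probe, otherwise None."""
    p = normalize_path(path)
    traversal = bool(TRAVERSAL.search(p))
    marker = next((m for m in PAYLOAD_MARKERS if m in p), None)
    if marker and traversal:
        return f"traversal to {marker}"
    if marker:
        return f"direct request for {marker}"
    return None


def scan_log(text: str) -> dict:
    """Map each source IP to the list of (method, raw_path, reason) it sent
    that classify_request flagged."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        ip, _ts, method, raw_path, _status = m.groups()
        reason = classify_request(raw_path)
        if reason:
            hits.setdefault(ip, []).append((method, raw_path, reason))
    return hits


if __name__ == "__main__":
    for ip, reqs in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} suspicious request(s)")
        for method, raw_path, reason in reqs:
            print(f"  {method} {raw_path}  [{reason}]")
```

Run it against a real `access_log` by reading the file in place of `SAMPLE_LOG`; a host that appears with several such hits in a short window is a candidate for a firewall block at the border, which is the practical response on the Linux side, since the probes themselves are only dangerous to unpatched IIS.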