New Worm (was Re: [thelist] another worm?)

Craig Saila crsaila at
Tue Sep 18 12:08:40 CDT 2001

aardvark wrote:

> ok, a few of our clients were hit this morning by something that 
> tries to get your browser (on windows) to download a .eml file 
> which it would then launch via an .exe...
> i can't get to any virus sites, since all web traffic coming and going 
> is pretty hosed right now...

At McAfee, the most recent virus update is from the 11th. Strikes me 
they haven't updated the page since, as it seems a new virus was posted 
every day previous to then.

Symantec, however, lists a new worm called W32.Nimda.A@mm that matches 
the profile. Details:
"This is the preliminary information known at this time.

Symantec has received a number of submissions and has assessed this as a 
level 4 threat rating.

There is a new mass-mailing worm that utilizes email to propagate 
itself. The threat arrives as readme.exe in an email.

In addition, the worm sends out probes to IIS servers attempting to 
spread by using the Unicode Web Traversal exploit similar to 
W32.BlueCode.Worm. Compromised servers may display a webpage prompting a 
visitor to download an Outlook file which contains the worm as an 

Also, the worm will create an open network share allowing access to the 
system. The worm will also attempt to spread via open network shares."

Craig Saila
craig at  :
