  1. #1 New Lounger (joined Mar 2003)

    IE 6 and NIMDA.A (IE 6)

    In today's newsletter (which is great, BTW) there's this: "If you have IE 6, you're probably running Windows XP, and you can whistle a merry tune. You're protected." Well, I have IE6, but I've installed it on my Win2000 machine. What, if anything, do I need to do? TIA for your help!

  2. #2 Silver Lounger (Northern, California, USA; joined Jan 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    You should be set. Just make sure that your versions of Outlook and Outlook Express are current. This virus doesn't have much to do with Internet Explorer itself, however, as Internet Explorer upgrades these software packages, it's safe to assume that you'd be alright if you've installed IE6.

    Double check your Outlook versions, but I think you should be fine. The best protection is a virus protection suite, "religiously used" as the digest put it...

  3. #3 3 Star Lounger (joined Apr 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    Didn't get a copy of the newsletter - can you point me in the right direction for a link, or email me a copy (jrobinso@conterra.com). Thank you.

  4. #4 New Lounger (Marietta GA; joined Sep 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    IE6 does not protect you. At least not by itself. I have 2 machines with Win2K (not XP) and IE 6 and both are compromised. The Microsoft site is no help, because machines with IE 6 already installed will not take the patch.

  5. #5 Silver Lounger (Long Beach, California, USA; joined Jan 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    That is very strange. Microsoft claims IE6 immune to this attack. In the recent newsletter, Woody erroneously states that if you have IE6, you must have XP. This is absolutely WRONG! Most people with IE6 do NOT have XP.

    Microsoft also claims IE5.5sp2 is immune, yet Woody claims in the recent newsletter that IE5.5 is NOT immune. Who is right?? Woody's newsletter seems to be in direct contradistinction to what Microsoft says here:
    http://www.microsoft.com/technet/treeview/...opics/Nimda.asp

    Of note, MS states that IE5.01sp2, IE5.5sp2, and IE6 are ALL immune to this attack. Is this true?

    One thing that seems to be true is that as a private user, you can prevent this attack by making SURE your Outlook or Outlook Express opens into the Restricted sites Zone -- plus make sure your Restricted sites is FULLY Disabled INCLUDING File Downloads. This alone should protect most users.

  6. #6 jscher2000, Super Moderator (Silicon Valley, USA; joined Feb 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    IE5.5 was on SP1 at the time the "malformed headers" vulnerability was discovered in March 2001. IE5.5 SP2, which issued in August, should include the patch. IE5.01 was on SP2 at the time the patch issued, and for some reason, the vulnerability had already been removed. Does that clarify the 5.x situation?

    As far as I know, we did not roll out SP2 to everyone (in fact, until I got this new computer on Monday, I was very happy with IE5.01 SP2). However, we did download the original patch and put it on our "to do" list. Even better, our AV software was updated within hours of the discovery of the worm/virus, and earlier this year we put OL in the Restricted Zone. So, belt, suspenders, and duct tape... hopefully every user has at least one layer of protection against this one.

    (My earlier comments on OL security are here: http://www.wopr.com/cgi-bin/w3t/showthreaded.pl?Cat=&Board=out&Number=65453.)

  7. #7 Silver Lounger (Long Beach, California, USA; joined Jan 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    It is certainly clarified for me. I only regret that Woody was unable to clarify that in his newsletter before sending it out! I also regret that Woody did not highlight one of the simplest ways to prevent this type of worm:

    If everyone had Outlook and OE opening in their Restricted sites -- and had their Restricted sites completely "Disabled", this worm and many others would be stopped dead.

    (At least in terms of HOME users; I agree this would not prevent the problem with web servers).

    This single sentence should have been placed at the beginning of Woody's newsletter -- as this very simple action is one of the most important ways to prevent the spread of many viruses and worms. Not the only way, but it is SO simple and easy that it should be broadcasted everywhere. It only takes a few seconds...

  8. #8 jscher2000, Super Moderator (Silicon Valley, USA; joined Feb 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    I think mail is the primary vector, but the browser update remains worthwhile because web sites could host nasty .eml files, or so MS says, and those would download if Internet security is defaulted to Medium. I've always been wary of the Windows Update and Office Update sites, but used them last night and found it hugely convenient not to have to download 10 individual patches and restart 10 times. Still had to insert both Office CDs, though, so it's not really transparent yet.

  9. #9 5 Star Lounger (Youngstown, Ohio, USA; joined Feb 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    I have to warn that IE6 is NOT immune to Nimda. Our IT went around and upgraded the office PCs yesterday (mine from 5.5SP2) to IE6 in order to insulate us from this worm. Thankfully my antivirus (Inoculate It) was also updated.

    One of the sites I browsed my way to yesterday (after the upgrade) had apparently been compromised by Nimda, and IE6 did nothing to prevent infection.

    I had customized my Internet security zone to be more protective than the default level. Privacy had been set to block all cookies except for session cookies and those from sites specifically authorized (like Woody's).

    Today I've gone the extra step and in IE's Advanced | Multimedia settings I have disabled web pages from playing sounds (to counter Nimda's .WAV as .EXE problem).

    Thankfully, a meltdown was prevented, but not in any way due to upgrading to IE 6.0.

  10. #10 5 Star Lounger (Youngstown, Ohio, USA; joined Feb 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    I went through my Internet security zone and set everything to at least "Prompt". It may make browsing a bit more annoying (or a lot, depending on the site), but it looks like this might be a reasonable balance between vulnerability and still being able to access full web features.

    The site I went to yesterday (Digicerf) did try to run a .EML file -- virtually instantly. Before any part of the web site had begun to display, Inoculate was reporting the Nimda.A attacks (real-time protection log file attached).

    The other piece of advice... until this virus runs its course, I'll be curtailing my browsing, even to trusted sites.

  11. #11 Silver Lounger (Long Beach, California, USA; joined Jan 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    David, you bring up a very good point. There are MULTIPLE ways that Nimda is spread. ONE of these is due to it arriving in your Outlook Inbox as an Email Attachment named "readme.exe". The worm can also arrive if you simply visit a Web site -- presumably as a downloaded file which is reportedly an .eml file.

    The specific technique (vector?) that seems to be the focus of the Microsoft Security Bulletins (listed below) is the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" issue. All of the patches and fixes referenced seem to relate only to the Email Attachment issue. They do not seem to address the problem that may occur if you simply visit a web page.

    I suspect the changes that need to be made to Secure your system will extend beyond blocking cookies and sounds. I suspect the Internet Zone will require blocking of File Downloads -- at the least -- and likely ActiveX and Scripting. Until I can find out more, this action should at least protect you from getting infected by visiting Web pages.

    Microsoft References:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
    http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

    Perhaps I have my answer here: http://support.microsoft.com/support/kb/articles/q290/1/08.ASP

    "The malicious user could host an affected HTML e-mail message on a Web site and try to persuade other users to visit the site, at which point *script* on a Web page could open the mail and run the attachment."

    OK, if I take that at face value, then I am led to believe that Active Scripting is responsible for this infection. So blocking Active Scripting should stop a Web page from giving you this worm.

    Now, WHY does this still work in IE6 -- wasn't this supposed to be fixed???

  12. #12 Silver Lounger (Northern, California, USA; joined Jan 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    InoculateIT has been axed, are there any other good free virus scanners?

    Thanks!

  13. #13 jscher2000, Super Moderator (Silicon Valley, USA; joined Feb 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    There are many with 30-day evaluation periods. Try them all! But seriously, we like Trend Micro products, and you could evaluate PC-Cillin: http://www.antivirus.com/pc-cillin/download/download.asp

  14. #14 Silver Lounger (Long Beach, California, USA; joined Jan 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    I use Norton, but other free ones that people like are these:

    AVG AntiVirus: http://www.grisoft.com/html/us_downl.cfm
    Kaspersky: http://www.kaspersky.com/products.asp?tgroup=2&pgroup=10

    I believe all the reports I have read consistently state that Web pages spread this virus via Javascript. So, if Active Scripting is disabled in your Internet Zone, you should not be infected in this manner.

  15. #15 Silver Lounger (Long Beach, California, USA; joined Jan 2001)

    Re: IE 6 and NIMDA.A (IE 6)

    As a follow up, Woody's newsletter said that Nimda was not masquerading as a wav file, yet the most recent reports from Bugtraq are:

    Infection vectors:
    -----------------
    a) Email as an attachment of MIME audio/x-wav type. (Ed: **note the x-wav type)
    b) By browsing an infected webserver with Javascript execution enabled and using a version of IE vulnerable to the exploits discussed in MS01-020.
    c) Machine to machine in the form of IIS attacks (primarily attempting to exploit vulnerabilities created by the effects of Code Red II, but also vulnerabilities previously patched by MS00-078)
    d) Highlighting either a .eml or .nws in Explorer with Active Desktop enabled (W2K/ME/W98 by default) then the THUMBVW.DLL will execute the file and attempt to download the README.EXE referenced in it (depending on your IE version and zone settings).
    e) Mapped drives. Any infected machine which has mapped network drives will likely infect all of the files on the mapped drive and its subdirectories.

    To prevent yourself from being infected:

    a) Ensure all IE versions have applied MS01-027 (or are IE 5.01SP2 or above)

    b) Disable Active Scripting in IE

    c) Ensure all IIS installations have applied MS01-044 (or at the very least MS01-033)

    d) Use the CACLS program to modify the permissions on TFTP.EXE to remove all use;

    CACLS %systemroot%\system32\tftp.exe /D Everyone
    CACLS %systemroot%\system32\tftp.exe /D System

    Do the same for CMD.EXE
    (note, this could be tried with THUMBVW.DLL as well, haven't tried this myself yet)

    e) Ensure that TFTP is not permitted out through your network gateway (note that newly infected machines may try and TFTP *internally* from some other infected machine you have on your network)

    f) Modify or remove:

    HKEY_CLASSES_ROOT\.eml
    HKEY_CLASSES_ROOT\.nws
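The thread's two mail-side observations (post #11's "Incorrect MIME Header" issue and vector (a) above, an attachment declared as audio/x-wav that is really readme.exe, plus vector (d)'s .eml/.nws files) can be checked at a mail gateway before a client like Outlook Express ever renders the message. The following Python script is an added example written for this page; it is not code from the thread, from Microsoft or from the Bugtraq post. The three sample messages are constructed for the demonstration, not captured from a real infection, and the extension lists are assumptions drawn only from what the posts name.

```python
"""Added example (not from this thread or the MS/Bugtraq sources it cites):
flag MIME parts whose declared Content-Type disagrees with an executable
attachment name (the MS01-020 pattern, e.g. audio/x-wav carrying readme.exe),
and .eml/.nws attachments that vector (d) relies on. All samples below are
constructed for the demo."""
import email
import os
from email import policy

# Extension the thread names as executed when mislabelled (vector a); assumption.
EXECUTABLE_EXTS = {".exe"}
# Mail-container files that Explorer/THUMBVW.DLL would render (vector d).
CONTAINER_EXTS = {".eml", ".nws"}
# Declared top-level media types under which an executable should never travel.
BENIGN_MAIN_TYPES = {"audio", "image", "text", "video"}


def classify_part(part):
    """Return a list of finding strings for one MIME part; [] if nothing seen."""
    findings = []
    ctype = part.get_content_type()          # e.g. "audio/x-wav"
    maintype = ctype.split("/", 1)[0]
    # get_filename() reads Content-Disposition filename= first and then the
    # Content-Type name= parameter, so either placement is caught.
    filename = (part.get_filename() or "").lower()
    ext = os.path.splitext(filename)[1]
    if ext in EXECUTABLE_EXTS and maintype in BENIGN_MAIN_TYPES:
        findings.append(f"executable {filename!r} declared as {ctype}")
    if ext in CONTAINER_EXTS:
        findings.append(f"mail container {filename!r} attached as {ctype}")
    return findings


def scan_message(raw):
    """Parse one RFC 822 message and return all findings across its parts."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():   # visits the top level and every nested part
        findings.extend(classify_part(part))
    return findings


# Constructed sample: a WAV-labelled attachment that is really readme.exe.
SAMPLE_MISLABELLED = """\
From: someone@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body>hello</body></html>
--BOUND
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

QUJD
--BOUND--
"""

# Constructed sample: a forwarded .eml file, the kind vector (d) abuses.
SAMPLE_CONTAINER = SAMPLE_MISLABELLED.replace(
    'audio/x-wav; name="readme.exe"', 'application/octet-stream; name="news.eml"'
).replace('filename="readme.exe"', 'filename="news.eml"')

# Constructed sample: an honestly labelled WAV file, which should pass.
SAMPLE_CLEAN = SAMPLE_MISLABELLED.replace("readme.exe", "greeting.wav")

if __name__ == "__main__":
    for label, raw in [("mislabelled", SAMPLE_MISLABELLED),
                       ("container", SAMPLE_CONTAINER),
                       ("clean", SAMPLE_CLEAN)]:
        print(label, scan_message(raw) or "no findings")
```

The check deliberately keys on the mismatch between the declared media type and the attachment's name rather than on a particular filename, since the posts make clear the problem is the client trusting the MIME header; an honestly labelled WAV passes, and an executable that is at least declared as application/* is left to the virus scanner the thread recommends.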
