W32.Nimda.A@mm virus/worm.

Tue Sep 18 15:55:17 PDT 2001 — W32.Nimda.A@mm virus/worm. We’re currently seeing no impact from this virus/worm that end users will notice, but it is busy attempting to spread itself on the Internet. Currently, almost 70% of the hits on our web server are by infected hosts attempting to spread the infection. Our load-balanced array of web servers is holding up well.

We recommend firewall software for all Internet-connected systems. We recommend the award-winning “Zone Alarm” software firewall product. To purchase, visit the following URL:


This new worm/virus is unique because it uses many methods to attempt to spread itself. Like “Code Red”, it spreads to unpatched Microsoft IIS servers. Sonic.net does not use Microsoft operating systems, and is currently working to notify our customers if they become infected. Note that the vulnerability in IIS which the new “Nimda” worm uses was patched in October of 2000, almost a year ago, so any customers hosting IIS machines which are up to date have not been infected.

Nimda also uses email to spread, taking the form of a “readme.exe” or “readme.eml” file. Sonic.net is filtering for emails containing these viruses, so they should never end up in your mailbox. If you do receive a suspicious attachment, please do NOT open it; instead, forward it to support@sonic.net. It’s possible for viruses to change over time, and we may need to update our filters.
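A name-based check for the two attachment filenames mentioned above, as an added Python example (not Sonic.net's filter). The function names and the example.com addresses are assumptions made for illustration, and the sample messages are constructed with a harmless payload.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names given in the notice; this check matches by name only.
BLOCKED_NAMES = {"readme.exe", "readme.eml"}


def normalize_name(filename):
    """Reduce an attachment filename to the form Windows would open."""
    # Drop any directory component a sender may have prepended.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces; names are case-insensitive.
    return base.strip().rstrip(". ").lower()


def suspicious_attachments(raw_message):
    """Return filenames of blocked attachments anywhere in the MIME tree."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # walk() also descends into forwarded message/rfc822 parts.
    for part in msg.walk():
        name = part.get_filename()
        if name and normalize_name(name) in BLOCKED_NAMES:
            hits.append(name)
    return hits


def build_sample(filename, forwarded=False):
    """Constructed test message with a harmless payload named `filename`."""
    inner = EmailMessage()
    inner["From"] = "sender@example.com"
    inner["To"] = "user@example.com"
    inner.set_content("body text")
    inner.add_attachment(b"not a real executable", maintype="application",
                         subtype="octet-stream", filename=filename)
    if not forwarded:
        return inner.as_bytes()
    outer = EmailMessage()
    outer["From"] = "relay@example.com"
    outer["To"] = "user@example.com"
    outer.set_content("see attached message")
    outer.add_attachment(inner)  # attached as message/rfc822
    return outer.as_bytes()


if __name__ == "__main__":
    for name, fwd in (("README.EXE", False), ("readme.eml", True), ("notes.txt", False)):
        print(name, fwd, suspicious_attachments(build_sample(name, fwd)))
```

Matching on the filename alone misses a renamed attachment, which is why the notice says the filters may need updating as the virus changes.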

The virus also uses shared Windows filesystems to spread itself – you should not share your filesystems with any systems you do not trust and which you do not know are secure.

Please post to news:sonic.net if you have any questions or comments about this new virus/worm.

-Dane, Kelsey, Eli, Russ, Scott, Steve, Chris and Matt
