Virus, Nimda question

Nimda question

Author	Message
Marc Hoffma #1 / 8	Nimda question Hi All... Recently, one of the local ISP's web server got hit with Nimda; the virus would try to infect anyone and everyone even visiting the site. The ISP was running IIS 4.0 on Windows NT 4. I asked them why they could get infected, since a patch that would have prevented this problem has been available form Microsoft for a year now. They told me that they had all the security patches in place. The only reason that their web server got infected is that one of their clients uploaded the virus along with his webpage. Could this really cause their web server to start spreading the virus, even though all patches were in place? Thanks in advance....
Tue, 16 Mar 2004 05:22:09 GMT

Kevin Kingsto #2 / 8	Nimda question As far as I'm aware this virus affects webservers, the places where web pages are stored, not individual webpages. When a webserver gets infected with this virus, it then tries to contact other vulnerable webservers. If a webserver hasn't been patched, it is then vulnerable, if it has been pathced it will not be vulnerable and ignore requests from infected webserver. Obviously this ISP you were talking to hadn't pathced their machine, and are probably lying to you. Kev Quote: > Hi All... > Recently, one of the local ISP's web server got hit with Nimda; the virus > would try to infect anyone and everyone even visiting the site. The ISP was > running IIS 4.0 on Windows NT 4. I asked them why they could get infected, > since a patch that would have prevented this problem has been available form > Microsoft for a year now. They told me that they had all the security > patches in place. The only reason that their web server got infected is that > one of their clients uploaded the virus along with his webpage. Could this > really cause their web server to start spreading the virus, even though all > patches were in place? > Thanks in advance....
Tue, 16 Mar 2004 22:36:02 GMT

Robert Moi #3 / 8	Nimda question Quote: > Hi All... > Recently, one of the local ISP's web server got hit with Nimda; the virus > would try to infect anyone and everyone even visiting the site. The ISP was > running IIS 4.0 on Windows NT 4. I asked them why they could get infected, > since a patch that would have prevented this problem has been available form > Microsoft for a year now. They told me that they had all the security > patches in place. The only reason that their web server got infected is that > one of their clients uploaded the virus along with his webpage. Could this > really cause their web server to start spreading the virus, even though all > patches were in place? Nah they haven't given you the complete story. If you copy a file that contains a virus onto a server you have not infected that server. It's simply a passive carrier of the file containing the virus. Imagine I give you a flask containing a flu virus. Are you infected with the flu while you have that flask in your hands? Lets tip the solution it's in out of the flask into your cupped hands, are you infected yet? Nope! Same thing with servers that people copy files to and from. The machine only becomes "infected" and actively starts attempting to spread the virus and infect people when the virus program code is executed on the machine in question, via a security hole or someone sitting at the console and double-clicking an infected file, or whatever. -- -- Robert Moir, Microsoft MVP To search the MS Knowledge base use the link below: http://support.microsoft.com/support/search/c.asp?PSL=1 My Homepage - http://www.robertmoir.co.uk Emailed questions will not be answered
Wed, 17 Mar 2004 01:03:13 GMT

Daniel Wolf #4 / 8	Nimda question The NIMDA virus does affect individual web pages - it adds a small script section to the end of the web page which automatically downloads an infected executable as well Microsoft had the same problem (so they claimed) with http://www.microsoft.com/frontpage they claimed that some of the images on their pages were created by an outside agency and were then copied onto their servers - however apparently the readme.eml file that is downloaded was not included and hence nobody got infected Please see http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 for details Yours Daniel Wolff (NAI employee) Quote: > As far as I'm aware this virus affects webservers, the places where web > pages are stored, not individual webpages. When a webserver gets infected > with this virus, it then tries to contact other vulnerable webservers. If a > webserver hasn't been patched, it is then vulnerable, if it has been pathced > it will not be vulnerable and ignore requests from infected webserver. > Obviously this ISP you were talking to hadn't pathced their machine, and are > probably lying to you. > Kev > > Hi All... > > Recently, one of the local ISP's web server got hit with Nimda; the virus > > would try to infect anyone and everyone even visiting the site. The ISP > was > > running IIS 4.0 on Windows NT 4. I asked them why they could get infected, > > since a patch that would have prevented this problem has been available > form > > Microsoft for a year now. They told me that they had all the security > > patches in place. The only reason that their web server got infected is > that > > one of their clients uploaded the virus along with his webpage. Could this > > really cause their web server to start spreading the virus, even though > all > > patches were in place? > > Thanks in advance....
Sat, 20 Mar 2004 04:59:08 GMT

Emulato #5 / 8	Nimda question Hi Daniel... So this is possible. But...if the IIS server is patched with all the necessary fixes, can one still infect it by uploading an infected web document? What I'm trying to figure out is if this ISP was telling me the truth... Thanks... Quote: > Organization: Posted via Supernews, http://www.supernews.com > Newsgroups: microsoft.public.scripting.virus.discussion > Date: Mon, 1 Oct 2001 21:59:08 +0100 > Subject: Re: Nimda question > The NIMDA virus does affect individual web pages - it adds a small script > section > to the end of the web page which automatically downloads an infected > executable as > well > Microsoft had the same problem (so they claimed) with > http://www.microsoft.com/frontpage > they claimed that some of the images on their pages were created by an > outside agency > and were then copied onto their servers - however apparently the readme.eml > file that is > downloaded was not included and hence nobody got infected > Please see http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 for details > Yours > Daniel Wolff > (NAI employee) >> As far as I'm aware this virus affects webservers, the places where web >> pages are stored, not individual webpages. When a webserver gets infected >> with this virus, it then tries to contact other vulnerable webservers. If > a >> webserver hasn't been patched, it is then vulnerable, if it has been > pathced >> it will not be vulnerable and ignore requests from infected webserver. >> Obviously this ISP you were talking to hadn't pathced their machine, and > are >> probably lying to you. >> Kev >>> Hi All... >>> Recently, one of the local ISP's web server got hit with Nimda; the > virus >>> would try to infect anyone and everyone even visiting the site. The ISP >> was >>> running IIS 4.0 on Windows NT 4. I asked them why they could get > infected, >>> since a patch that would have prevented this problem has been available >> form >>> Microsoft for a year now. They told me that they had all the security >>> patches in place. The only reason that their web server got infected is >> that >>> one of their clients uploaded the virus along with his webpage. Could > this >>> really cause their web server to start spreading the virus, even though >> all >>> patches were in place? >>> Thanks in advance....
Sun, 21 Mar 2004 04:52:53 GMT

Robert Moi #6 / 8	Nimda question Quote: > Hi Daniel... > So this is possible. But...if the IIS server is patched with all the > necessary fixes, can one still infect it by uploading an infected web > document? What I'm trying to figure out is if this ISP was telling me the > truth... Lets clear something up. Viruses and Worms like nimda are programs like any other. They only get executed, get loaded into memory and run and do their stuff, if someone executes them (either legitmately or via an security hole). If I copy a virus onto your web server via FTP (as one would when uploading a web page) then I haven't executed any code on your server, therefore your server is not "infected". It might be storing the virus code on it's disk but it isn't doing anything with it. No problem. Therefore if someone got their home machine infected with nimda and uploaded a compromised file to their site on the ISP, the ISP's server will not be "infected" but anyone viewing the compromised file that was uploaded may experience problems. So in the example you quoted originally, if you view the webpage where a innocent user uploaded compromised files by mistake, you could indeed find nimda trying to infect you. If every damn page on that web server, including those that end users would not be having anything to do with is trying to infect people, I would say they are being less than honest with you. Does that help? -- -- Robert Moir, Microsoft MVP To search the MS Knowledge base use the link below: http://support.microsoft.com/support/search/c.asp?PSL=1 My Homepage - http://www.robertmoir.co.uk Emailed questions will not be answered
Sun, 21 Mar 2004 05:40:15 GMT

Orhan O. Ba #7 / 8	Nimda question Hi.... just visit http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 and see what does Nimda do in many ways !!! this visit will be cleared up most of your hesitations I guess. Quote: > Hi All... > Recently, one of the local ISP's web server got hit with Nimda; the virus > would try to infect anyone and everyone even visiting the site. The ISP was > running IIS 4.0 on Windows NT 4. I asked them why they could get infected, > since a patch that would have prevented this problem has been available form > Microsoft for a year now. They told me that they had all the security > patches in place. The only reason that their web server got infected is that > one of their clients uploaded the virus along with his webpage. Could this > really cause their web server to start spreading the virus, even though all > patches were in place? > Thanks in advance....
Sun, 21 Mar 2004 20:15:45 GMT

Orhan O. Ba #8 / 8	Nimda question Hi.... just visit http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 and see what does Nimda do in many ways !!! And also http://norman.com/virus_info/w32_nimda.shtml will be helpful visits will be cleared up most of your hesitations I guess. Quote: > Hi All... > Recently, one of the local ISP's web server got hit with Nimda; the virus > would try to infect anyone and everyone even visiting the site. The ISP was > running IIS 4.0 on Windows NT 4. I asked them why they could get infected, > since a patch that would have prevented this problem has been available form > Microsoft for a year now. They told me that they had all the security > patches in place. The only reason that their web server got infected is that > one of their clients uploaded the virus along with his webpage. Could this > really cause their web server to start spreading the virus, even though all > patches were in place? > Thanks in advance....
Sun, 21 Mar 2004 20:19:20 GMT

Page 1 of 1

[ 8 post ]