Nimda question 

Hi All...

Recently, one of the local ISP's web server got hit with Nimda; the virus
would try to infect anyone and everyone even visiting the site. The ISP was
running IIS 4.0 on Windows NT 4. I asked them why they could get infected,
since a patch that would have prevented this problem has been available from
Microsoft for a year now. They told me that they had all the security
patches in place. The only reason that their web server got infected is that
one of their clients uploaded the virus along with his webpage. Could this
really cause their web server to start spreading the virus, even though all
patches were in place?

Thanks in advance....



Tue, 16 Mar 2004 05:22:09 GMT  
 Nimda question
As far as I'm aware this virus affects webservers, the places where web
pages are stored, not individual webpages.  When a webserver gets infected
with this virus, it then tries to contact other vulnerable webservers.  If a
webserver hasn't been patched, it is then vulnerable, if it has been patched
it will not be vulnerable and ignore requests from infected webserver.
Obviously this ISP you were talking to hadn't patched their machine, and are
probably lying to you.

Kev


Quote:
> Hi All...

> Recently, one of the local ISP's web server got hit with Nimda; the virus
> would try to infect anyone and everyone even visiting the site. The ISP was
> running IIS 4.0 on Windows NT 4. I asked them why they could get infected,
> since a patch that would have prevented this problem has been available from
> Microsoft for a year now. They told me that they had all the security
> patches in place. The only reason that their web server got infected is that
> one of their clients uploaded the virus along with his webpage. Could this
> really cause their web server to start spreading the virus, even though all
> patches were in place?

> Thanks in advance....



Tue, 16 Mar 2004 22:36:02 GMT  
 Nimda question


Quote:
> Hi All...

> Recently, one of the local ISP's web server got hit with Nimda; the virus
> would try to infect anyone and everyone even visiting the site. The ISP was
> running IIS 4.0 on Windows NT 4. I asked them why they could get infected,
> since a patch that would have prevented this problem has been available from
> Microsoft for a year now. They told me that they had all the security
> patches in place. The only reason that their web server got infected is that
> one of their clients uploaded the virus along with his webpage. Could this
> really cause their web server to start spreading the virus, even though all
> patches were in place?

Nah they haven't given you the complete story. If you copy a file that
contains a virus onto a server you have not infected that server. It's
simply a passive carrier of the file containing the virus. Imagine I give
you a flask containing a flu virus. Are you infected with the flu while you
have that flask in your hands? Let's tip the solution it's in out of the
flask into your cupped hands, are you infected yet? Nope!

Same thing with servers that people copy files to and from. The machine only
becomes "infected" and actively starts attempting to spread the virus and
infect people when the virus program code is executed on the machine in
question, via a security hole or someone sitting at the console and
double-clicking an infected file, or whatever.

--
--
Robert Moir, Microsoft MVP
To search the MS Knowledge base use the link below:
http://support.microsoft.com/support/search/c.asp?PSL=1
My Homepage - http://www.robertmoir.co.uk
** Emailed questions will not be answered **



Wed, 17 Mar 2004 01:03:13 GMT  
 Nimda question
The NIMDA virus *does* affect individual web pages - it adds a small script
section to the end of the web page which automatically downloads an infected
executable as well

Microsoft had the same problem (so they claimed) with
http://www.microsoft.com/frontpage
they claimed that some of the images on their pages were created by an
outside agency and were then copied onto their servers - however apparently
the readme.eml file that is downloaded was not included and hence nobody got
infected

Please see http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 for details

Yours

Daniel Wolff
(NAI employee)


Quote:
> As far as I'm aware this virus affects webservers, the places where web
> pages are stored, not individual webpages.  When a webserver gets infected
> with this virus, it then tries to contact other vulnerable webservers.  If a
> webserver hasn't been patched, it is then vulnerable, if it has been patched
> it will not be vulnerable and ignore requests from infected webserver.
> Obviously this ISP you were talking to hadn't patched their machine, and are
> probably lying to you.

> Kev



> > Hi All...

> > Recently, one of the local ISP's web server got hit with Nimda; the virus
> > would try to infect anyone and everyone even visiting the site. The ISP was
> > running IIS 4.0 on Windows NT 4. I asked them why they could get infected,
> > since a patch that would have prevented this problem has been available from
> > Microsoft for a year now. They told me that they had all the security
> > patches in place. The only reason that their web server got infected is that
> > one of their clients uploaded the virus along with his webpage. Could this
> > really cause their web server to start spreading the virus, even though all
> > patches were in place?

> > Thanks in advance....



Sat, 20 Mar 2004 04:59:08 GMT  
 Nimda question
Hi Daniel...

So this is possible. But...if the IIS server is patched with all the
necessary fixes, can one still infect it by uploading an infected web
document? What I'm trying to figure out is if this ISP was telling me the
truth...

Thanks...

Quote:

> Organization: Posted via Supernews, http://www.supernews.com
> Newsgroups: microsoft.public.scripting.virus.discussion
> Date: Mon, 1 Oct 2001 21:59:08 +0100
> Subject: Re: Nimda question

> The NIMDA virus *does* affect individual web pages - it adds a small script
> section to the end of the web page which automatically downloads an infected
> executable as well

> Microsoft had the same problem (so they claimed) with
> http://www.microsoft.com/frontpage
> they claimed that some of the images on their pages were created by an
> outside agency and were then copied onto their servers - however apparently
> the readme.eml file that is downloaded was not included and hence nobody got
> infected

> Please see http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 for details

> Yours

> Daniel Wolff
> (NAI employee)



>> As far as I'm aware this virus affects webservers, the places where web
>> pages are stored, not individual webpages.  When a webserver gets infected
>> with this virus, it then tries to contact other vulnerable webservers.  If a
>> webserver hasn't been patched, it is then vulnerable, if it has been patched
>> it will not be vulnerable and ignore requests from infected webserver.
>> Obviously this ISP you were talking to hadn't patched their machine, and are
>> probably lying to you.

>> Kev



>>> Hi All...

>>> Recently, one of the local ISP's web server got hit with Nimda; the virus
>>> would try to infect anyone and everyone even visiting the site. The ISP was
>>> running IIS 4.0 on Windows NT 4. I asked them why they could get infected,
>>> since a patch that would have prevented this problem has been available from
>>> Microsoft for a year now. They told me that they had all the security
>>> patches in place. The only reason that their web server got infected is that
>>> one of their clients uploaded the virus along with his webpage. Could this
>>> really cause their web server to start spreading the virus, even though all
>>> patches were in place?

>>> Thanks in advance....



Sun, 21 Mar 2004 04:52:53 GMT  
 Nimda question


Quote:
> Hi Daniel...

> So this is possible. But...if the IIS server is patched with all the
> necessary fixes, can one still infect it by uploading an infected web
> document? What I'm trying to figure out is if this ISP was telling me the
> truth...

Let's clear something up. Viruses and Worms like nimda are programs like any
other. They only get executed, get loaded into memory and run and do their
stuff, if someone executes them (either legitimately or via a security
hole). If I copy a virus onto your web server via FTP (as one would when
uploading a web page) then I haven't executed any code on your server,
therefore your server is not "infected". It might be storing the virus code
on its disk but it isn't doing anything with it. No problem.

Therefore if someone got their home machine infected with nimda and uploaded
a compromised file to their site on the ISP, the ISP's server will not be
"infected" but anyone viewing the compromised file that was uploaded may
experience problems. So in the example you quoted originally, if you view
the webpage where an innocent user uploaded compromised files by mistake, you
could indeed find nimda trying to infect you. If every damn page on that web
server, including those that end users would not be having anything to do
with is trying to infect people, I would say they are being less than honest
with you.

Does that help?

--
--
Robert Moir, Microsoft MVP
To search the MS Knowledge base use the link below:
http://support.microsoft.com/support/search/c.asp?PSL=1
My Homepage - http://www.robertmoir.co.uk
** Emailed questions will not be answered **



Sun, 21 Mar 2004 05:40:15 GMT  
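
Added example, not part of any post in this thread: a Python check an ISP could run over customer-uploaded web content to find pages carrying the kind of trailing script described above, one that opens a `.eml` file such as `readme.eml`. The function names, the extension list and the sample pages are constructed for illustration.

```python
import re
from pathlib import Path

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.I)
EML_REF_RE = re.compile(r"""["']([^"']*\.eml)["']""", re.I)
WEB_EXTS = {".htm", ".html", ".asp"}  # assumption: content types worth checking


def find_eml_scripts(html):
    """Return (offset, eml_name, appended) for each script block naming a .eml file.

    appended is True when the block starts after the page's first </html>,
    i.e. it was tacked onto the end of an already complete document.
    """
    close = HTML_CLOSE_RE.search(html)
    body_end = close.end() if close else None
    findings = []
    for m in SCRIPT_RE.finditer(html):
        for ref in EML_REF_RE.findall(m.group(1)):
            appended = body_end is not None and m.start() >= body_end
            findings.append((m.start(), ref, appended))
    return findings


def scan_webroot(root):
    """Map each web file under root to its findings; clean files are omitted."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            text = path.read_text(encoding="latin-1")  # never fails on odd bytes
            hits = find_eml_scripts(text)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed samples: a clean page, and the same page with a trailing script.
CLEAN = "<html><body><h1>Customer page</h1></body></html>\n"
TAMPERED = CLEAN + ('<html><script language="JavaScript">'
                    'window.open("readme.eml", null, "resizable=no");'
                    "</script></html>\n")

if __name__ == "__main__":
    print(find_eml_scripts(CLEAN))
    print(find_eml_scripts(TAMPERED))
```

A hit means visitors to that page are at risk; it says nothing about whether the worm ever executed on the server itself.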
 Nimda question

Hi....

just visit http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 and see
what Nimda does in many ways!!!

This visit will clear up most of your hesitations, I guess.


Quote:
> Hi All...

> Recently, one of the local ISP's web server got hit with Nimda; the virus
> would try to infect anyone and everyone even visiting the site. The ISP was
> running IIS 4.0 on Windows NT 4. I asked them why they could get infected,
> since a patch that would have prevented this problem has been available from
> Microsoft for a year now. They told me that they had all the security
> patches in place. The only reason that their web server got infected is that
> one of their clients uploaded the virus along with his webpage. Could this
> really cause their web server to start spreading the virus, even though all
> patches were in place?

> Thanks in advance....



Sun, 21 Mar 2004 20:15:45 GMT  
 Nimda question

Hi....

just visit http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 and see
what Nimda does in many ways!!!

And also http://norman.com/virus_info/w32_nimda.shtml will be helpful

These visits will clear up most of your hesitations, I guess.


Quote:
> Hi All...

> Recently, one of the local ISP's web server got hit with Nimda; the virus
> would try to infect anyone and everyone even visiting the site. The ISP was
> running IIS 4.0 on Windows NT 4. I asked them why they could get infected,
> since a patch that would have prevented this problem has been available from
> Microsoft for a year now. They told me that they had all the security
> patches in place. The only reason that their web server got infected is that
> one of their clients uploaded the virus along with his webpage. Could this
> really cause their web server to start spreading the virus, even though all
> patches were in place?

> Thanks in advance....



Sun, 21 Mar 2004 20:19:20 GMT  
 