File: 1290.txt

snort 2.9.15.1-5
Rule:  

--
Sid:
1290

--
Summary:
This event is generated when an attempt is made to load and run
readme.eml, which is used as an infection vector for the Nimda worm.

--
Impact:
The source address is likely infected with the Nimda worm. The
destination, without adequate AntiVirus protection and the proper
patches, may now be infected and may attempt to infect other hosts using
this or any of the other infection vectors that the Nimda worm uses.

--
Detailed Information:
The Nimda worm affects Microsoft Windows systems and attempts to spread
via email, network shares and Microsoft IIS servers. A compromised
server will attempt to spread and infect other vulnerable hosts.

--
Affected Systems:
Microsoft Windows 95, 98, ME, NT and 2000

--
Attack Scenarios:
This is worm activity.

--
Ease of Attack:
Simple. Nimda is a worm, so the attack is automated. Exposure of unprotected
systems to the internet has been known to result in an infection within
15 minutes.

--
False Positives:
None Known
Web pages containing the JavaScript as text in a web page may activate
this alert. Web sites detailing Nimda infection vectors may also trigger this event.
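The content match behind this event and the false-positive caveat above, shown as an added Python triage example that is not part of the Snort rule or its documentation: a case-insensitive match on "readme.eml" raises the event, and an extra context check (assumed here, not something the rule itself does) separates a direct request or a script-driven load from a page that merely mentions the file name, which is the false-positive case the text describes. The HTTP payloads are constructed samples, not captured traffic.

```python
import re

# Constructed sample payloads (not captured traffic): a direct request for the
# attachment, a page that loads it from a script block, a page that only
# discusses the file name in visible text, and a clean page.
SAMPLES = {
    "request": b"GET /readme.eml HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "script_ref": (
        b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body><script>var f='README.EML';</script></body></html>"
    ),
    "advisory": (
        b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body><p>Nimda spreads by getting browsers to open "
        b"readme.eml; apply the IE patch.</p></body></html>"
    ),
    "clean": b"HTTP/1.0 200 OK\r\n\r\n<html><body>hello</body></html>",
}

# Assumed equivalent of the rule's content match: "readme.eml", nocase.
PATTERN = re.compile(rb"readme\.eml", re.IGNORECASE)
# Script blocks are where the worm's injected loader would sit.
SCRIPT_RE = re.compile(rb"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def classify(payload: bytes) -> str:
    """Return 'alert', 'review' or 'none' for one HTTP request/response."""
    if not PATTERN.search(payload):
        return "none"                      # rule would not fire
    head, _, body = payload.partition(b"\r\n\r\n")
    if head.startswith((b"GET ", b"POST ")):
        return "alert"                     # client asking for the attachment
    for block in SCRIPT_RE.finditer(body):
        if PATTERN.search(block.group(0)):
            return "alert"                 # automatic load from script
    # Name appears only as visible text: the documented false-positive case.
    return "review"


def scan_all() -> dict:
    """Classify every constructed sample; useful as a quick self-check."""
    return {name: classify(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:<10} -> {verdict}")
```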

--
False Negatives:
Nimda has multiple infection vectors. This rule alone will only detect
a particular type.

--
Corrective Action:
Ensure all servers within your domain are protected to the appropriate
patch-levels to mitigate infection and spread of the Nimda worm.

Ensure network clients in your domain are also appropriately patched and are
running up to date AntiVirus software.

--
Contributors:
Original rule writer unknown
Snort documentation contributed by Giles Coochey and Josh Gray
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

CERT:
http://www.cert.org/advisories/CA-2001-26.html

Cisco:
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/snam_wp.htm

Microsoft:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/NimdaIE6.asp

SecurityFocus:
http://online.securityfocus.com/archive/75/215118

--