18 September 2001 Security Advisory

Guys, this is from a security list I trust. I checked with Symantec but they are not aware of it yet. This virus alert is only a few minutes old (09/18/2001 10:15 PDT).

When you browse the web, if at any time the server asks you to download a readme file: don't do it. If you feel so inclined, please forward this email to the site's webmaster to inform him/her of the presence of the w32.nimda.amm virus.

Alert: Numerous people have reported that on IIS servers infected with w32.nimda.amm, when visitors browse to their website the visitor is offered up README.EML, which in turn downloads README.EXE to the visitor.

Please check your IIS boxes now to see if you are infected. I've had reports of IIS servers with more than 10,000 .eml files present (mostly as a result of nimda).

While we don't have any conclusive disinfecting procedures yet, any IIS box that has been infected definitely shouldn't be available to clients until we do.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

LATER THAT DAY

"W32.Nimda.A@mm" affects IIS webservers and asks the user to download a readme.txt file. It can also forward itself as an invisible attachment to emails and set your C drive as a network share.

Symantec engineers have now been working on a fix since about noon PDT today. For the latest info, check out:
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

It's also called Troj_Nimda. Trend Micro Systems has a free utility you can download to check if you are infected. It's available at www.antivirus.com (click on "home users").

I just got an email from Computerworld (20 seconds ago) which states that this worm is spreading much faster than the Code Red worm did a few weeks ago.... It's time to check your machines.

Fredo