# $Id: 1290.txt,v 1.1 2002/06/02 18:51:53 cazz Exp $
#
# 

Rule:  
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; rev:3; reference:url,www.cert.org/advisories/CA-2001-26.html;) 

--
Sid:
1290

--
Summary:
An internet page from an external webserver contained code to load and run readme.eml, which is used as an Infection Vector for the nimda worm.

--
Impact:
The Source Address is likely infected with the Nimda worm. The destination, without adequate AntiVirus protection and the proper patches, may now be infected and may attempt to infect other hosts using this or any of the other infection vectors that the Nimda worm uses.

--
Detailed Information:
More information, including links to other third parties, can be found at CERT http://www.cert.org/advisories/CA-2001-26.html

--
Attack Scenarios:


--
Ease of Attack:
Nimda is a worm, so the attack is automated. Exposure of unprotected systems to the internet has been know to result in an infection within 15minutes.

--
False Positives:
Web pages containing the Javascript as text in a web page may activate this alert. Web-sites detailing Nimda infection vectors may also trigger this event.

--
False Negatives:
Nimda has multiple infection vectors. This rule alone will not detect all instances, especially as the Nimda worm seems to enter phases where it exclusively uses a particular type of infection vector.

--
Corrective Action:
Ensure all servers within your domain are protected to the appropriate patch-levels to mitigate infection and spread of the Nimda worm. Ensure network clients in your domain are also appropriately patched and are running up to date AntiVirus software. The Nimda worm specifically only affects Microsoft Operating Systems.

--
Contributors:
Giles Coochey	Initial Research
Josh Gray	Edits

-- 
Additional References:
http://www.cert.org/advisories/CA-2001-26.html
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/snam_wp.htm
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/NimdaIE6.asp
http://online.securityfocus.com/archive/75/215118


