GFI
Nimda worm: description


Introduction

This new worm took everyone by surprise. It is one of the first to infect both client and server computers, which makes it highly effective at spreading fast and almost automatically, without any interaction on the user’s part. It makes use of two security vulnerabilities in Microsoft products: the IIS Unicode vulnerability, and a vulnerability in Internet Explorer and Windows Media Player 6.4 (which is included with Windows 2000). This worm also makes use of hosts previously infected by Code-Red II, and spreads through the NETBIOS protocol.

Infection and payload

  1. Through email

This is done by making use of a vulnerability which is now quite old. However, many users will still not have patched their systems and will therefore execute the worm automatically. The original exploit and vulnerability were found by Juan Carlos Cuartango and are detailed at http://www.securityfocus.com/bid/2524. If the user is not vulnerable to this specific exploit, he/she will still be asked whether he/she wants to run the file. This ‘feature’ makes infection more probable, since the worm does not rely only on vulnerable client machines.

The worm copies itself to the temp directory and to various other locations, where it creates a file with the contents of the email to be sent. It uses its own built-in SMTP client, rather than Outlook or Outlook Express. The worm reads the contents of the file in the temp directory and mails itself to the email addresses it finds on the client machine.

  2. Through UNICODE and exploited IIS servers

Web servers are infected by client machines that are already running the worm. This is done using another well-known exploit, Unicode directory traversal in IIS, or by taking advantage of IIS servers infected with CODE-RED II. CODE-RED II creates a backdoor which allows the Nimda worm to copy itself to the IIS server as described below.

Upon infection, the worm mails other users and also scans for vulnerable web servers. Once it finds a web server which is vulnerable to the Unicode attack or which has been infected with CODE-RED II, it proceeds to:

      i.   Download Admin.dll via the TFTP protocol from the infected machine (which now acts as the attacker).

     ii.   Add the already available Guest account to the local Administrators group and enable the Guest user. This effectively creates a very obvious backdoor on infected systems.

    iii.   Share the C drive as C$, which is a hidden share on WinNT systems. It also seems to share other drives as well.

     iv.   Copy itself to the C, D and E drives.

      v.   Search for HTML files (htm, html and asp files) and make them redirect to readme.eml, which infects users visiting the victim website with the worm.

  3. Through Internet Explorer by visiting an infected web server

The same thing happens as when viewing the email. The worm executable runs automatically on systems with a vulnerable Internet Explorer, and users with a patched IE will be asked whether to run the infectious file. A victim using a vulnerable Internet Explorer will in turn send emails and infect other IIS servers, disseminating the worm further.

  4. Through open shares

It infects other users by searching for open network shares, just like many other viruses in a Windows environment, such as the SirCam worm. It also makes sure that the C drive is shared and world writable using the Guest account. The Guest account is also added to the Administrators group, creating an effective backdoor in the infected system.


Extra features

  1. Calls itself readme.exe, as does the W32.Apost.Worm@mm worm. This might therefore have escaped the attention of anti-virus researchers until the distribution achieved a noticeable number of infections.
  2. Replaces/infects riched20.dll found in the Windows System directory.
  3. Does not care whether the target is an IIS server or any other web server: it will still try to infect the host. This can create a Denial of Service on some web servers.
  4. This worm creates heavy traffic on web and mail servers, possibly creating a Denial of Service on the target servers. It might also launch various instances of tftp.exe, slowing down infected IIS web servers. Internet Explorer and the Windows Shell (Explorer.exe) seem to crash on some infected systems, possibly due to bugs in the worm itself.
  5. Runs upon machine startup by adding an entry to system.ini:

Shell= explorer.exe load.exe -dontrunold

  6. The following string is found in the worm executable:

Concept Virus(CV) V.5, Copyright(C)2001  R.P.China


If you have been infected

The following files will be found:

  • Admin.dll in the scripts directory on your IIS web root as well as on C, D and E drives.
  • Readme.eml and readme.exe can be found in several locations.
  • Possibly random filenames (MEP*.TMP.EXE, where * stands for any character) will be found in the TEMP directory defined by the %TEMP% variable under WinNT. The file size of these files is 56.0 KB (57,344 bytes).
  • %systemroot%\load.exe. This is a copy of the worm itself, which runs upon machine startup.
  • System.ini will have the following entry: Shell= explorer.exe load.exe -dontrunold
  • %systemroot%\mmc.exe
  • sample.nws
  • sample.eml
  • desktop.eml
  • desktop.nws
  • The Guest account is added to the Administrators group.

What to look out for in your server log files

If your server has been scanned by Nimda, you will find the following entries in your log files:

/scripts/root.exe
/MSADC/root.exe
/c/winnt/system32/cmd.exe
/d/winnt/system32/cmd.exe
/scripts/..%5c../winnt/system32/cmd.exe
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/msadc/..%5c../..%5c../..%5c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
/scripts/..%c1%1c../winnt/system32/cmd.exe
/scripts/..%c0%af../winnt/system32/cmd.exe
/..%c1%9c../winnt/system32/cmd.exe
/scripts/..%5c../winnt/system32/cmd.exe
/scripts/..%2f../winnt/system32/cmd.exe

These requests are made to a virtual host named “www”. The request looks similar to the following:

GET /MSADC/root.exe HTTP/1.0
Host: www
Connnection: close

Notice the misspelt Connnection header, with three n’s.

Mail servers should block executables, especially those with the filename README.EXE.
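The following is an added example (not GFI’s code) that runs the check described above over an IIS log: it canonicalises each logged URI the way the vulnerable IIS decoder did, treating %5c/%2f and the overlong UTF-8 sequences (%c0%af, %c1%1c, %c1%9c) as path separators, and flags requests that reach cmd.exe or root.exe. The W3C extended field order and the sample log lines are constructed assumptions.

```python
from urllib.parse import unquote

# Overlong UTF-8 sequences that an unpatched IIS 4/5 decoded into a path
# separator after its traversal check had already run (the "Unicode" bug).
OVERLONG_SEPARATORS = {"%c0%af": "/", "%c1%1c": "\\", "%c1%9c": "\\"}
TARGET_BINARIES = ("cmd.exe", "root.exe")

def normalize_uri(uri):
    """Canonicalise a logged uri-stem the way the vulnerable decoder did."""
    u = uri.lower()
    for encoded, sep in OVERLONG_SEPARATORS.items():
        u = u.replace(encoded, sep)
    u = unquote(u)                    # %5c -> '\', %2f -> '/'
    return u.replace("\\", "/").split("?", 1)[0]

def classify_request(uri):
    """Return None for a benign request, else a short reason string."""
    path = normalize_uri(uri)
    if not path.endswith(TARGET_BINARIES):
        return None
    binary = path.rsplit("/", 1)[1]
    if "/../" in path:
        return "directory traversal to " + binary
    # root.exe and the /c and /d virtual roots are what Code-Red II leaves behind
    return "direct request for " + binary

def scan_log(lines):
    """Return (client_ip, uri, status, reason) for every probe in a W3C extended log."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, uri, status = fields[2], fields[4], fields[6]
        reason = classify_request(uri)
        if reason:
            hits.append((client_ip, uri, status, reason))
    return hits

# Constructed sample log (assumed field order as declared in the #Fields line).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-19 10:01:02 192.0.2.10 GET /index.htm - 200
2001-09-19 10:01:03 192.0.2.10 GET /scripts/root.exe - 404
2001-09-19 10:01:04 192.0.2.10 GET /c/winnt/system32/cmd.exe - 404
2001-09-19 10:01:05 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe - 404
2001-09-19 10:01:06 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe - 200
2001-09-19 10:01:07 192.0.2.11 GET /images/logo.gif - 200""".splitlines()

if __name__ == "__main__":
    for ip, uri, status, reason in scan_log(SAMPLE_LOG):
        print(ip, status, reason, uri)   # a 200 on a traversal means the probe succeeded
```

A 404 means the server refused or lacked the target; a 200 on one of these requests means the command shell was reached and the host should be treated as compromised.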



Prevention

WMP and Internet Explorer Patches
http://www.microsoft.com/windows/ie/downloads/critical/q290108/download.asp

IIS 4.0 Patch
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061

IIS 5.0 Patch
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011

GFI’s Mail essentials will by default block all executables on the server side. With the updated virus definition files, it will also detect the Nimda worm by name.


19-Sep-2001

   © 2002. All rights reserved. GFI Ltd.